Security News > 2023 > April > Windows zero-day vulnerability exploited in ransomware attacks
Microsoft has patched a zero-day vulnerability in the Windows Common Log File System, actively exploited by cybercriminals to escalate privileges and deploy Nokoyawa ransomware payloads.
In light of its ongoing exploitation, CISA also added the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities today, ordering Federal Civilian Executive Branch agencies to secure their systems against it by May 2nd. Tracked as CVE-2023-28252, this CLFS security flaw was discovered by Genwei Jiang of Mandiant and Quan Jin of DBAPPSecurity's WeBin Lab.
It affects all supported Windows server and client versions and can be exploited by local attackers in low-complexity attacks without user interaction.
Security researchers with Kaspersky's Global Research and Analysis Team also recently found the CVE-2023-28252 flaw exploited in Nokoyawa ransomware attacks.
"Kaspersky researchers uncovered the vulnerability in February as a result of additional checks into a number of attempts to execute similar elevation of privilege exploits on Microsoft Windows servers belonging to different small and medium-sized businesses in the Middle Eastern and North American regions," the company said in a press release.
Redmond has patched at least 32 local privilege escalation vulnerabilities in the Windows CLFS driver since 2018, with three of them also exploited in the wild as zero-days, according to Kaspersky.
News URL
Related news
- PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)
- Apple fixes zero-day exploited in 'extremely sophisticated' attacks (source)
- Apple fixes zero-day flaw exploited in “extremely sophisticated” attack (CVE-2025-24200) (source)
- US indicts 8Base ransomware operators for Phobos encryption attacks (source)
- RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset (source)
- Chinese espionage tools deployed in RA World ransomware attack (source)
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-11 | CVE-2023-28252 | Out-of-bounds Write vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |