Ransomware attackers have been exploiting vulnerabilities in the Windows Common Log File System (CLFS) driver to carry out malicious activities [6]. These vulnerabilities have allowed attackers to escalate privileges and gain unauthorized access to systems [7].


The attackers have been exploiting multiple vulnerabilities in the CLFS driver [2] [6] [7]. One of these vulnerabilities [1] [2] [6] [8], known as CVE-2023-23376 [5], was discovered by the Microsoft Threat Intelligence Center and the Microsoft Security Response Center [5]. It allowed attackers to manipulate the CLFSCONTROLRECORD structure and pass malicious indexes, ultimately corrupting other BLF files [5]. Another vulnerability, CVE-2023-28252 [1] [4] [7] [8], targeted the CLFSCONTROLRECORD and bypassed index verification [1] [8]. Although the root cause of this vulnerability is different [1], it also made patches to the BLF file.

These vulnerabilities in the CLFS component of Windows OS are related to how blocks are read and written to disk, with inconsistencies in the checks performed [1] [8]. Ransomware attackers have leveraged these vulnerabilities to infiltrate systems and carry out their attacks. While the exact details of how these vulnerabilities are being exploited are not publicly known [6], it is believed that attackers are using sophisticated techniques [6], including social engineering tactics [6], phishing emails [6], and drive-by downloads [6].

Numerous organizations across various sectors have fallen victim to these ransomware attacks, highlighting the urgent need for enhanced security measures [6]. To mitigate the risk posed by these vulnerabilities [6], it is crucial for organizations and individuals to implement robust security measures [6]. This includes keeping software and operating systems up to date with the latest patches and security updates [6], using reputable antivirus software [6], and regularly backing up important data [6]. Additionally, organizations should implement best security practices [3], install security updates [2] [3] [6] [7], use security products [3] [7], restrict server access [3] [7], and provide employee training to prevent spear-phishing attacks [3] [7].


The exploitation of vulnerabilities in the CLFS driver has had significant impacts, with numerous organizations falling victim to ransomware attacks. It is essential for organizations and individuals to take proactive steps to enhance their security measures and mitigate the risk posed by these vulnerabilities. By implementing robust security practices and staying vigilant against sophisticated attack techniques, the impact of these vulnerabilities can be minimized.


[1] https://www.443news.com/2023/12/windows-clfs-and-five-exploits-used-by-ransomware-operators-exploit-5-cve-2023-28252/
[2] https://healsecurity.com/ransomware-attackers-abuse-multiple-windows-clfs-driver-zero-days/
[3] https://jn66dataanalytics.com/news/ransomware-attackers-abuse-multiple-windows-clfs-driver-zero-days-dark-reading
[4] https://esystematics.com/blog/windows-clfs-and-five-exploits-used-by-ransomware-operators-exploit-2-september-2022/
[5] https://malware.news/t/windows-clfs-and-five-exploits-used-by-ransomware-operators-exploit-4-cve-2023-23376/76933
[6] https://platodata.network/platowire/multiple-windows-clfs-driver-zero-days-exploited-by-ransomware-attackers/
[7] https://www.darkreading.com/vulnerabilities-threats/ransomware-attackers-abuse-windows-clfs-driver-zero-days
[8] https://gixtools.net/2023/12/windows-clfs-and-five-exploits-used-by-ransomware-operators-exploit-5-cve-2023-28252/