CVE-2023-28252 Explained: Windows CLFS Driver Zero-Day Used by Nokoyawa Ransomware
A zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver exploited by the Nokoyawa ransomware group to achieve SYSTEM privileges before deploying ransomware. One in a series of CLFS zero-days exploited in ransomware campaigns.
CVE-2023-28252 is a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver, patched on April 11, 2023. Kaspersky researchers discovered it being actively exploited by the Nokoyawa ransomware group as part of the group's pre-deployment privilege escalation chain. A low-privileged user on a Windows system can exploit the flaw to achieve SYSTEM-level privileges by providing a specially crafted log file to the CLFS driver.
CVE-2023-28252 is part of a broader pattern: Kaspersky documented five separate CLFS zero-days exploited in ransomware operations between 2022 and 2023. The CLFS driver's combination of kernel-mode operation and user-accessible log files makes it a recurring target for threat actors seeking reliable, undetected privilege escalation paths.
Windows CLFS and Why Ransomware Groups Target It
The Windows Common Log File System is a high-performance transaction logging engine built into the Windows kernel since Windows Server 2003 R2. It is used by the kernel Transaction Manager, NTFS metadata logging, and numerous other Windows subsystems. Critically, CLFS log files (.blf and associated container files) are written and read from user mode — applications can create CLFS log stores that are then processed by the kernel-mode CLFS driver.
This user-to-kernel interface creates an attack surface: if the CLFS driver mishandles a malformed log file from user mode, the corruption occurs in kernel context. Ransomware operators have systematically discovered and exploited CLFS parsing flaws because:
1. CLFS operates in the kernel — successful exploitation yields kernel-level code execution (SYSTEM)
2. Creating and opening log files is a normal, low-privileged operation — no special permissions are needed to trigger the vulnerability
3. CLFS exploitation can be done without spawning suspicious child processes or making anomalous API calls — making it harder for EDR products to detect
4. A reliable kernel EoP allows ransomware operators to terminate protected security processes, disable tamper protection, and deploy ransomware binaries without interference
Gain initial low-privilege access to target system
Ransomware operators obtain initial access via phishing, credential stuffing, or exploitation of an internet-facing service. The initial foothold is typically at standard user or service account privilege level.
Create specially crafted CLFS log file
The exploit creates a malformed CLFS log file (.blf) with carefully constructed file content that triggers the heap corruption condition in the CLFS kernel driver when parsed. The file is created via normal user-mode file operations.
Trigger CLFS driver to parse the malformed file
The exploit opens the malformed CLFS log store, causing the kernel-mode CLFS driver to parse the file. The parsing code encounters the malformed structure and corrupts adjacent kernel heap memory.
Achieve SYSTEM code execution via kernel heap corruption
The controlled heap corruption overwrites kernel objects to hijack execution flow. The exploit redirects the kernel to execute attacker shellcode in kernel mode, granting SYSTEM privileges to the calling process.
Terminate security software and deploy ransomware
With SYSTEM privileges, Nokoyawa disabled endpoint protection, terminated security services, deleted volume shadow copies, and deployed the ransomware encryptor across the compromised environment.
The CLFS Zero-Day Series: A Sustained Attack Pattern
Kaspersky's research on CVE-2023-28252 was part of a broader investigation into ransomware privilege escalation techniques. They identified five separate CLFS zero-days exploited in the wild across 2022 and 2023, all used by ransomware operators for pre-deployment privilege escalation:
CVE-2022-24521 (April 2022 Patch Tuesday — zero-day)
CVE-2022-37969 (September 2022 Patch Tuesday — zero-day)
CVE-2023-23376 (February 2023 Patch Tuesday — zero-day)
CVE-2023-28252 (April 2023 Patch Tuesday — zero-day)
The consistent pattern — a new CLFS zero-day exploited in ransomware campaigns nearly every quarter — indicates that professional ransomware operators have invested significantly in CLFS exploit research and have a pipeline of vulnerabilities to use as each is patched.
This pattern also indicates that patching CVE-2023-28252 alone does not resolve the underlying risk. Microsoft has been working to harden the CLFS driver architecture, but the sustained series of exploitable parsing flaws reflects a complex legacy codebase with a wide attack surface.
“CLFS is a particularly attractive target for ransomware groups because kernel-level code execution allows them to disable security products that otherwise protect against ransomware deployment. We have now identified five separate CLFS zero-days exploited in ransomware campaigns.”
— Kaspersky, April 2023
Patching and Mitigating CVE-2023-28252
CVE-2023-28252 is patched in the April 2023 cumulative update for all affected Windows versions. There is no standalone mitigation; because the vulnerability requires local code execution to exploit, the compensating control is preventing the initial access that enables that local execution.
Apply the April 2023 Windows cumulative update
Install the April 11, 2023 cumulative update (KB5025221 for Windows 10 21H2, KB5025224 for Windows 11, and equivalent KBs for Server versions). Verify via Settings > Windows Update or wmic qfe list on the command line.
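The following PowerShell snippet is an added example, not part of the original article, that checks whether a host has the April 2023 fix. It uses the KB numbers given above and assumes Get-HotFix can reach the target host; the 60-day-style date heuristic for later cumulative updates is an assumption of this example, not something the article states.

```powershell
# Added example (not from the original article): check whether a Windows host
# carries the April 2023 cumulative update (or a later one) for CVE-2023-28252.
# KB numbers come from the article; Get-HotFix is the supported replacement for
# the deprecated 'wmic qfe list'. Assumption: update history has not been cleared.

$AprilPatchKBs  = @('KB5025221', 'KB5025224')      # Win10 21H2 / Win11 per the article
$AprilPatchDate = Get-Date -Year 2023 -Month 4 -Day 11

function Test-Cve202328252Patch {
    [CmdletBinding()]
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [string[]] $KnownKBs     = $AprilPatchKBs,
        [datetime] $FixDate      = $AprilPatchDate
    )

    $hotfixes = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop

    # Direct hit: one of the April 2023 KB IDs is installed.
    $direct = @($hotfixes | Where-Object { $KnownKBs -contains $_.HotFixID })

    # Cumulative updates supersede earlier ones, so a host patched straight to a
    # later CU will not list the April KB. Treat any 'Security Update' installed
    # on or after the fix date as evidence that the CLFS fix is present.
    $later = @($hotfixes | Where-Object {
        $_.Description -eq 'Security Update' -and
        $_.InstalledOn -is [datetime] -and
        $_.InstalledOn -ge $FixDate
    })

    [pscustomobject]@{
        ComputerName     = $ComputerName
        AprilKBInstalled = ($direct.Count -gt 0)
        LaterCUInstalled = ($later.Count -gt 0)
        LikelyPatched    = ($direct.Count -gt 0 -or $later.Count -gt 0)
        Evidence         = @(($direct + $later) | ForEach-Object HotFixID | Sort-Object -Unique)
    }
}

# Local host by default; pass -ComputerName to check a remote machine, or loop
# over a hostname list to sweep a fleet.
Test-Cve202328252Patch | Format-List
```

Treat LikelyPatched as a triage signal rather than proof: the authoritative check is the OS build number against Microsoft's release history for the host's Windows version, which this example deliberately does not hard-code.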
Prioritise initial access prevention as the primary control
CLFS elevation of privilege requires the attacker to already have code execution on the target — it is a post-exploitation tool. The primary defence is preventing the initial access that grants that foothold: phishing-resistant MFA, credential hygiene, email security, and patched perimeter services.
Enable credential guard and attack surface reduction rules
Microsoft Defender's Attack Surface Reduction (ASR) rules, specifically those blocking child processes of Office applications and blocking credential theft from LSASS, reduce the effectiveness of post-exploitation chains that would use CLFS escalation. Enable these rules in enforcement mode where feasible.
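As an added example (not from the original article or from Microsoft), this PowerShell block reports the enforcement mode of the two ASR rules named above and can move them to Block mode. The rule GUIDs are Microsoft's published identifiers for those two rules, and the action-code mapping follows the Set-MpPreference documentation; it assumes an elevated session on a host running Microsoft Defender Antivirus.

```powershell
# Added example (not from the original article): report and, optionally, enforce
# the two Defender ASR rules the text calls out. GUIDs are Microsoft's published
# rule identifiers; action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
# Assumption: run elevated with Microsoft Defender Antivirus active.

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS (lsass.exe)'
}
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # One row per rule of interest with its current enforcement mode.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($guid in $AsrRules.Keys) {
        # Ids and Actions are parallel arrays; find our GUID case-insensitively.
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $guid) { $idx = $i; break }
        }
        $action = if ($idx -ge 0) { [int]$actions[$idx] } else { 0 }
        [pscustomobject]@{
            RuleId   = $guid
            Name     = $AsrRules[$guid]
            Action   = $action
            Mode     = $ActionNames[$action]
            Enforced = ($action -eq 1)
        }
    }
}

function Enable-AsrRuleBlockMode {
    [CmdletBinding()]
    param()
    # Add-MpPreference merges with the existing rule list rather than replacing
    # it, so other rules already configured are left untouched.
    $pending = Get-AsrRuleState | Where-Object { -not $_.Enforced }
    foreach ($rule in $pending) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.RuleId `
                         -AttackSurfaceReductionRules_Actions Enabled
        Write-Verbose "Set '$($rule.Name)' to Block"
    }
    Get-AsrRuleState
}

Get-AsrRuleState | Format-Table Name, Mode, Enforced -AutoSize
# Enable-AsrRuleBlockMode -Verbose   # uncomment to enforce; run in Audit mode first
```

Roll the rules out in Audit mode first and review the resulting Defender events for business-critical Office macros or LSASS-reading tools before switching to Block, since the LSASS rule in particular can interfere with legitimate security agents.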
Monitor for kernel exploit indicators in EDR telemetry
Look for unexpected privilege escalation events (processes acquiring SYSTEM tokens from non-SYSTEM parents), CLFS log file creation followed by rapid privilege changes, and the specific Nokoyawa file naming conventions documented in Kaspersky's analysis. Modern EDRs include CLFS exploit detection following the public disclosure.
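The detection logic described above, as an added example that is not part of the original article: it correlates a SYSTEM process spawned from a non-SYSTEM parent with a .blf file written by that parent shortly before. The events are constructed for the example and follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate) field names; the 60-second window, host paths and account names are assumptions, and in production the inline array would be replaced by Get-WinEvent output from the Microsoft-Windows-Sysmon/Operational log.

```powershell
# Added example (not from the original article): correlate two signals the text
# describes against Sysmon-style telemetry. All events below are constructed.
# Fields follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate).
# Assumptions: 60-second window; account names and paths are illustrative.

$Events = @(
    # A standard user's process writes a CLFS base log file into its temp dir.
    [pscustomobject]@{ EventId=11; UtcTime=[datetime]'2023-04-05 10:14:02'; ProcessId=4120; Image='C:\Users\jdoe\AppData\Local\Temp\update.exe'; TargetFilename='C:\Users\jdoe\AppData\Local\Temp\tmp.blf' }
    # That process itself runs as an ordinary domain user.
    [pscustomobject]@{ EventId=1;  UtcTime=[datetime]'2023-04-05 10:13:50'; ProcessId=4120; Image='C:\Users\jdoe\AppData\Local\Temp\update.exe'; User='CORP\jdoe'; ParentProcessId=3300; ParentImage='C:\Windows\explorer.exe' }
    # Seconds later it spawns a child running as SYSTEM: the privilege jump.
    [pscustomobject]@{ EventId=1;  UtcTime=[datetime]'2023-04-05 10:14:09'; ProcessId=5188; Image='C:\Windows\System32\cmd.exe'; User='NT AUTHORITY\SYSTEM'; ParentProcessId=4120; ParentImage='C:\Users\jdoe\AppData\Local\Temp\update.exe' }
    # Benign control: a SYSTEM service starting a SYSTEM child is normal.
    [pscustomobject]@{ EventId=1;  UtcTime=[datetime]'2023-04-05 09:00:00'; ProcessId=900;  Image='C:\Windows\System32\services.exe'; User='NT AUTHORITY\SYSTEM'; ParentProcessId=600; ParentImage='C:\Windows\System32\wininit.exe' }
    [pscustomobject]@{ EventId=1;  UtcTime=[datetime]'2023-04-05 10:15:00'; ProcessId=6000; Image='C:\Windows\System32\svchost.exe'; User='NT AUTHORITY\SYSTEM'; ParentProcessId=900; ParentImage='C:\Windows\System32\services.exe' }
)

function Find-SuspiciousClfsEscalation {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 60
    )
    $systemAccounts = @('NT AUTHORITY\SYSTEM', 'SYSTEM')
    $sorted = $Events | Sort-Object UtcTime

    # Sysmon Event 1 records the new process's user but not the parent's, so
    # rebuild a PID -> user map from the ProcessCreate events seen so far.
    $userByPid = @{}
    foreach ($e in $sorted | Where-Object EventId -eq 1) { $userByPid[$e.ProcessId] = $e.User }

    $blfCreates = @($sorted | Where-Object { $_.EventId -eq 11 -and $_.TargetFilename -like '*.blf' })

    foreach ($e in $sorted | Where-Object EventId -eq 1) {
        $childIsSystem = $systemAccounts -contains $e.User
        $parentUser    = $userByPid[$e.ParentProcessId]
        # A parent with no recorded ProcessCreate (pre-boot or before Sysmon
        # started) gives no evidence either way, so it is skipped.
        $parentIsSystem = ($null -eq $parentUser) -or ($systemAccounts -contains $parentUser)
        if (-not $childIsSystem -or $parentIsSystem) { continue }

        # Signal 1: SYSTEM child from a non-SYSTEM parent.
        # Signal 2: that same parent wrote a .blf within the window beforehand.
        $recentBlf = @($blfCreates | Where-Object {
            $_.ProcessId -eq $e.ParentProcessId -and
            $_.UtcTime -le $e.UtcTime -and
            ($e.UtcTime - $_.UtcTime).TotalSeconds -le $WindowSeconds
        })
        $severity = if ($recentBlf.Count -gt 0) { 'High' } else { 'Medium' }

        [pscustomobject]@{
            Time        = $e.UtcTime
            ParentImage = $e.ParentImage
            ParentUser  = $parentUser
            ChildImage  = $e.Image
            ChildUser   = $e.User
            ClfsFile    = if ($recentBlf.Count -gt 0) { $recentBlf[0].TargetFilename } else { $null }
            Severity    = $severity
        }
    }
}

# On the constructed data this yields one High alert (update.exe -> cmd.exe as
# SYSTEM, with tmp.blf written 7 seconds earlier) and no alert for svchost.exe.
Find-SuspiciousClfsEscalation -Events $Events | Format-List
```

The privilege-jump signal on its own fires for legitimate elevation paths (service control, scheduled tasks, installers), which is why it is rated Medium and the .blf correlation raises it to High; tune the account list and window to the environment, and exclude known service hosts before routing alerts to an analyst queue.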
The bottom line
CVE-2023-28252 is a reminder that zero-days do not only appear in perimeter-facing software. Ransomware operators routinely purchase or develop kernel privilege escalation zero-days because they are high-value tools — they allow reliable SYSTEM access on any Windows machine, regardless of what endpoint security is installed. A kernel exploit bypasses protections that rely on user-mode agent integrity.
The CLFS zero-day series demonstrates that professional ransomware groups maintain exploit inventories and cycle through them as each is patched. Patching is necessary, but it solves last quarter's exploit. The more durable defence is reducing the initial access opportunities that allow ransomware operators to reach the privilege escalation stage in the first place.
Frequently asked questions
What is CVE-2023-28252?
CVE-2023-28252 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver. A low-privileged local user can exploit a flaw in how CLFS parses specially crafted log files to corrupt kernel memory and achieve SYSTEM-level code execution. Exploitation requires local code execution — the attacker must already have access to the system at a low privilege level.
What is the Windows CLFS driver and why is it targeted?
The Windows Common Log File System (CLFS) is a general-purpose logging subsystem built into the Windows kernel, used by the kernel itself and many Windows subsystems for transaction logging. Because it operates in kernel mode and handles log files that can be manipulated from user mode, CLFS is an attractive privilege escalation target. Kaspersky documented five separate CLFS zero-days exploited in the wild between 2022 and 2023 — all by ransomware operators.
Why do ransomware groups use Windows CLFS zero-days?
Ransomware operators typically gain initial access at standard user privilege level (via phishing, credential theft, or exploiting a service). Before deploying ransomware, they need to escalate to SYSTEM or domain admin to disable security software, encrypt system files, and maximise impact. CLFS zero-days provide a reliable kernel-level privilege escalation step that evades EDR detection more effectively than well-known public exploits.
Was CVE-2023-28252 a zero-day?
Yes. Kaspersky discovered CVE-2023-28252 being actively exploited by the Nokoyawa ransomware group before any patch existed. Microsoft patched it on April 11, 2023 as part of Patch Tuesday, explicitly noting in the advisory that the vulnerability was being exploited in the wild. It was one of two zero-days in the April 2023 Patch Tuesday.
Which Windows versions are affected by CVE-2023-28252?
All supported Windows versions are affected: Windows 10 (all supported versions), Windows 11, Windows Server 2008 R2 and later (all supported versions). The CLFS driver is a core Windows component present across all modern Windows releases. Apply the April 2023 cumulative update or later.
Sources & references
- NVD
- Microsoft Security Advisory CVE-2023-28252
- Kaspersky — Windows CLFS and Five Exploits Used by Ransomware Operators
- CISA Known Exploited Vulnerabilities Catalog
Founder & Cybersecurity Evangelist, Decryption Digest