CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 10 min read

CVE-2023-28252 Explained: Windows CLFS Driver Zero-Day Used by Nokoyawa Ransomware

A zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver exploited by the Nokoyawa ransomware group to achieve SYSTEM privileges before deploying ransomware. One in a series of CLFS zero-days exploited in ransomware campaigns.

Sources:NVD|Microsoft Security Advisory CVE-2023-28252|Kaspersky, Windows CLFS and Five Exploits Used by Ransomware Operators|CISA Known Exploited Vulnerabilities Catalog
7.8
CVSS Score
0-day
Exploited before April 2023 Patch Tuesday
SYSTEM
Privilege level achieved
5+
CLFS zero-days exploited in the wild (2022–2023)

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2023-28252 is a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver, patched on April 11, 2023. It was discovered by Kaspersky researchers actively being exploited by the Nokoyawa ransomware group as part of their pre-deployment privilege escalation chain. A low-privileged user on a Windows system can exploit the flaw to achieve SYSTEM-level privileges by providing a specially crafted log file to the CLFS driver.

CVE-2023-28252 is part of a broader pattern: Kaspersky documented five separate CLFS zero-days exploited in ransomware operations between 2022 and 2023. The CLFS driver's combination of kernel-mode operation and user-accessible log files makes it a recurring target for threat actors seeking reliable, undetected privilege escalation paths.

Windows CLFS and Why Ransomware Groups Target It

The Windows Common Log File System is a high-performance transaction logging engine built into the Windows kernel since Windows Server 2003 R2. It is used by the kernel Transaction Manager, NTFS metadata logging, and numerous other Windows subsystems. Critically, CLFS log files (.blf and associated container files) are written and read from user mode, applications can create CLFS log stores that are then processed by the kernel-mode CLFS driver.

This user-to-kernel interface creates an attack surface: if the CLFS driver mishandles a malformed log file from user mode, the corruption occurs in kernel context. Ransomware operators have systematically discovered and exploited CLFS parsing flaws because:

  1. CLFS operates in the kernel, successful exploitation yields kernel-level code execution (SYSTEM)
  2. Creating and opening log files is a normal, low-privileged operation, no special permissions are needed to trigger the vulnerability
  3. CLFS exploitation can be done without spawning suspicious child processes or making anomalous API calls, making it harder for EDR products to detect
  4. A reliable kernel EoP allows ransomware operators to terminate protected security processes, disable tamper protection, and deploy ransomware binaries without interference
1

Gain initial low-privilege access to target system

Ransomware operators obtain initial access via phishing, credential stuffing, or exploitation of an internet-facing service. The initial foothold is typically at standard user or service account privilege level.

2

Create specially crafted CLFS log file

The exploit creates a malformed CLFS log file (.blf) with carefully constructed file content that triggers the heap corruption condition in the CLFS kernel driver when parsed. The file is created via normal user-mode file operations.

3

Trigger CLFS driver to parse the malformed file

The exploit opens the malformed CLFS log store, causing the kernel-mode CLFS driver to parse the file. The parsing code encounters the malformed structure and corrupts adjacent kernel heap memory.

4

Achieve SYSTEM code execution via kernel heap corruption

The controlled heap corruption overwrites kernel objects to hijack execution flow. The exploit redirects the kernel to execute attacker shellcode in kernel mode, granting SYSTEM privileges to the calling process.

5

Terminate security software and deploy ransomware

With SYSTEM privileges, Nokoyawa disabled endpoint protection, terminated security services, deleted volume shadow copies, and deployed the ransomware encryptor across the compromised environment.

The CLFS Zero-Day Series: A Sustained Attack Pattern

Kaspersky's research on CVE-2023-28252 was part of a broader investigation into ransomware privilege escalation techniques. They identified five separate CLFS zero-days exploited in the wild across 2022 and 2023, all used by ransomware operators for pre-deployment privilege escalation:

CVE-2022-24521 (April 2022 Patch Tuesday, zero-day) CVE-2022-37969 (September 2022 Patch Tuesday, zero-day) CVE-2023-23376 (February 2023 Patch Tuesday, zero-day) CVE-2023-28252 (April 2023 Patch Tuesday, zero-day)

The consistent pattern, a new CLFS zero-day exploited in ransomware campaigns nearly every quarter, indicates that professional ransomware operators have invested significantly in CLFS exploit research and have a pipeline of vulnerabilities to use as each is patched.

This pattern also indicates that patching CVE-2023-28252 alone does not resolve the underlying risk. Microsoft has been working to harden the CLFS driver architecture, but the sustained series of exploitable parsing flaws reflects a complex legacy codebase with a wide attack surface.

CLFS is a particularly attractive target for ransomware groups because kernel-level code execution allows them to disable security products that otherwise protect against ransomware deployment. We have now identified five separate CLFS zero-days exploited in ransomware campaigns.

Kaspersky, April 2023
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Mitigating CVE-2023-28252

CVE-2023-28252 is patched in the April 2023 cumulative update for all affected Windows versions. There is no standalone mitigation, the vulnerability requires local code execution to exploit, so the prerequisite is preventing the initial access that enables local execution.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2023-28252 is a reminder that zero-days do not only appear in perimeter-facing software. Ransomware operators routinely purchase or develop kernel privilege escalation zero-days because they are high-value tools, they allow reliable SYSTEM access on any Windows machine, regardless of what endpoint security is installed. A kernel exploit bypasses protections that rely on user-mode agent integrity.

The CLFS zero-day series demonstrates that professional ransomware groups maintain exploit inventories and cycle through them as each is patched. Patching is necessary, but it solves last quarter's exploit. The more durable defence is reducing the initial access opportunities that allow ransomware operators to reach the privilege escalation stage in the first place.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2023-28252?

CVE-2023-28252 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver. A low-privileged local user can exploit a flaw in how CLFS parses specially crafted log files to corrupt kernel memory and achieve SYSTEM-level code execution. Exploitation requires local code execution, the attacker must already have access to the system at a low privilege level.

What is the Windows CLFS driver and why is it targeted?

The Windows Common Log File System (CLFS) is a general-purpose logging subsystem built into the Windows kernel, used by the kernel itself and many Windows subsystems for transaction logging. Because it operates in kernel mode and handles log files that can be manipulated from user mode, CLFS is an attractive privilege escalation target. Kaspersky documented five separate CLFS zero-days exploited in the wild between 2022 and 2023, all by ransomware operators.

Why do ransomware groups use Windows CLFS zero-days?

Ransomware operators typically gain initial access at a standard user privilege level (via phishing, credential theft, or exploiting a service). Before deploying ransomware, they need to escalate to SYSTEM or domain admin to disable security software, encrypt system files, and maximise impact. CLFS zero-days provide a reliable kernel-level privilege escalation step that bypasses EDR detection better than well-known public exploits.

Was CVE-2023-28252 a zero-day?

Yes. Kaspersky discovered CVE-2023-28252 being actively exploited by the Nokoyawa ransomware group before any patch existed. Microsoft patched it on April 11, 2023 as part of Patch Tuesday, explicitly noting in the advisory that the vulnerability was being exploited in the wild. It was one of two zero-days in the April 2023 Patch Tuesday.

Which Windows versions are affected by CVE-2023-28252?

All supported Windows versions are affected: Windows 10 (all supported versions), Windows 11, Windows Server 2008 R2 and later (all supported versions). The CLFS driver is a core Windows component present across all modern Windows releases. Apply the April 2023 cumulative update or later.

How does CVE-2023-28252 achieve kernel-level privilege escalation?

The CLFS driver processes log file metadata in kernel mode without sufficient bounds validation. CVE-2023-28252 is an out-of-bounds write: by crafting a specially structured CLFS log file and invoking CLFS APIs, a low-privileged user triggers a controlled kernel heap write that corrupts adjacent memory. The exploit overwrites kernel security-relevant data structures, specifically the process token, replacing it with a SYSTEM-level token. Nokoyawa ransomware used this technique to elevate from a compromised standard user account to SYSTEM privileges before executing their ransomware encryptor, bypassing UAC and EDR controls that monitor for unauthorized privilege escalation via other methods.

Sources & references

  1. NVD
  2. Microsoft Security Advisory CVE-2023-28252
  3. Kaspersky, Windows CLFS and Five Exploits Used by Ransomware Operators
  4. CISA Known Exploited Vulnerabilities Catalog

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.