Play ransomware affiliate leveraged zero-day to deploy malware

The Play ransomware gang has recently made headlines by exploiting a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824. This zero-day flaw has allowed the group to gain SYSTEM privileges and deploy malware on compromised systems, showcasing a sophisticated approach to cyberattacks.

CVE-2025-29824, which carries a CVSS score of 7.8, is categorized as a “Use after free” vulnerability within the Windows Common Log File System Driver. This flaw enables an authorized attacker to elevate privileges locally, a capability that has been confirmed to have been exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recognized the severity of this vulnerability and added it to its Known Exploited Vulnerabilities (KEV) catalog in April.

Microsoft addressed this vulnerability during its April Patch Tuesday security updates. However, the company acknowledged that it had been exploited in a limited number of attacks targeting various sectors, including information technology and real estate in the United States, as well as the retail sector in Saudi Arabia.

According to researchers from Symantec’s Threat Hunter Team, the Play ransomware gang utilized the CVE-2025-29824 exploit in an attack against a U.S. organization. The report highlighted that the attackers executed a zero-day privilege escalation exploit prior to the public disclosure and patching of the vulnerability on April 8, 2025. Although the attackers did not deploy a ransomware payload during this intrusion, they did use the Grixba infostealer, a custom tool associated with the Balloonfly group, which is linked to the Play ransomware operation.

The Balloonfly cybercrime group has been active since at least June 2022, primarily known for employing Play ransomware (also referred to as PlayCrypt) in its attacks. This group has targeted numerous organizations across North America, South America, and Europe.

Symantec’s findings indicate that the attackers initially exploited a public-facing Cisco ASA firewall to gain entry. Once inside a Windows system, they deployed tools such as Grixba alongside the CVE-2025-29824 exploit. Utilizing PowerShell, they gathered information from Active Directory, exploited the CLFS driver vulnerability to escalate privileges, and executed malicious DLLs and scripts to steal credentials. Additionally, the attackers created administrative accounts and took measures to obscure their activities. The exploit capitalized on race conditions in driver memory handling, allowing them to gain kernel access, manipulate files, and maintain persistence through scheduled tasks.
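Two of the post-exploitation signals described above, newly created accounts being promoted to local Administrators and scheduled tasks being registered for persistence, leave records in the Windows Security log (event IDs 4720 for account creation, 4732 for a member added to a local group, 4698 for a scheduled task created). The following detector is an added example written for this page; it is not Symantec's, Microsoft's or the attackers' tooling. It runs over a constructed, simplified text rendering of those events (the hosts, account names, task path and pipe-delimited layout are all assumptions) and correlates the events rather than alerting on any single one, which keeps ordinary help-desk account creation out of the findings.

```python
"""Correlation rules for two persistence signals: account creation quickly
followed by promotion to Administrators, and scheduled tasks created by a
brand-new account.  Example code added for this article (not from the
Symantec report); the log format and all names below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log.  Real Security-log events carry many more fields;
# this toy layout is timestamp|event_id|key=value;key=value.
SAMPLE_LOG = r"""
2025-04-01T10:00:01|4624|subject=CORP\jdoe;logon_type=3
2025-04-01T10:02:10|4720|subject=CORP\jdoe;target=CORP\svc_backup2
2025-04-01T10:02:15|4732|subject=CORP\jdoe;member=CORP\svc_backup2;group=Administrators
2025-04-01T10:03:40|4698|subject=CORP\svc_backup2;task=\Microsoft\Windows\Update\Sync;command=powershell.exe -enc AAAA
2025-04-02T09:00:00|4720|subject=CORP\helpdesk;target=CORP\newhire
2025-04-03T09:00:00|4732|subject=CORP\helpdesk;member=CORP\newhire;group=Remote Desktop Users
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: dict


def parse_log(text: str) -> list:
    """Parse the toy pipe-delimited format into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, rest = line.split("|", 2)
        # Each field is key=value; split on the first '=' only so that
        # command lines containing '=' survive intact.
        fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
        events.append(Event(datetime.fromisoformat(ts), int(eid), fields))
    return sorted(events, key=lambda e: e.ts)


def detect_quick_admin_promotion(events, window=timedelta(minutes=10)):
    """Flag accounts created (4720) and added to Administrators (4732) within
    `window`.  Returns (promoted_account, actor) pairs."""
    created = {}  # account -> creation time
    findings = []
    for ev in events:
        if ev.event_id == 4720:
            created[ev.fields["target"]] = ev.ts
        elif ev.event_id == 4732 and ev.fields.get("group") == "Administrators":
            member = ev.fields.get("member")
            t0 = created.get(member)
            if t0 is not None and ev.ts - t0 <= window:
                findings.append((member, ev.fields["subject"]))
    return findings


def detect_tasks_from_new_accounts(events, window=timedelta(hours=24)):
    """Flag scheduled tasks (4698) registered by an account that was itself
    created within `window`.  Returns (account, task_path) pairs."""
    created = {}
    findings = []
    for ev in events:
        if ev.event_id == 4720:
            created[ev.fields["target"]] = ev.ts
        elif ev.event_id == 4698:
            actor = ev.fields.get("subject")
            t0 = created.get(actor)
            if t0 is not None and ev.ts - t0 <= window:
                findings.append((actor, ev.fields.get("task", "?")))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for acct, actor in detect_quick_admin_promotion(evs):
        print(f"ALERT new admin {acct} promoted by {actor} shortly after creation")
    for acct, task in detect_tasks_from_new_accounts(evs):
        print(f"ALERT scheduled task {task} registered by newly created {acct}")
```

On the sample, the `svc_backup2` account is flagged by both rules, while `newhire` (added only to Remote Desktop Users, a day after creation) is not. Against a real environment the same logic would be fed from the Security channel, and the time windows should be tuned to the organisation's provisioning workflow.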

Before the patch was released, the CVE-2025-29824 exploit was reportedly used by multiple threat actors. Microsoft has linked it to the PipeMagic malware and the threat actor it tracks as Storm-2460, while Symantec noted distinct, non-fileless usage by Balloonfly.

While the deployment of zero-day vulnerabilities by ransomware actors is relatively uncommon, it is not without precedent, as highlighted in the Symantec report.
