- Total News Sources
- 1
- Left
- 0
- Center
- 1
- Right
- 0
- Unrated
- 0
- Last Updated
- 23 days ago
- Bias Distribution
- 100% Center


Play Ransomware Exploits Windows Flaw in Global Attacks
The Play ransomware gang exploited a high-severity zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System driver to gain SYSTEM privileges and deploy malware on targeted systems. The flaw enabled attackers to escalate privileges locally, and Microsoft confirmed its exploitation in limited attacks against organizations in the U.S. IT and real estate sectors, Venezuela’s financial sector, a Spanish software company, and Saudi Arabia’s retail sector. While some attacks did not result in ransomware deployment, the attackers used a custom infostealer tool called Grixba, associated with the Balloonfly group behind Play ransomware. Microsoft and Symantec linked exploitation activity to both the Play ransomware operators and the threat group Storm-2460, which used the PipeMagic backdoor malware in its campaigns. The attacks underscore the value ransomware groups place on privilege escalation vulnerabilities for expanding access within compromised networks. Microsoft addressed the flaw in April 2025’s Patch Tuesday, urging organizations to apply the fix to mitigate ongoing threats.
