The Play ransomware gang has exploited a Windows Common Log File System flaw, tracked as CVE-2025-29824, in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
The vulnerability CVE-2025-29824 (CVSS score of 7.8) is a use-after-free in the Windows Common Log File System Driver that allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this flaw could gain SYSTEM privileges. Microsoft confirmed that the vulnerability has been exploited in attacks in the wild.
In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
Microsoft addressed the flaw in April’s Patch Tuesday security updates, and the IT giant confirmed that the flaw has been exploited in a limited number of attacks against entities worldwide, including organizations in the information technology (IT) and real estate sectors of the United States, and the retail sector in Saudi Arabia.
Researchers at Symantec’s Threat Hunter Team reported that the Play ransomware gang used a CVE-2025-29824 zero-day exploit in an attack against a U.S. organization.
“Attackers linked to the Play ransomware operation deployed a zero-day privilege escalation exploit during an attempted attack against an organization in the U.S. The attack occurred prior to the disclosure and patching of a Windows elevation of privilege zero-day vulnerability (CVE-2025-29824) in the Common Log File System Driver (clfs.sys) on April 8, 2025.” reads the report published by Symantec. “Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation.”
The Balloonfly cybercrime group has been active since at least June 2022 and is known for using the Play ransomware (also known as PlayCrypt) in attacks. The group targeted a large number of organizations in North America, South America, and Europe.
According to Symantec, attackers exploited a public-facing Cisco ASA firewall as the initial infection vector. Once they gained access to a Windows system, they deployed tools like Grixba and the CVE-2025-29824 exploit. The attackers used PowerShell to gather information from Active Directory, exploited the vulnerability in the CLFS driver to gain higher privileges, and ran malicious DLLs and scripts to steal credentials. The attackers also created admin accounts and performed operations to cover their tracks. The exploit abused race conditions in the driver's memory handling to gain kernel access, manipulate files, and maintain persistence using scheduled tasks.
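The post-exploitation behaviours described above (new admin accounts followed by scheduled-task persistence) are the kind of activity a defender can correlate in Windows Security logs regardless of which privilege-escalation bug was used. The following is an added detection sketch, not code from Symantec or from the report; it uses the real Windows Security event IDs 4720 (user account created), 4732 (member added to a security-enabled local group) and 4698 (scheduled task created), but the record format, field names and sample events are constructed for illustration rather than taken from real EVTX data.

```python
"""Correlate account creation, Administrators-group membership and scheduled-task
creation on the same host within a short window.

Hypothetical detection helper added as an example; the event records and the
'Key=Value' detail format are constructed, not real Windows log output.
"""
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, host, subject_user, detail).
# 4720 = user account created, 4732 = member added to security-enabled local group,
# 4698 = scheduled task created. Values such as MemberName are simplified here
# (real 4732 events carry SIDs, not plain names).
SAMPLE_EVENTS = [
    ("2025-04-01T10:02:11", 4720, "WS01", "SYSTEM", "TargetUserName=svc_backup"),
    ("2025-04-01T10:02:40", 4732, "WS01", "SYSTEM",
     "TargetUserName=Administrators MemberName=svc_backup"),
    ("2025-04-01T10:05:03", 4698, "WS01", "svc_backup", "TaskName=\\Updater"),
    # Benign: a helpdesk user creates an ordinary account, no admin add, no task.
    ("2025-04-01T13:30:00", 4720, "WS02", "helpdesk", "TargetUserName=jsmith"),
]


def parse_detail(detail):
    """Turn the constructed 'Key=Value Key2=Value2' string into a dict."""
    fields = {}
    for token in detail.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def correlate(events, window_minutes=30):
    """Return one alert per (host, account) where the account was created, added to
    Administrators, and then used to register a scheduled task, each step within
    `window_minutes` of the previous one."""
    window = timedelta(minutes=window_minutes)
    created = {}  # (host, account) -> time of the 4720 event
    promoted = {}  # (host, account) -> time the account joined Administrators
    alerts = []
    # ISO-8601 timestamps sort lexically, so sorting the tuples orders them in time.
    for ts, event_id, host, subject, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        fields = parse_detail(detail)
        if event_id == 4720:
            created[(host, fields.get("TargetUserName"))] = when
        elif event_id == 4732 and fields.get("TargetUserName") == "Administrators":
            key = (host, fields.get("MemberName"))
            if key in created and when - created[key] <= window:
                promoted[key] = when
        elif event_id == 4698:
            key = (host, subject)  # the task was registered by the new account
            if key in promoted and when - promoted[key] <= window:
                alerts.append({
                    "host": host,
                    "account": subject,
                    "task": fields.get("TaskName"),
                    "first_seen": created[key].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Running the script on the constructed sample flags the WS01 chain and ignores the ordinary account creation on WS02; tightening `window_minutes` to a value shorter than the gap between the group change and the task creation suppresses the alert, which is the knob to tune against your own baseline of legitimate provisioning activity.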
The CVE-2025-29824 exploit was used by multiple threat actors before being patched. Microsoft linked it to PipeMagic malware and Storm-2460, while Symantec observed different, non-fileless use by Balloonfly.
“While the use of zero-day vulnerabilities by ransomware actors is rare, it is not unprecedented.” concludes the report.