Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization
Summary:
In an attempted attack against a U.S. organization, threat actors linked to the Play ransomware group (Balloonfly) exploited a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS) driver to gain elevated privileges. Initial access was likely obtained through a vulnerable public-facing Cisco ASA firewall, allowing the attackers to pivot to a Windows machine within the network. Although no ransomware was deployed, the attackers dropped the Grixba infostealer, a tool associated with Balloonfly, and planted malicious files disguised as legitimate software to support reconnaissance and exploitation efforts.
After achieving privilege escalation through the CLFS exploit, the attackers created a malicious DLL to inject into the winlogon.exe process and used it to drop batch files. These scripts enabled registry hive dumping, creation of a backdoor user with admin privileges, and task scheduling to maintain persistent access and automate malicious activities. Researchers note that the exploitation involved complex manipulation of kernel memory by racing I/O operations, exploiting the asynchronous handling of file cleanup and control requests. Post-exploitation cleanup routines were also executed to erase artifacts and cover tracks, showing a high level of operational sophistication.
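The chain above (a thread created in winlogon.exe, registry hives dumped, a new local account added to Administrators, a scheduled task for persistence, and a cleanup pass) is visible in ordinary Windows Security and Sysmon telemetry, and is far more convincing when the steps are correlated per host than when each is alerted on alone. The following is an added example of that correlation logic, written by the editor; it is not code from the Symantec report or from the attackers' tooling. The event IDs are the real Windows/Sysmon ones, but the command-line patterns (reg.exe save, wevtutil cl), the staging directories, the account name and all sample events are constructed assumptions, since the report names the actions rather than the exact commands.

```python
"""Correlate the post-exploitation chain described above across Windows
Security and Sysmon events. Added example (editor's code, not Symantec's or
the attackers'). Event IDs are real; command patterns, directories and the
sample telemetry are assumptions constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed shapes of the described actions; the report names the actions, not the commands.
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:SAM|SYSTEM|SECURITY)\b", re.I)
LOG_WIPE = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b|\bdel\b.*\.hiv\b", re.I)
STAGING_DIR = re.compile(r"\\(?:Temp|ProgramData|Users\\Public)\\", re.I)


@dataclass
class Event:
    host: str
    source: str      # "Sysmon" or "Security"
    event_id: int    # Sysmon 1/8, Security 4720/4732/4698
    ts: int          # seconds; constructed timestamps
    fields: dict


def classify(ev):
    """Map one event to a signal name, or None if it is not interesting."""
    f = ev.fields
    if ev.source == "Sysmon" and ev.event_id == 8:          # CreateRemoteThread
        if f.get("TargetImage", "").lower().endswith("\\winlogon.exe"):
            return "winlogon_injection"
    elif ev.source == "Sysmon" and ev.event_id == 1:        # process creation
        cmd = f.get("CommandLine", "")
        if HIVE_DUMP.search(cmd):
            return "hive_dump"
        if LOG_WIPE.search(cmd):
            return "cleanup"
    elif ev.source == "Security" and ev.event_id == 4720:   # user account created
        return "user_created"
    elif ev.source == "Security" and ev.event_id == 4732:   # member added to local group
        if f.get("TargetUserName", "").lower() == "administrators":
            return "added_to_admins"
    elif ev.source == "Security" and ev.event_id == 4698:   # scheduled task created
        if STAGING_DIR.search(f.get("TaskContent", "")):
            return "task_persistence"
    return None


def detect_chain(events, window=1800):
    """Per host, report the distinct signals seen inside a `window`-second span when
    winlogon injection is accompanied by any other signal, or three or more distinct
    signals occur together. A lone admin-group change or reg.exe call is not reported."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        sig = classify(ev)
        if sig:
            per_host[ev.host].append((ev.ts, sig))
    alerts = {}
    for host, sigs in per_host.items():
        for i, (t0, _) in enumerate(sigs):
            kinds = {s for t, s in sigs[i:] if t - t0 <= window}
            if ("winlogon_injection" in kinds and len(kinds) >= 2) or len(kinds) >= 3:
                alerts[host] = sorted(kinds)
                break
    return alerts


def backdoor_accounts(events):
    """Accounts created (4720) and later added to Administrators (4732) on the same host."""
    created, found = set(), set()
    for ev in sorted(events, key=lambda e: e.ts):
        f = ev.fields
        if ev.source == "Security" and ev.event_id == 4720:
            created.add((ev.host, f["TargetUserName"].lower()))
        elif (ev.source == "Security" and ev.event_id == 4732
              and f.get("TargetUserName", "").lower() == "administrators"):
            member = f.get("MemberName", "").split("\\")[-1].lower()
            if (ev.host, member) in created:
                found.add(member)
    return found


# Constructed sample telemetry: WS01 shows the full chain, WS02 shows benign admin activity.
SAMPLE_EVENTS = [
    Event("WS01", "Sysmon", 8, 100, {"SourceImage": r"C:\Windows\Temp\setup.exe", "TargetImage": r"C:\Windows\System32\winlogon.exe"}),
    Event("WS01", "Sysmon", 1, 105, {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"}),
    Event("WS01", "Sysmon", 1, 106, {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"}),
    Event("WS01", "Security", 4720, 110, {"TargetUserName": "svcupdate"}),
    Event("WS01", "Security", 4732, 111, {"TargetUserName": "Administrators", "MemberName": r"WS01\svcupdate"}),
    Event("WS01", "Security", 4698, 120, {"TaskName": r"\Microsoft\Windows\Sysupdate", "TaskContent": r"<Exec><Command>C:\ProgramData\update.bat</Command></Exec>"}),
    Event("WS01", "Sysmon", 1, 130, {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c del /q C:\Windows\Temp\*.hiv & wevtutil cl Security"}),
    Event("WS02", "Sysmon", 1, 200, {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"}),
    Event("WS02", "Security", 4732, 210, {"TargetUserName": "Administrators", "MemberName": r"WS02\jdoe"}),
    Event("WS02", "Security", 4698, 220, {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "TaskContent": r"<Exec><Command>%windir%\system32\defrag.exe</Command></Exec>"}),
]

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))      # {'WS01': ['added_to_admins', 'cleanup', 'hive_dump', 'task_persistence', 'user_created', 'winlogon_injection']}
    print(backdoor_accounts(SAMPLE_EVENTS))  # {'svcupdate'}
```

The point of the window is that none of these signals is rare on its own: help-desk staff add users to Administrators, and backup agents call reg.exe. What distinguishes this incident is the combination on one host in a short span, with a thread injected into winlogon.exe as the anchor that justifies alerting on even one further signal. Sysmon event 8 requires a configuration that logs CreateRemoteThread, and Security event 4698 requires the "Audit Other Object Access Events" subcategory to be enabled; without those, the detection degrades to the hive-dump and account-creation signals alone.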
Security Officer Comments:
The latest incident underscores a growing trend among ransomware groups leveraging zero-day vulnerabilities to gain initial access and escalate privileges, setting the stage for destructive attacks. For example, in 2024, Cl0p ransomware actors exploited a previously unknown vulnerability (CVE-2024-50623) in Cleo’s managed file transfer platforms (Harmony, VLTrader, and LexiCom) to breach dozens of organizations and exfiltrate sensitive data later used as leverage in ransom demands.
In terms of the recent exploitation of CVE-2025-29824, Microsoft reported that the vulnerability, which it patched in its April 2025 security updates, had also been weaponized through the PipeMagic malware associated with the Storm-2460 group, which has a history of deploying ransomware. This overlap suggests that multiple threat actors had access to the exploit prior to its disclosure and patching, raising the possibility of shared tooling or a common exploit supplier within the cybercriminal ecosystem. While it remains unclear whether the Play ransomware operators were the first to discover the vulnerability, the use of the same exploit by distinct groups in the same period points to exploitation that was broader than a single intrusion, and organizations that had not applied the April update should treat the CLFS bug as actively exploited rather than theoretical.
Suggested Corrections:
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because, if your network data is encrypted by ransomware, they are what allows your organization to restore systems without paying.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program. In this incident both the likely entry point (a vulnerable public-facing Cisco ASA firewall) and the privilege-escalation bug (CVE-2025-29824 in the CLFS driver) were patchable, so internet-facing appliance firmware and kernel-level Windows updates deserve priority over less exposed software.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls, so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most commonly abused attack vector for organizations. Users should be trained on how to recognize and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services even when a password is phished.
Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.
Link(s):
https://www.security.com/threat-intelligence/play-ransomware-zero-day