The Play ransomware gang exploited a Windows Common Log File System flaw in zero-day attacks to deploy malware, gaining SYSTEM privileges on compromised systems.
The vulnerability, CVE-2025-29824, is a local privilege-escalation flaw; its exploitation in the wild by the Play ransomware gang has been confirmed.
Microsoft addressed the flaw in April's Patch Tuesday security updates, after it was added to the Known Exploited Vulnerabilities catalog by CISA.
The exploit was used by multiple threat actors before it was patched: it has been tied to the PipeMagic malware and the Storm-2460 threat group, and to the Balloonfly cybercrime group.