In early May 2025, researchers from Symantec's Threat Hunter Team reported that the Play ransomware group had exploited a zero-day vulnerability in Microsoft Windows, tracked as CVE-2025-29824, to breach a U.S.-based organization. The flaw is an elevation-of-privilege bug in the Common Log File System (CLFS) driver; Microsoft patched it in April 2025, after the intrusion took place.
The attackers likely gained initial access through a public-facing Cisco Adaptive Security Appliance (ASA). Once inside, they moved laterally within the network and deployed a custom information stealer named Grixba, which was disguised as legitimate Palo Alto Networks software and dropped in the Music folder.
During the exploitation process, two files were created in the "C:\ProgramData\SkyPDF" directory:
PDUDrv.blf: a CLFS base log file left behind by the exploit, useful as a forensic artifact of CVE-2025-29824 abuse.
clssrv.inf: a DLL (despite the .inf extension) injected into the "winlogon.exe" process, which in turn drops two batch files.
The first batch file, "servtask.bat," escalated privileges, dumped the SAM, SYSTEM and SECURITY registry hives (SAM holds local account password hashes, SYSTEM the boot key needed to decrypt them), and created a new local user named "LocalSvc" that was added to the Administrators group. The second, "cmdpostfix.bat," cleaned up traces of the intrusion.
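The artifacts above are concrete enough to hunt for. The script below is an added example written for this page, not Symantec's or The Hacker News' tooling: it runs a handful of rules over constructed, Sysmon-style telemetry (file creates, image loads, process creates) and flags the SkyPDF drop files, a non-DLL module loaded into winlogon.exe, `reg save` of the SAM/SYSTEM/SECURITY hives, and a freshly created account being added to Administrators. The exact command lines (`reg save`, `net user ... /add`, `net localgroup administrators ... /add`) and the event format are assumptions; the article does not publish the batch file contents.

```python
"""Hunt for Play / CVE-2025-29824 post-exploitation artifacts in endpoint telemetry.

Example code added to this page (not from the article or Symantec).
Event shape and command lines are assumptions; sample events are constructed.
"""
import re
from dataclasses import dataclass

SKYPDF_DIR = r"c:\programdata\skypdf"
ARTIFACT_FILES = {"pdudrv.blf", "clssrv.inf"}   # from the article
KNOWN_ACCOUNT = "localsvc"                        # from the article

# Assumed command-line forms for hive dumping and local admin creation.
HIVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)
NET_USER_ADD_RE = re.compile(r"\bnet(?:1|\.exe)?\s+user\s+(\S+)\s+.*?/add\b", re.I)
NET_ADMIN_ADD_RE = re.compile(
    r"\bnet(?:1|\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


# Constructed telemetry, loosely shaped after Sysmon events 11 (file create),
# 7 (image load) and 1 (process create). Not real log data.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "ws01", "path": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"type": "file_create", "host": "ws01", "path": r"C:\ProgramData\SkyPDF\clssrv.inf"},
    {"type": "image_load", "host": "ws01", "process": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\ProgramData\SkyPDF\clssrv.inf"},
    {"type": "process_create", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save HKLM\SAM C:\ProgramData\SkyPDF\sam.hiv"},
    {"type": "process_create", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save HKLM\SYSTEM C:\ProgramData\SkyPDF\system.hiv"},
    {"type": "process_create", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user LocalSvc P@ssw0rd! /add"},
    {"type": "process_create", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net localgroup administrators LocalSvc /add"},
    # Benign noise that must not fire.
    {"type": "process_create", "host": "ws02", "parent": "explorer.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft"},
    {"type": "file_create", "host": "ws02", "path": r"C:\Users\bob\Music\song.mp3"},
]


def hunt(events):
    """Return a list of Findings for the events, in stream order."""
    findings = []
    created = set()  # (host, user) pairs seen in a 'net user ... /add'
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "file_create":
            directory, _, name = ev["path"].lower().rpartition("\\")
            if directory == SKYPDF_DIR and name in ARTIFACT_FILES:
                findings.append(Finding("skypdf_artifact", host, ev["path"]))
        elif kind == "image_load":
            # Heuristic: winlogon.exe loading a module whose name is not .dll/.exe.
            if (ev["process"].lower().endswith("\\winlogon.exe")
                    and not ev["image"].lower().endswith((".dll", ".exe"))):
                findings.append(Finding("winlogon_odd_module", host, ev["image"]))
        elif kind == "process_create":
            cmd = ev["cmdline"]
            if m := HIVE_RE.search(cmd):
                findings.append(Finding("hive_dump", host, f"{m.group(1).upper()}: {cmd}"))
            if m := NET_USER_ADD_RE.search(cmd):
                user = m.group(1).lower()
                created.add((host, user))
                if user == KNOWN_ACCOUNT:
                    findings.append(Finding("play_account_name", host, m.group(1)))
            if m := NET_ADMIN_ADD_RE.search(cmd):
                user = m.group(1).lower()
                # Only flag accounts created earlier in the same stream; routine
                # admin-group changes for pre-existing accounts stay quiet.
                if (host, user) in created:
                    findings.append(Finding("new_local_admin", host, m.group(1)))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}\t{f.rule}\t{f.detail}")
```

The "new_local_admin" rule deliberately keys on a create-then-elevate sequence rather than on the name LocalSvc alone, so it still fires if the actor renames the account; the name match is kept as a separate, higher-confidence rule. In production you would feed it parsed Sysmon or EDR events instead of the constructed list.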
Notably, no ransomware payload was deployed during this attack; only the Grixba stealer and the post-exploitation scripts were observed, which points to reconnaissance and credential or data theft rather than encryption. Symantec's findings indicate that exploits for CVE-2025-29824 may have been available to multiple threat actors before Microsoft's patch was released. The incident underscores the growing trend of ransomware groups leveraging zero-day vulnerabilities to infiltrate target networks.
SOURCE: https://thehackernews.com/2025/05/play-ransomware-exploited-windows-cve.html