Ransomware Attackers Leveraged Privilege Escalation Zero-day
Broadcom, Wednesday, May 7th, 2025
Exploit used by Play-linked attackers targets the CVE-2025-29824 zero-day vulnerability patched on April 8.
Attackers linked to the Play ransomware operation deployed a zero-day privilege escalation exploit during an attempted attack against an organization in the U.S. The attack occurred prior to the disclosure and patching of a Windows elevation of privilege zero-day vulnerability (CVE-2025-29824) in the Common Log File System Driver (clfs.sys) on April 8, 2025.
Although no ransomware payload was deployed in the intrusion, the attackers did deploy the Grixba infostealer, a custom tool associated with Balloonfly, the group behind the Play ransomware operation.