Play Ransomware Hit U.S. Organization Using Windows Zero-Day Exploit
Hackers affiliated with the Play ransomware group exploited a now-patched Windows zero-day vulnerability in an attack on a U.S.-based organization, according to cybersecurity researchers. The flaw, tracked as CVE-2025-29824, is a privilege escalation vulnerability in Microsoft's Common Log File System (CLFS) driver. It was being exploited in the wild before Microsoft released a fix.
The Symantec Threat Hunter Team, part of Broadcom, attributed the intrusion to threat actors linked to Play ransomware. Because the bug is a privilege escalation flaw rather than a remote code execution flaw, it does not by itself grant initial access; the attackers used it to gain higher system privileges on a machine they had already compromised. The affected organization, which has not been named, is located in the United States.
The incident highlights the continued use of zero-day exploits by ransomware operators, here to escalate privileges before a patch was available or applied. Microsoft has since addressed the flaw, but the attack underscores the need for organizations to apply security updates promptly and to monitor for post-compromise privilege escalation, since a patch alone does not undo access an intruder has already obtained. Further details about the breach and the impacted organization remain undisclosed.
