Threat actors associated with the Play ransomware group exploited a Windows zero-day vulnerability, CVE-2025-29824, before Microsoft patched it. The flaw, in the Common Log File System (CLFS) driver, let the attackers escalate privileges on a host they had already compromised, deploy custom malware disguised as Palo Alto Networks tools, and extract sensitive registry hives. The intrusion targeted a U.S. organization and illustrates a growing trend of ransomware groups using zero-day vulnerabilities in their operations. Note that a CLFS driver bug of this kind is a local elevation-of-privilege flaw: it serves the post-access stage of an intrusion (going from a foothold to SYSTEM), not initial access, so patching it limits the blast radius of a compromise rather than preventing the break-in itself.
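The summary does not say how the registry hives were extracted. As an added example (not code from the original page or from any vendor's reporting on this intrusion), the following Python checks Windows process-creation records for the most common technique, reg.exe saving or exporting the SAM, SECURITY and SYSTEM hives, and then flags hosts where the SYSTEM hive was taken together with SAM or SECURITY, the pair an attacker needs to recover hashes or LSA secrets offline. The event records are constructed here, and the field names (host, user, command_line) are assumptions standing in for whatever a Sysmon Event ID 1 or Security 4688 pipeline emits.

```python
import re

# Hives whose on-disk copies yield credential material: SAM (local account
# hashes), SECURITY (LSA secrets, cached domain logons), SYSTEM (the boot key
# required to decrypt the other two).
SENSITIVE_HIVES = ("SAM", "SECURITY", "SYSTEM")

# Matches 'reg save HKLM\SAM ...' and '"...\reg.exe" export "HKEY_LOCAL_MACHINE\SECURITY" ...'.
# Quoting, letter case, extra spaces and the HKLM/HKEY_LOCAL_MACHINE spelling
# all vary in real command lines, so the pattern tolerates each of them.
_HIVE_RE = re.compile(
    r"""\breg(?:\.exe)?["']?\s+(save|export)\s+["']?(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SECURITY|SYSTEM)\b""",
    re.IGNORECASE,
)


def find_hive_dumps(events):
    """Return one finding per process-creation event whose command line saves
    a credential-bearing hive with reg.exe. Each event is a dict with the
    (assumed) keys 'host', 'user' and 'command_line'."""
    findings = []
    for ev in events:
        m = _HIVE_RE.search(ev.get("command_line", ""))
        if not m:
            continue
        findings.append({
            "host": ev.get("host"),
            "user": ev.get("user"),
            "verb": m.group(1).lower(),
            "hive": m.group(2).upper(),
            "command_line": ev["command_line"],
        })
    return findings


def hosts_with_decryptable_dump(findings):
    """Hosts where SYSTEM was saved alongside SAM or SECURITY. A lone SAM copy
    is useless without the boot key from SYSTEM, so this pairing is the
    higher-confidence signal worth paging on."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["hive"])
    return sorted(h for h, hives in by_host.items()
                  if "SYSTEM" in hives and hives & {"SAM", "SECURITY"})


# Constructed sample records: two hive saves on WS01 and benign reg usage on WS02.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": r"reg  save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": r'"C:\Windows\System32\reg.exe" save "HKEY_LOCAL_MACHINE\SYSTEM" C:\Windows\Temp\sys.hiv'},
    {"host": "WS02", "user": "CORP\\alice",
     "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "WS02", "user": "CORP\\alice",
     "command_line": r"reg export HKCU\Software\MyApp C:\Users\alice\myapp.reg"},
]

if __name__ == "__main__":
    hits = find_hive_dumps(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']} {h['user']} {h['verb']} {h['hive']}: {h['command_line']}")
    print("hosts with decryptable dump:", hosts_with_decryptable_dump(hits))
```

Because the hives are only readable as SYSTEM, every hit is also evidence that privilege escalation already succeeded, which is the stage the CLFS flaw serves. Some backup and imaging agents legitimately save these hives, so baseline the parent process and user before alerting, and pair this with alerts on attacker tooling that reads the hives through other means (direct volume access, shadow copies), which reg.exe matching will not see.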