🟢 CVE-2025-62221

A use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver allows local privilege escalation. Although it is listed in CISA KEV, which indicates active exploitation, it requires local authenticated access and cannot be exploited directly from the internet.

← Back to Overview
Risk Level: LOW_RISK

CVSS Score: 7.8

Attack Vector: LOCAL

ATT&CK Tactic: Privilege Escalation

ATT&CK Technique: T1068 - Exploitation for Privilege Escalation

Deployment Risk: LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-12-09

Added to CISA KEV: 2025-12-09 (0 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-62221 is a high-severity security vulnerability affecting the Windows Cloud Files Mini Filter Driver (`cldflt.sys`) [6] [7]. Below is the summary of known information regarding this flaw:

Active Exploitation and Threat Actor Usage
  • Status: The vulnerability was identified as being under active exploitation in the wild at the time of its disclosure in December 2025 [4] [5].
  • CISA KEV: Due to its active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 30, 2025 [1].

Attack Method and Exploitation Requirements
  • Vulnerability Type: It is a use-after-free vulnerability within the Windows Cloud Files Mini Filter Driver [2] [4].
  • Access Level: Exploitation requires an authorized (authenticated) attacker to perform the attack locally [2].
  • User Interaction: It is generally considered a local privilege escalation (LPE) flaw, meaning it does not typically require remote user interaction to trigger, provided the attacker already has a foothold on the system.

Impact and Usage in Campaigns
  • Impact: Successful exploitation allows an attacker to elevate privileges locally on the affected system [2].
  • Campaigns: While it was actively exploited in the wild, specific details linking it to widespread ransomware campaigns or specific advanced persistent threat (APT) groups are often limited in public disclosures, though its inclusion in the CISA KEV catalog confirms it was used in real-world attacks [1].

Proof-of-Concept (PoC) Availability
  • Publicly available proof-of-concept demonstrations have been identified, often focusing on the failure in the temporal management of memory object lifecycles within the Windows kernel-mode executive [3].

Affected Products and Patch Status
  • Affected Product: The vulnerability resides in the Windows Cloud Files Mini Filter Driver, which is a core component of the Windows operating system [2].
  • Patch Status: Microsoft released security fixes for this vulnerability as part of the December 2025 Patch Tuesday cycle [5] [1]. Users and administrators are advised to ensure all Windows systems are updated to the latest security baseline to mitigate this risk.

Sources

  1. Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit ...

    The exploitation of CVE-2025-62221 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the patch by December 30, 2025. The remaining two zero…

  2. CVE-2025-62221 Detail - NVD

    Description. Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. Metrics. CVSS Version 4.0…

  3. Teodor1231241/DEMO-Proof-of-Concept-Temporal-Memory ...

    The CVE-2025-62221 vulnerability stems from a critical failure in the temporal management of memory object lifecycles within the Windows kernel-mode executive ...

  4. CVE-2025-62221 and CVE-2025-54100: Windows Elevation of ...

    The actively exploited flaw, CVE-2025-62221, is a use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter ... Explore details for CVE-2025-62221 and CVE-2025-54100 zero-day vulnerabilities in Windows products, with an in-depth analysis on our SOC Prime blog.

  5. December 2025 Patch Tuesday Analysis - Fortra

    In-The-Wild & Disclosed CVEs. CVE-2025-62221. A use after free vulnerability in the Windows Cloud Files Mini Filter could allow an authenticated ...

  6. CVE-2025-62221 | Microsoft Windows Vulnerability | UpGuard

    CVE-2025-62221 is a high-severity privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver, currently under active exploitation.

  7. CVE-2025-62221 - Exploits & Severity - Feedly

    Dec 9, 2025 at 10:14 AM / Cyber Security News CVE Assignment NVD published the first details for CVE-2025-62221 Dec 9, 2025 at 10:15 AM Threat Intelligence Report CVE-2025-62221 is a critical elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver, assigned a CVSSv3 score…