Windows Cloud Files Mini Filter Driver Privilege Escalation Vulnerability (CVE-2025-62221)
Microsoft released a security update in December 2025 addressing a critical privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver, tracked as CVE-2025-62221. This flaw allows authenticated local attackers to elevate privileges to SYSTEM by exploiting a use-after-free condition in the kernel driver, which arises when the driver fails to reset a pointer after releasing a kernel object. The vulnerability has a CVSS score of 7.8 and has been actively exploited in the wild, prompting urgent patching recommendations from security researchers and vendors.
The December 2025 Patch Tuesday included fixes for 57 vulnerabilities across Microsoft products, but CVE-2025-62221 was highlighted as one of the most severe due to its exploitation status and potential impact on enterprise environments. Security advisories emphasized the need for immediate patching, as the vulnerability was included in CISA's Known Exploited Vulnerabilities catalog and listed among the most exploited vulnerabilities of the year. Organizations are urged to apply the update promptly to mitigate the risk of privilege escalation attacks leveraging this flaw.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA sets December 30 deadline to remediate CVE-2025-62221
Alongside the KEV listing, CISA set a remediation deadline of 2025-12-30 for federal agencies to address the Windows Cloud Files Mini Filter vulnerability. The agency warned that unpatched systems faced a high risk of privilege escalation and broader compromise.
CISA adds CVE-2025-62221 to the KEV catalog
CISA added CVE-2025-62221 to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency required federal civilian agencies to remediate the issue under BOD 22-01.
Microsoft discloses CVE-2025-54100 PowerShell RCE zero-day
Microsoft also disclosed CVE-2025-54100, a remote code execution vulnerability in Windows PowerShell. The flaw could be exploited through social engineering, but the references state it had not yet been observed in active attacks at the time of disclosure.
Microsoft discloses CVE-2025-62221 as an exploited Windows zero-day
Microsoft's December updates included CVE-2025-62221, a use-after-free elevation-of-privilege flaw in the Windows Cloud Files Mini Filter Driver. The vulnerability was reported as actively exploited in the wild and could allow a local attacker to gain SYSTEM privileges.
Microsoft releases December 2025 security updates for 57 vulnerabilities
In December 2025, Microsoft issued its monthly security updates addressing 57 vulnerabilities across Windows, Office, Exchange Server, Azure, and related products. The release included multiple critical flaws and zero-days, and Microsoft urged organizations to patch affected systems immediately.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CISA Warns of Windows Cloud Files Mini Filter 0-Day Vulnerability Exploited in Attacks
cybersecuritynews.com
Open sourceTop 20 Most Exploited Vulnerabilities of 2025: A Comprehensive Analysis
cybersecuritynews.com
Open sourceCVE-2025-62221 and CVE-2025-54100: Windows Elevation of Privilege and RCE Zero-Day Vulnerabilities Patched
socprime.com
Open sourceMicrosoft’s December Security Update of High-Risk Vulnerability Notice for Multiple Products
nsfocusglobal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Windows Cloud Files Mini Filter Driver Privilege Escalation Flaws
Microsoft disclosed **CVE-2025-62221** and **CVE-2025-62454**, two elevation-of-privilege vulnerabilities in the **Windows Cloud Files Mini Filter Driver**, and released security updates to address them. The company identified **CVE-2025-62221** as an **Important** flaw caused by a **use-after-free** condition (`CWE-416`) that could allow a local attacker with low privileges to gain **SYSTEM** privileges without user interaction. Microsoft assigned **CVE-2025-62221** a **CVSS v3.1 score of 7.8** and said exploitation had been detected **in the wild** at the time of disclosure, although the vulnerability had not been publicly disclosed beforehand. Advisory listings for **CVE-2025-62454** also classify it as a Windows Cloud Files Mini Filter Driver elevation-of-privilege issue, indicating multiple privilege-escalation weaknesses in the same Windows component were addressed in the release.
Jun 3, 2026
Active Exploitation of Windows Cloud Files Mini Filter Driver and WinRAR Vulnerabilities
Microsoft released security updates addressing 56 vulnerabilities across its Windows platform, including a critical use-after-free flaw in the Windows Cloud Files Mini Filter Driver (CVE-2025-62221) that has been actively exploited in the wild. This vulnerability allows local attackers to escalate privileges to SYSTEM level, posing a significant risk to Windows systems, especially those using cloud storage features like OneDrive, Google Drive, or iCloud. The December 2025 Patch Tuesday also included fixes for other critical and important vulnerabilities, with Microsoft having patched over 1,000 CVEs for the second consecutive year. CISA has added both CVE-2025-62221 and CVE-2025-5618 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting their active exploitation and the urgent need for remediation. CVE-2025-5618 is a directory traversal remote code execution vulnerability in WinRAR, allowing attackers to craft malicious archives that bypass directory restrictions and execute arbitrary code upon extraction. Both vulnerabilities are being leveraged in real-world attacks, prompting federal agencies and organizations to prioritize patching to prevent persistence, lateral movement, and data exfiltration by threat actors.
Mar 21, 2026
Windows Privilege Escalation Flaws Hit CLFS and Cloud Files Drivers
Microsoft disclosed multiple Windows local privilege escalation vulnerabilities affecting kernel-level drivers, including **Windows Common Log File System (CLFS) Driver** flaws tracked as `CVE-2023-23376` and `CVE-2023-28252`, as well as a **Windows Cloud Files Mini Filter Driver** flaw tracked as `CVE-2025-62454`. All three issues were classified as **Elevation of Privilege** vulnerabilities in Microsoft's Security Update Guide. The advisories indicate that successful exploitation could allow an attacker who already has access to a target system to gain higher privileges through vulnerable Windows driver components. The affected bugs span separate Windows subsystems but share the same core risk: attackers can abuse low-level driver weaknesses to move from limited access toward more powerful control over compromised machines, reinforcing the need to prioritize Microsoft security updates for Windows kernel and file-system-related components.
May 25, 2026