Windows Privilege Escalation Flaws Hit CLFS and Cloud Files Drivers
Microsoft disclosed multiple Windows local privilege escalation vulnerabilities affecting kernel-level drivers, including Windows Common Log File System (CLFS) Driver flaws tracked as CVE-2023-23376 and CVE-2023-28252, as well as a Windows Cloud Files Mini Filter Driver flaw tracked as CVE-2025-62454. All three issues were classified as Elevation of Privilege vulnerabilities in Microsoft's Security Update Guide.
The advisories indicate that successful exploitation could allow an attacker who already has access to a target system to gain higher privileges through vulnerable Windows driver components. The affected bugs span separate Windows subsystems but share the same core risk: attackers can abuse low-level driver weaknesses to move from limited access toward more powerful control over compromised machines, reinforcing the need to prioritize Microsoft security updates for Windows kernel and file-system-related components.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2025-62454 in Windows Cloud Files Mini Filter Driver
Microsoft published a Security Update Guide entry for CVE-2025-62454, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.
Microsoft discloses CVE-2025-21271 in Windows Cloud Files Mini Filter Driver
Microsoft published a Security Update Guide entry for CVE-2025-21271, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.
Microsoft discloses CVE-2024-30085 in Windows Cloud Files Mini Filter Driver
Microsoft published a Security Update Guide entry for CVE-2024-30085, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.
Microsoft discloses CVE-2023-36696 in Windows Cloud Files Mini Filter Driver
Microsoft published a Security Update Guide entry for CVE-2023-36696, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.
Microsoft discloses CVE-2023-28252 in Windows CLFS Driver
Microsoft published a Security Update Guide entry for CVE-2023-28252, another elevation of privilege vulnerability in the Windows Common Log File System Driver.
Microsoft discloses CVE-2023-23376 in Windows CLFS Driver
Microsoft published a Security Update Guide entry for CVE-2023-23376, an elevation of privilege vulnerability in the Windows Common Log File System Driver.
Sources
6 references tracked. Mallory keeps watching after this page renders.
CVE-2025-21271 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-30085 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-30085 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-36696 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
portal.msrc.microsoft.com
Open sourceCVE-2023-28252 - Security Update Guide - Microsoft - Windows Common Log File System Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-23376 - Security Update Guide - Microsoft - Windows Common Log File System Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Windows CLFS Elevation-of-Privilege Flaws Patched by Microsoft
Microsoft published security advisories for two **Windows Common Log File System (CLFS) Driver** elevation-of-privilege vulnerabilities, tracked as **`CVE-2022-37969`** and **`CVE-2023-36424`**. Both issues affect the CLFS component in Windows and could allow an attacker to gain higher privileges on a targeted system after successful exploitation. The advisories were released through Microsoft's Security Update Guide and indicate that the flaws were addressed in separate security updates. The repeated appearance of privilege-escalation bugs in the **CLFS driver** highlights a sensitive Windows kernel-area component that defenders should prioritize for patching and monitoring, especially on endpoints where local code execution could be chained into **SYSTEM-level** access.
Jun 23, 2026
Microsoft Patches Multiple Windows CLFS Driver Privilege Escalation Flaws
Microsoft disclosed and patched multiple **elevation-of-privilege vulnerabilities** in the **Windows Common Log File System (CLFS) Driver**, including `CVE-2026-40407`, `CVE-2025-62470`, and `CVE-2025-32713`. The most detailed advisory, for `CVE-2026-40407`, describes a **heap-based buffer overflow** (`CWE-122`) that allows a locally authenticated low-privilege attacker to escalate to **SYSTEM** without user interaction. Microsoft rated `CVE-2026-40407` as **Important** with a **CVSS 3.1 score of 7.8**, citing **high** impact to confidentiality, integrity, and availability. The company said the flaw had **not** been publicly disclosed and was **not** being exploited in the wild at the time of publication, assessed exploitation as unlikely, and released an official security update to remediate the issue; the related CLFS advisories indicate a continuing pattern of privilege-escalation risk in this Windows component.
May 25, 2026
Microsoft Patches Windows Privilege Escalation Flaws in CLFS Driver and Winlogon
Microsoft published security updates for multiple Windows local privilege escalation vulnerabilities, including **CVE-2024-49138** in the **Windows Common Log File System (CLFS) Driver** and **CVE-2024-30066** in **Winlogon**. Both issues could allow an attacker who already has access to a target system to elevate privileges, increasing the risk of full system compromise and follow-on activity such as credential theft, defense evasion, or lateral movement. The advisories were released through Microsoft's Security Update Guide and identify the affected components as core parts of Windows used for logging and authentication workflows. Organizations running Windows systems should prioritize applying the relevant Microsoft patches, validate remediation across endpoints and servers, and monitor for signs of post-compromise privilege escalation involving `clfs.sys`, Winlogon, or other abnormal attempts to obtain elevated execution on patched and unpatched hosts.
May 25, 2026