Microsoft Patches Windows Cloud Files Mini Filter Driver Privilege Escalation Flaws
Microsoft disclosed CVE-2025-62221 and CVE-2025-62454, two elevation-of-privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver, and released security updates to address them. The company identified CVE-2025-62221 as an Important flaw caused by a use-after-free condition (CWE-416) that could allow a local attacker with low privileges to gain SYSTEM privileges without user interaction.
Microsoft assigned CVE-2025-62221 a CVSS v3.1 score of 7.8 and said exploitation had been detected in the wild at the time of disclosure, although the vulnerability had not been publicly disclosed beforehand. Advisory listings for CVE-2025-62454 also classify it as a Windows Cloud Files Mini Filter Driver elevation-of-privilege issue, indicating multiple privilege-escalation weaknesses in the same Windows component were addressed in the release.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes CVE-2025-62454 advisory entry
Microsoft also published Security Update Guide entries for CVE-2025-62454, another Windows Cloud Files Mini Filter Driver elevation-of-privilege vulnerability. The provided references do not include technical details beyond the advisory publication itself.
Microsoft discloses and patches CVE-2025-62221
Microsoft published an advisory for CVE-2025-62221, an Important Windows Cloud Files Mini Filter Driver elevation-of-privilege vulnerability caused by a use-after-free flaw. The company said the bug could be exploited locally by a low-privileged attacker to gain SYSTEM privileges, noted exploitation in the wild, and made a fix available.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2025-62221 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-62221 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-62454 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-62454 - Security Update Guide - Microsoft - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Windows Cloud Files Mini Filter Driver Privilege Escalation Vulnerability (CVE-2025-62221)
Microsoft released a security update in December 2025 addressing a critical privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver, tracked as CVE-2025-62221. This flaw allows authenticated local attackers to elevate privileges to SYSTEM by exploiting a use-after-free condition in the kernel driver, which arises when the driver fails to reset a pointer after releasing a kernel object. The vulnerability has a CVSS score of 7.8 and has been actively exploited in the wild, prompting urgent patching recommendations from security researchers and vendors. The December 2025 Patch Tuesday included fixes for 57 vulnerabilities across Microsoft products, but CVE-2025-62221 was highlighted as one of the most severe due to its exploitation status and potential impact on enterprise environments. Security advisories emphasized the need for immediate patching, as the vulnerability was included in CISA's Known Exploited Vulnerabilities catalog and listed among the most exploited vulnerabilities of the year. Organizations are urged to apply the update promptly to mitigate the risk of privilege escalation attacks leveraging this flaw.
Mar 21, 2026
Microsoft Patches Multiple Windows Use-After-Free Privilege Escalation Flaws
Microsoft released fixes for several **Windows elevation-of-privilege vulnerabilities** affecting **Win32k**, **Windows Telephony Service**, **Desktop Window Manager**, and the **Windows Cloud Files Mini Filter Driver**. The disclosed flaws include `CVE-2026-34347`, `CVE-2026-42825`, `CVE-2026-27923`, and `CVE-2026-35418`, and are all tied to **use-after-free** conditions, with some cases also involving race conditions such as time-of-check time-of-use behavior. Microsoft said successful exploitation could let a locally authenticated attacker with low privileges gain **SYSTEM** access without user interaction. The vulnerabilities were rated **Important** with **CVSS 3.1 scores ranging from 7.0 to 7.8**, and Microsoft assessed exploitation as **less likely or unlikely** because several attacks require winning a race condition. At the time of disclosure, Microsoft reported **no public disclosure and no evidence of active exploitation** for the documented 2026 flaws, and stated that official security updates were available. Additional Microsoft advisories also reference related Windows and Microsoft Brokering File System elevation-of-privilege issues, including `CVE-2026-24285`, `CVE-2025-32712`, `CVE-2025-21372`, `CVE-2025-21315`, and `CVE-2025-59189`, though public technical details for those entries were limited.
May 25, 2026
Windows Privilege Escalation Flaws Hit CLFS and Cloud Files Drivers
Microsoft disclosed multiple Windows local privilege escalation vulnerabilities affecting kernel-level drivers, including **Windows Common Log File System (CLFS) Driver** flaws tracked as `CVE-2023-23376` and `CVE-2023-28252`, as well as a **Windows Cloud Files Mini Filter Driver** flaw tracked as `CVE-2025-62454`. All three issues were classified as **Elevation of Privilege** vulnerabilities in Microsoft's Security Update Guide. The advisories indicate that successful exploitation could allow an attacker who already has access to a target system to gain higher privileges through vulnerable Windows driver components. The affected bugs span separate Windows subsystems but share the same core risk: attackers can abuse low-level driver weaknesses to move from limited access toward more powerful control over compromised machines, reinforcing the need to prioritize Microsoft security updates for Windows kernel and file-system-related components.
May 25, 2026