Windows Cloud Files Mini Filter Driver Use-After-Free Privilege Escalation
CVE-2025-62221 is an elevation-of-privilege vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys). Microsoft describes the flaw as a use-after-free condition in this driver that can be exploited by an authorized attacker locally. Successful exploitation allows the attacker to elevate privileges from a low-privileged context to SYSTEM. Public reporting indicates the vulnerable component is broadly present on supported Windows systems, including Windows 10 and later, because the Cloud Files minifilter is part of the OS and not dependent on third-party sync clients being installed. Microsoft reported exploitation in the wild at disclosure, but did not publish technical details of the triggering code path or exploit method.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository purpose: a lab/demo PoC that *simulates* a Windows cldflt.sys use-after-free (CVE-2025-62221 per README) using a Python TCP server and staged Python clients. Despite the Windows-kernel narrative, the actual code implements a userland vulnerable object lifecycle and demonstrates a control-flow hijack leading to command execution on the server.

Core exploit capability (as implemented):
- Network-driven UAF simulation: the client causes the server to keep a dangling reference to a freed object, then reuses that object's memory/state to load attacker data (malware.json) and overwrite a function-pointer-like handler.
- Remote command execution on the server: in server.py, once the handler is overwritten to malicious_handler, the final trigger executes os.popen(self.command) and returns the output to the client.

Protocol / exploitation flow (server.py + the 1..6 scripts):
1) action=upload: creates a FileObject, stores it in FILES, and sets the global DANGLING_REF to the object.
2) action=delete: deletes FILES[name], but DANGLING_REF still points to the freed object (simulated UAF).
3) action=dangling: confirms the dangling reference exists.
4) action=upload_malware: repurposes DANGLING_REF fields (name, command) by reading malware.json.
5) action=overwrite: sets DANGLING_REF.handler = DANGLING_REF.malicious_handler (control-flow hijack).
6) action=execute: calls DANGLING_REF.handler(), executing the command and returning the output.

Alternative implementation (cloud.py + user.py):
- cloud.py implements a slightly different JSON API with per-upload UUID refs and the actions upload/delete/upload_malware/access. It simulates heap reuse by inserting a crafted FileContext into cldflt.heap[ref] after the free.
- user.py is an automated client for cloud.py: it uploads, deletes, uploads malware using the stale ref, then triggers access to execute the malicious handler (simulated execution string in cloud.py; real execution occurs only in server.py).

Repository structure highlights:
- server.py: primary vulnerable service; contains the only real command execution sink (os.popen).
- cloud.py: alternate simulated cldflt.sys service (more explicit heap/ref model) that only prints a simulated execution.
- user.py: automated exploit client for cloud.py.
- 1_AllocatedFileObject.py .. 6_MaliciousHandlerExecuted.py: staged client scripts for server.py demonstrating each exploitation phase.
- topo.py: Mininet topology builder (cloud 10.0.0.1, user 10.0.0.2) intended to run the lab.
- malware.json: payload command (default: cat /etc/passwd).
- README.md: detailed narrative mapping the simulation to a kernel UAF/token-stealing storyline; includes run instructions and a demo link.

Notable inconsistencies / observations:
- The README references run_all.py and 1.py..6.py, but the repository listing shows 1_AllocatedFileObject.py..6_MaliciousHandlerExecuted.py and no run_all.py.
- topo.py attempts to run "python3 server/server.py &", but server.py appears at the repo root in the provided listing.
- The CVE/kernel exploitation described is not implemented as a real Windows kernel exploit here; the code is a networked simulation of UAF concepts.
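The six-step lifecycle the repository simulates, reduced to a self-contained model, as an added example that is neither the repository's code nor Mallory's: a store that keeps a cached reference after delete (the DANGLING_REF pattern described above) is driven through the same upload/delete/upload_malware/overwrite/execute flow next to a store that marks the object dead and drops the cached reference at free time, which is the check that stops the handler swap. Class and function names (FileObject, VulnerableStore, HardenedStore, StaleReferenceError, run_flow) and the payload dictionary are assumptions constructed for this example; no command is executed, the "malicious" handler only returns a marker string.

```python
"""Toy model of the dangling-reference lifecycle from the PoC description.

Added example, not the repository's code. Models the flow
upload -> delete -> upload_malware -> overwrite -> execute against two stores:
one that keeps a stale reference after delete, one that invalidates it.
The malicious handler returns a marker string instead of running anything.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed stand-in for malware.json; the command is never executed here.
PAYLOAD = {"name": "malware.json", "command": "echo constructed-sample"}


class StaleReferenceError(RuntimeError):
    """Raised by the hardened store when a freed object is reached."""


@dataclass
class FileObject:
    name: str
    command: str = ""
    freed: bool = False                       # liveness flag used by the hardened store
    handler: Optional[Callable[["FileObject"], str]] = None

    def __post_init__(self):
        if self.handler is None:
            self.handler = FileObject.benign_handler

    def benign_handler(self) -> str:
        return f"read {self.name}"

    def malicious_handler(self) -> str:
        # Stand-in for the PoC's os.popen(self.command): only reports what would run.
        return f"HIJACKED would-run={self.command!r}"


class VulnerableStore:
    """Mirrors the FILES table plus a global DANGLING_REF that outlives the entry."""

    def __init__(self):
        self.files: Dict[str, FileObject] = {}
        self.dangling_ref: Optional[FileObject] = None

    def upload(self, name: str) -> FileObject:
        obj = FileObject(name)
        self.files[name] = obj
        self.dangling_ref = obj               # cached reference, never invalidated
        return obj

    def delete(self, name: str) -> None:
        del self.files[name]                  # "free" without clearing dangling_ref

    def upload_malware(self, payload: dict) -> None:
        ref = self.dangling_ref               # stale object reused as attacker storage
        ref.name = payload["name"]
        ref.command = payload["command"]

    def overwrite(self) -> None:
        self.dangling_ref.handler = FileObject.malicious_handler   # control-flow hijack

    def execute(self) -> str:
        return self.dangling_ref.handler(self.dangling_ref)


class HardenedStore(VulnerableStore):
    """Same API; a freed object is poisoned and the cached reference dropped at free time."""

    def _live(self) -> FileObject:
        ref = self.dangling_ref
        if ref is None or ref.freed:
            raise StaleReferenceError("reference to freed object rejected")
        return ref

    def delete(self, name: str) -> None:
        obj = self.files.pop(name)
        obj.freed = True                      # any reference still held becomes detectable
        if self.dangling_ref is obj:
            self.dangling_ref = None          # the kernel analogue: release the reference on free

    def upload_malware(self, payload: dict) -> None:
        ref = self._live()
        ref.name = payload["name"]
        ref.command = payload["command"]

    def overwrite(self) -> None:
        self._live().handler = FileObject.malicious_handler

    def execute(self) -> str:
        ref = self._live()
        return ref.handler(ref)


def run_flow(store: VulnerableStore) -> str:
    """Drive the full flow and return what the final execute step produced."""
    store.upload("report.txt")
    store.delete("report.txt")
    try:
        store.upload_malware(PAYLOAD)
        store.overwrite()
        return store.execute()
    except StaleReferenceError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print("vulnerable:", run_flow(VulnerableStore()))   # HIJACKED would-run='echo constructed-sample'
    print("hardened:  ", run_flow(HardenedStore()))     # blocked: reference to freed object rejected
```

The hardened store makes the fix explicit in the way the kernel does it: the reference is released when the object is freed, and every later use goes through a liveness check, so the attacker-controlled reuse step fails before the handler can be swapped.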
Recent activity
87 sources tracked across advisories, community write-ups, and news.
A privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver component that Microsoft patched in December 2025 and said was exploited by unknown threat actors.
An exploited-in-the-wild elevation-of-privilege vulnerability in the Windows Cloud Files Mini Filter Driver involving parsing of user-controlled reparse point metadata, enabling privileged file operations such as overwriting protected system files.
An elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver reported as exploited and included in CISA KEV.
A use-after-free vulnerability in the Windows cloud files mini filter driver, actively exploited to escalate privileges to SYSTEM after initial code execution. Easy to exploit with low skill requirements.