
Microsoft has released urgent security updates to address a zero-day vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that is currently being exploited in the wild.
Assigned the identifier CVE-2025-62221, this elevation of privilege flaw affects a wide range of Windows operating systems, from Windows 10 Version 1809 to the latest Windows 11 Version 25H2 and Windows Server 2025.
The vulnerability has been rated Important with a CVSS v3.1 base score of 7.8, and Microsoft’s advisory confirms that attackers are using functional exploit code to gain SYSTEM privileges on compromised machines.
The vulnerability is described as a Use-After-Free weakness within the Cloud Files Mini Filter Driver, a kernel component responsible for managing “placeholders” and synchronization for cloud storage services like OneDrive.
This driver enables the operating system to treat cloud-stored files as local entries without downloading their full content, hydrating them only on access.
The flaw allows a locally authenticated, low-privilege attacker to trigger a memory-corruption state, subsequently allowing them to execute arbitrary code with the highest system privileges.
Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) acknowledged the discovery, noting that while the attack complexity is low and requires no user interaction, the attacker must have established local access to the target machine.
Unlike remote code execution flaws, this vulnerability is likely being used as a second stage in attack chains, after adversaries have already gained a foothold and need to escalate privileges in order to persist or disable security controls.
Affected Versions and Security Updates
The following table outlines the affected Windows versions and the corresponding Knowledge Base (KB) articles released on December 9, 2025. Administrators should prioritize patching these systems immediately, given the confirmed active exploitation status.
| Product Family | Version / Edition | KB Article (Security Update) | Build Number |
|---|---|---|---|
| Windows 11 & Server 2025 | Version 25H2 (x64/ARM64) | KB5072033 / KB5072014 | 10.0.26200.7462 |
| | Version 24H2 (x64/ARM64) | KB5072033 / KB5072014 | 10.0.26100.7462 |
| | Version 23H2 (x64/ARM64) | KB5071417 | 10.0.22631.6345 |
| | Server 2025 (Core) | KB5072033 | 10.0.26100.7462 |
| Windows 10 | Version 22H2 (x64/ARM64/32-bit) | KB5071546 | 10.0.19045.6691 |
| | Version 21H2 (x64/ARM64/32-bit) | KB5071546 | 10.0.19044.6691 |
| | Version 1809 (x64/32-bit) | KB5071544 | 10.0.17763.8146 |
| Windows Server | Server 2022 (Standard & Core) | KB5071547 / KB5071413 | 10.0.20348.4529 |
| | Server 2022, 23H2 Edition | KB5071542 | 10.0.25398.2025 |
| | Server 2019 (Standard & Core) | KB5071544 | 10.0.17763.8146 |
This zero-day vulnerability presents a significant risk to organizations relying on Windows infrastructure, particularly given the confirmed exploitation in the wild.
The “Official Fix” remediation level indicates that standard security updates are sufficient to resolve the issue, and no temporary workarounds have been published.
Security teams should verify that the specific build numbers listed above are reflected on their endpoints after the update deployment to ensure successful mitigation.
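The build-number check described above can be scripted. The following PowerShell is an added example written for this article, not code from Microsoft or from the advisory: it reads the host's build and update build revision (UBR) from the registry, compares them against the patched builds in the table, and lists whether the corresponding KB appears in the installed-hotfix inventory. The minimum-build table is transcribed from the advisory table; the function name and output fields are this example's own choices, and the cldflt.sys file version is printed for reference only, since the article does not state a patched driver version.

```powershell
# Added example: verify a host against the patched builds for CVE-2025-62221.
# Keys are the CurrentBuildNumber values from the advisory table; Ubr is the
# minimum update build revision (the last component of "10.0.<build>.<ubr>").
$PatchedBuilds = @{
    '26200' = @{ Ubr = 7462; Kb = @('KB5072033', 'KB5072014'); Name = 'Windows 11 25H2' }
    '26100' = @{ Ubr = 7462; Kb = @('KB5072033', 'KB5072014'); Name = 'Windows 11 24H2 / Server 2025' }
    '22631' = @{ Ubr = 6345; Kb = @('KB5071417');              Name = 'Windows 11 23H2' }
    '19045' = @{ Ubr = 6691; Kb = @('KB5071546');              Name = 'Windows 10 22H2' }
    '19044' = @{ Ubr = 6691; Kb = @('KB5071546');              Name = 'Windows 10 21H2' }
    '17763' = @{ Ubr = 8146; Kb = @('KB5071544');              Name = 'Windows 10 1809 / Server 2019' }
    '20348' = @{ Ubr = 4529; Kb = @('KB5071547', 'KB5071413'); Name = 'Windows Server 2022' }
    '25398' = @{ Ubr = 2025; Kb = @('KB5071542');              Name = 'Windows Server 2022 23H2' }
}

# Hypothetical helper name chosen for this example.
function Test-Cve202562221Patch {
    $reg   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$reg.CurrentBuildNumber
    $ubr   = [int]$reg.UBR
    $full  = "10.0.$build.$ubr"

    # Driver version is reported for the record; no threshold is applied to it.
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $driverVer  = if (Test-Path $driverPath) {
        (Get-Item $driverPath).VersionInfo.FileVersion
    } else { 'not present' }

    if (-not $PatchedBuilds.ContainsKey($build)) {
        return [pscustomobject]@{
            Build        = $full
            Family       = 'Unknown (not in advisory table)'
            Status       = 'Unknown'
            KbInstalled  = $null
            CldfltDriver = $driverVer
        }
    }

    $entry = $PatchedBuilds[$build]

    # Secondary evidence: does the hotfix inventory list one of the expected KBs?
    $installedKbs = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
    $kbPresent    = @($entry.Kb | Where-Object { $installedKbs -contains $_ })

    # The UBR comparison is the authoritative test; a later cumulative update
    # supersedes the December KB and still carries a UBR at or above the minimum.
    $status = if ($ubr -ge $entry.Ubr) { 'Patched' } else { 'Vulnerable' }

    [pscustomobject]@{
        Build        = $full
        Family       = $entry.Name
        Status       = $status
        KbInstalled  = if ($kbPresent.Count -gt 0) { $kbPresent -join ', ' } else { 'none of ' + ($entry.Kb -join '/') }
        CldfltDriver = $driverVer
    }
}

# Usage: run in an elevated or standard shell; registry and hotfix reads need no admin rights.
Test-Cve202562221Patch | Format-List
```

A host whose UBR is at or above the table value is reported as Patched even when the named KB is absent from `Get-HotFix`, because later cumulative updates supersede it; a Vulnerable result with no listed KB is the case to act on. Run the function through your management tooling (for example as a remote script block) to build a fleet-wide view rather than checking endpoints one at a time.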
The absence of required user interaction makes this an attractive vector for automated malware and advanced persistent threats (APTs) operating within a network.
