Critical Windows Cloud Files Mini Filter Vulnerability Exploited in Active Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical zero-day vulnerability in the Windows Cloud Files Mini Filter Driver, identified as CVE-2025-62221. This flaw is actively being exploited in the wild, posing a significant risk to organizations utilizing affected Windows systems.
Understanding CVE-2025-62221
CVE-2025-62221 is a use-after-free vulnerability within the Windows Cloud Files Mini Filter Driver (cldflt.sys). This driver is integral to managing cloud-stored files, enabling the operating system to handle them as local entries without downloading their full content until accessed. The vulnerability allows locally authenticated attackers to escalate their privileges to SYSTEM level by exploiting memory corruption, thereby gaining complete control over the compromised system.
Affected Systems
The vulnerability impacts a broad spectrum of Windows operating systems, including:
– Windows 10 Version 1809
– Windows 11 Version 25H2
– Windows Server 2025
Given the widespread use of these systems, the potential attack surface is extensive, making immediate remediation efforts crucial.
Severity and Exploitation
Microsoft has assigned a CVSS v3.1 base score of 7.8 to this vulnerability, categorizing it as Important. The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) have confirmed that functional exploit code is being used in active attacks to gain SYSTEM privileges on affected machines. The attack complexity is low, requiring no user interaction, but does necessitate local access to the target system. This suggests that the vulnerability is likely being exploited as a secondary stage in attack chains, where adversaries have already established a foothold and seek to escalate their privileges to persist or disable security controls.
Technical Details
The use-after-free vulnerability in the Cloud Files Mini Filter Driver arises from improper handling of memory during file operations. Specifically, the flaw exists in the call chain: HsmFltProcessHSMControl → HsmFltProcessCreatePlaceholders → HsmpOpCreatePlaceholders. Attackers can exploit this by triggering a memory corruption state, allowing them to execute arbitrary code with elevated privileges. This exploitation technique requires multiple coordinated steps, including:
1. Starting the Remote Access Service (rasman) and creating a cloud file sync root using the Cloud Files API.
2. Connecting to the Cloud Files Filter driver through DeviceIoControl calls and establishing a communication port with the filter manager.
3. Creating a thread that continuously modifies a path string in kernel memory, changing it from an innocent filename to a symbolic link pointing to system directories like C:\Windows\System32.
4. Exploiting the race condition window between the security check and file creation to create files with elevated kernel-mode access privileges, bypassing standard access controls.
By writing malicious DLLs into protected system directories and leveraging RPC calls to force privileged services to load the compromised library, attackers can achieve complete system compromise.
CISA’s Recommendations
In response to the active exploitation of CVE-2025-62221, CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog as of December 9, 2025, with a mandatory remediation deadline of December 30, 2025. CISA emphasizes the urgency of addressing this vulnerability due to its active exploitation and the potential for complete system compromise.
Mitigation Strategies
To protect systems from potential exploitation, organizations should:
1. Apply Security Updates: Microsoft has released security patches addressing CVE-2025-62221. Organizations should prioritize deploying these updates across all affected systems to mitigate the vulnerability.
2. Verify Patch Deployment: After applying the updates, ensure that the specific build numbers listed in Microsoft’s advisory are reflected on all endpoints to confirm successful mitigation.
3. Monitor for Unusual Activity: Enhance monitoring for signs of privilege escalation attempts and suspicious process behavior on Windows systems.
4. Limit Local Access: Restrict local access to systems to authorized personnel only, reducing the risk of exploitation by limiting potential attack vectors.
5. Educate Users: Train users on recognizing phishing attempts and other social engineering tactics that attackers might use to gain initial access to systems.
Conclusion
The active exploitation of CVE-2025-62221 underscores the critical importance of timely patch management and vigilant monitoring of system activities. Organizations must act swiftly to apply the necessary security updates and implement robust security measures to protect their infrastructure from potential attacks leveraging this vulnerability.
