Microsoft has urgently released security updates to address a critical zero-day vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys), identified as CVE-2025-62221. This elevation of privilege flaw is actively exploited in the wild, affecting a broad spectrum of Windows operating systems, from Windows 10 Version 1809 to the latest Windows 11 Version 25H2 and Windows Server 2025.
Understanding the Vulnerability
CVE-2025-62221 is classified as a Use-After-Free vulnerability within the Cloud Files Mini Filter Driver, a kernel component integral to managing placeholders and synchronization for cloud storage services like OneDrive. This driver enables the operating system to treat cloud-stored files as local entries without downloading their full content, hydrating them only upon access.
The flaw allows a locally authenticated, low-privilege attacker to trigger a memory corruption state, subsequently enabling the execution of arbitrary code with the highest system privileges. Microsoft’s advisory confirms that attackers are utilizing functional exploit code to gain SYSTEM privileges on compromised machines.
Scope of Impact
The vulnerability affects a wide range of Windows versions, including:
– Windows 11 & Server 2025 (Versions 25H2, 24H2, 23H2)
– Windows 10 (Versions 22H2, 21H2, 1809)
– Windows Server (2022 Standard & Core, 2022 23H2 Edition, 2019 Standard & Core)
Given the confirmed active exploitation status, administrators are urged to prioritize patching these systems immediately.
Technical Details
The vulnerability resides in the Cloud Files Mini Filter Driver’s handling of file path validation during placeholder file creation operations. Specifically, the flaw exists in the call chain: HsmFltProcessHSMControl → HsmFltProcessCreatePlaceholders → HsmpOpCreatePlaceholders.
Microsoft previously patched a similar file write vulnerability reported by Project Zero in 2020. However, the current implementation contains a critical logical flaw. While Microsoft added code to prevent backslash (\) and colon (:) characters in file paths to block symbolic link attacks, the validation check can be bypassed through a Time-of-Check Time-of-Use (TOCTOU) race condition.
Attackers can modify the path string in kernel memory between the validation check and the actual file operation, allowing malicious paths to pass through security controls.
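The check-then-use pattern described above, as an added illustration that is not the driver's code: a validator that rejects backslash and colon, a function that checks a caller-writable buffer and then re-reads it, and the hardened form that captures the buffer once and validates only the captured copy. The `race_hook` callback and the `demo_*` functions are assumptions of this example, a deterministic stand-in for the concurrent writer thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define PATH_MAX_LEN 260

/* The two characters the article says the driver rejects in placeholder
 * names; the validator itself is fine, the problem is what it validates. */
bool path_is_safe(const char *p) {
    for (; *p; p++)
        if (*p == '\\' || *p == ':') return false;
    return true;
}

/* Deterministic stand-in for the attacker's second thread: the hook, if set,
 * rewrites the caller-controlled buffer between the check and the use. */
typedef void (*race_hook)(char *shared);

/* Vulnerable pattern: check the shared buffer, then fetch it again for use. */
bool create_placeholder_unsafe(char *shared, race_hook race, char *out, size_t outlen) {
    if (!path_is_safe(shared)) return false;      /* time of check */
    if (race) race(shared);                         /* race window */
    snprintf(out, outlen, "%s", shared);            /* time of use: 2nd fetch */
    return true;
}

/* Hardened pattern: fetch once into memory the caller cannot reach, then
 * check and use only that copy. The hook still runs but changes nothing. */
bool create_placeholder_safe(char *shared, race_hook race, char *out, size_t outlen) {
    char local[PATH_MAX_LEN];
    snprintf(local, sizeof local, "%s", shared);    /* single fetch */
    if (!path_is_safe(local)) return false;         /* check the copy */
    if (race) race(shared);                         /* attacker edits too late */
    snprintf(out, outlen, "%s", local);             /* use the same copy */
    return true;
}

/* Constructed writer: swaps the benign name for one containing ':'. */
static void swap_name(char *shared) { strcpy(shared, "name:stream"); }

/* True when the unsafe path ends up acting on bytes it never validated. */
bool demo_unsafe_bypassed(void) {
    char shared[PATH_MAX_LEN] = "report.txt", out[PATH_MAX_LEN];
    return create_placeholder_unsafe(shared, swap_name, out, sizeof out)
        && strchr(out, ':') != NULL;
}

/* True when the hardened path acts only on the validated snapshot. */
bool demo_safe_holds(void) {
    char shared[PATH_MAX_LEN] = "report.txt", out[PATH_MAX_LEN];
    return create_placeholder_safe(shared, swap_name, out, sizeof out)
        && strcmp(out, "report.txt") == 0;
}
```

In a Windows driver the single fetch corresponds to capturing the user-supplied buffer into kernel memory (probing it under __try) before any validation, after which every reference must use the captured copy.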
Exploitation Mechanism
The exploitation technique requires multiple coordinated steps:
1. Initiate Remote Access Service: Attackers start the Remote Access Service (rasman) and create a cloud file sync root using the Cloud Files API.
2. Connect to Cloud Files Filter Driver: They connect to the Cloud Files Filter driver through DeviceIoControl calls and establish a communication port with the filter manager.
3. Modify Path String in Kernel Memory: The attacker creates a thread that continuously modifies a path string in kernel memory, changing it from an innocent filename to a symbolic link pointing to system directories like C:\Windows\System32.
4. Exploit Race Condition: While one thread performs file-creation operations, another thread rapidly modifies the memory location, exploiting the race condition window between the security check and file creation.
When the timing aligns perfectly, the driver creates files with elevated kernel-mode access privileges, bypassing standard access controls. Attackers weaponize this by writing malicious DLLs, such as rasmxs.dll, into protected system directories. Leveraging RPC calls to force privileged services to load the compromised library results in complete system compromise.
Mitigation and Recommendations
Microsoft has released security updates to address this vulnerability. Administrators should apply the following patches corresponding to their Windows versions:
– Windows 11 & Server 2025:
– Version 25H2 (x64/ARM64): KB5072033 / KB5072014
– Version 24H2 (x64/ARM64): KB5072033 / KB5072014
– Version 23H2 (x64/ARM64): KB5071417
– Server 2025 (Core): KB5072033
– Windows 10:
– Version 22H2 (x64/ARM64/32-bit): KB5071546
– Version 21H2 (x64/ARM64/32-bit): KB5071546
– Version 1809 (x64/32-bit): KB5071544
– Windows Server:
– Server 2022 (Standard & Core): KB5071547 / KB5071413
– Server 2022, 23H2 Edition: KB5071542
– Server 2019 (Standard & Core): KB5071544
Security teams should verify that the specific build numbers are reflected on their endpoints after the update deployment to ensure successful mitigation.
Broader Implications
This zero-day vulnerability presents a significant risk to organizations relying on Windows infrastructure, particularly given the confirmed exploitation in the wild. The absence of required user interaction makes this an attractive vector for automated malware and advanced persistent threats (APTs) operating within a network.
The Official Fix remediation level indicates that standard security updates are sufficient to resolve the issue, and no temporary workarounds have been published.
Conclusion
The discovery and active exploitation of CVE-2025-62221 underscore the critical importance of timely patch management and vigilant security practices. Organizations must prioritize applying the latest security updates to protect their systems from potential compromise.