Microsoft has released security updates for a zero-day vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that is being actively exploited.
Tracked as CVE-2025-62221, the elevation-of-privilege flaw affects Windows releases from Windows 10 Version 1809 through the current Windows 11 Version 25H2 and Windows Server 2025.
Microsoft rates the flaw Important with a CVSS v3.1 base score of 7.8. The advisory lists exploit code maturity as Functional and confirms that exploitation has been detected, with successful attacks yielding SYSTEM privileges on affected systems.
The bug is a use-after-free in the Cloud Files Mini Filter Driver, a kernel-mode file system filter that manages placeholder files and synchronization for cloud storage providers such as OneDrive.
Placeholders let the operating system present cloud-backed files as if they were local without keeping their full content on disk; the driver fetches a file's data only when something opens it.
A locally authenticated, low-privileged attacker can trigger the use-after-free and turn the resulting kernel memory corruption into arbitrary code execution with SYSTEM privileges.
Microsoft credits the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) with the discovery. The attack is low complexity and needs no user interaction, but the attacker must already be able to run code on the target system.
Unlike a remote code execution bug, this flaw is most likely used as a later stage of an intrusion: an adversary who already has initial access uses it to escalate privileges, establish persistence, or disable security tooling.
Affected Versions and Security Updates
The table below lists the affected Windows versions with the Knowledge Base (KB) articles for the security updates released on December 9, 2025, and the OS build each update produces. Given the confirmed in-the-wild exploitation, administrators should treat these updates as priority installs.
| Product Family | Version / Edition | KB Article (Security Update) | OS Build After Update |
|---|---|---|---|
| Windows 11 | Version 25H2 (x64/ARM64) | KB5072033 / KB5072014 | 10.0.26200.7462 |
| Windows 11 | Version 24H2 (x64/ARM64) | KB5072033 / KB5072014 | 10.0.26100.7462 |
| Windows 11 | Version 23H2 (x64/ARM64) | KB5071417 | 10.0.22631.6345 |
| Windows Server | Server 2025 (Core) | KB5072033 | 10.0.26100.7462 |
| Windows 10 | Version 22H2 (x64/ARM64/32-bit) | KB5071546 | 10.0.19045.6691 |
| Windows 10 | Version 21H2 (x64/ARM64/32-bit) | KB5071546 | 10.0.19044.6691 |
| Windows 10 | Version 1809 (x64/32-bit) | KB5071544 | 10.0.17763.8146 |
| Windows Server | Server 2022 (Standard & Core) | KB5071547 / KB5071413 | 10.0.20348.4529 |
| Windows Server | Server 2022, 23H2 Edition | KB5071542 | 10.0.25398.2025 |
| Windows Server | Server 2019 (Standard & Core) | KB5071544 | 10.0.17763.8146 |
This zero-day poses a considerable risk to organizations that run Windows, particularly because exploitation in the wild is already confirmed.
The advisory's CVSS remediation level is "Official Fix": the standard security update fully addresses the issue, and Microsoft has published no workarounds or alternative mitigations.
After deploying the updates, security teams should verify that endpoints actually report the OS build numbers listed above (or a later cumulative build, which supersedes them) rather than relying solely on the deployment tool's success status.
Because exploitation requires no user interaction, the flaw is an attractive primitive for automated malware and for advanced persistent threat (APT) actors already operating inside a network.
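As an added example (not from the original article and not Microsoft tooling), the following PowerShell script performs that post-patch check on a local host. It reads the build and update build revision (UBR) from the standard `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion` registry key, compares them against a build-to-KB mapping copied from the table above, and reports whether the host is at or beyond the fixed build. The mapping is an assumption taken from this page and should be re-verified against Microsoft's advisory before use; the `Get-HotFix` lookup and the `cldflt.sys` file version are included only as supporting evidence, since the UBR comparison is the authoritative test.

```powershell
# Added example: verify that a Windows host carries the December 9, 2025 update
# that fixes CVE-2025-62221. Not Microsoft code. The build/UBR/KB mapping below
# is copied from the article's table (an assumption; re-check it against MSRC).
$Expected = @{
    '26200' = @{ UBR = 7462; KB = @('KB5072033', 'KB5072014') } # Windows 11 25H2
    '26100' = @{ UBR = 7462; KB = @('KB5072033', 'KB5072014') } # Windows 11 24H2 / Server 2025
    '22631' = @{ UBR = 6345; KB = @('KB5071417') }              # Windows 11 23H2
    '19045' = @{ UBR = 6691; KB = @('KB5071546') }              # Windows 10 22H2
    '19044' = @{ UBR = 6691; KB = @('KB5071546') }              # Windows 10 21H2
    '17763' = @{ UBR = 8146; KB = @('KB5071544') }              # Windows 10 1809 / Server 2019
    '20348' = @{ UBR = 4529; KB = @('KB5071547', 'KB5071413') } # Windows Server 2022
    '25398' = @{ UBR = 2025; KB = @('KB5071542') }              # Windows Server 2022, 23H2 Edition
}

function Test-Cve202562221Patched {
    # CurrentBuildNumber and UBR together form the "OS Build" shown in the KB
    # articles (10.0.<build>.<UBR>). A UBR at or above the fixed one means the
    # fixing cumulative update, or a later one that supersedes it, is installed.
    $cv      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [string]$cv.CurrentBuildNumber
    $ubr     = [int]$cv.UBR
    $osBuild = "10.0.$build.$ubr"

    if (-not $Expected.ContainsKey($build)) {
        # Build not in the article's table: either unaffected, unsupported, or the
        # table is incomplete. Report it rather than silently calling it patched.
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME; OSBuild = $osBuild
            RequiredUBR  = $null; Status = 'UnknownBuild'; KBFound = $null
        }
    }

    $want = $Expected[$build]
    # Get-HotFix reads Win32_QuickFixEngineering; cumulative updates normally
    # appear here, but treat it as corroboration, not the deciding check.
    $kbFound = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $want.KB -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = $osBuild
        RequiredUBR  = $want.UBR
        Status       = if ($ubr -ge $want.UBR) { 'Patched' } else { 'Vulnerable' }
        KBFound      = ($kbFound -join ', ')
    }
}

function Get-CldfltDriverInfo {
    # The fixed driver ships inside the cumulative update; recording the file
    # version of cldflt.sys gives a second artifact to keep with the evidence.
    $path = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    if (-not (Test-Path -Path $path)) { return $null }
    $vi = (Get-Item -Path $path).VersionInfo
    [pscustomobject]@{ Path = $path; FileVersion = $vi.FileVersion; ProductVersion = $vi.ProductVersion }
}

Test-Cve202562221Patched | Format-List
Get-CldfltDriverInfo     | Format-List
```

Run it locally after the update and a reboot; for a fleet, wrap the two function calls in `Invoke-Command -ComputerName <list>` and export the objects to CSV so the evidence can be kept with the patch ticket. A `UnknownBuild` result should be investigated, not ignored, because it means the host's build is not one the table accounts for.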