CVE ID

CVE-2025-62221

Published 2025-12-09
Updated 5 months ago
Vendor/s
Microsoft
Product/s
Windows
Version/s
* > 10.0.17763.8146
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
7.8 / 10 (High)
Severity Details
Base score
7.8 High
Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2025-62221 is a high-severity privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver, currently under active exploitation.

CPE

Microsoft
Product                   Version Start   Version End (excl.)   Status
windows_10_1809           *               10.0.17763.8146       vulnerable
windows_10_21h2           *               10.0.19044.6691       vulnerable
windows_10_22h2           *               10.0.19045.6691       vulnerable
windows_11_23h2           *               10.0.22631.6345       vulnerable
windows_11_24h2           *               10.0.26100.7392       vulnerable
windows_11_25h2           *               10.0.26200.7392       vulnerable
windows_server_2019       *               10.0.17763.8146       vulnerable
windows_server_2022       *               10.0.20348.4467       vulnerable
windows_server_2022_23h2  *               10.0.25398.2025       vulnerable
windows_server_2025       *               10.0.26100.7392       vulnerable

Related weakness (CWE)

CWE-416 (Use After Free)

Remediation plan

1. Apply official patches

Download and install the latest security updates from Microsoft, specifically the January 2025 (or later) cumulative update cycle, which patches the cldflt.sys driver.

2. Update affected systems

Ensure Windows 10, Windows 11, and Windows Server systems are updated to versions exceeding the vulnerable builds, for example build 10.0.19045.6691 for Windows 10 22H2 or 10.0.26100.7392 for Windows 11 24H2.

3. Restrict access

Limit local interactive login privileges to essential personnel only. Since this vulnerability requires local access, enforcing the principle of least privilege (PoLP) significantly reduces the available attack surface.

4. Monitor for exploitation

Use Endpoint Detection and Response (EDR) tooling to monitor for suspicious process creation associated with the Cloud Files Mini Filter Driver (cldflt.sys) and to track unauthorized attempts to escalate to SYSTEM privileges.
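The following PowerShell check is an added example, not part of this CVE record: it reads the installed build from the registry and compares it with the "Version End (excl.)" builds in the CPE table above, so step 2 of the remediation plan can be verified per host. It assumes the standard CurrentBuild and UBR registry values reflect the installed cumulative update, and reports "unknown" for builds the table does not cover.

```powershell
# Added example (not from the CVE record). Fixed builds are the "Version End
# (excl.)" values from the CPE table: a host is flagged vulnerable when its
# build is below the listed build for its base build number.
$FixedBuilds = @{
    17763 = '10.0.17763.8146'  # Windows 10 1809 / Windows Server 2019
    19044 = '10.0.19044.6691'  # Windows 10 21H2
    19045 = '10.0.19045.6691'  # Windows 10 22H2
    20348 = '10.0.20348.4467'  # Windows Server 2022
    22631 = '10.0.22631.6345'  # Windows 11 23H2
    25398 = '10.0.25398.2025'  # Windows Server 2022 23H2
    26100 = '10.0.26100.7392'  # Windows 11 24H2 / Windows Server 2025
    26200 = '10.0.26200.7392'  # Windows 11 25H2
}

function Get-CurrentOsBuild {
    # CurrentBuild is the base build; UBR is the cumulative-update revision
    # (assumption: these registry values match the installed update level).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]("10.0.$($cv.CurrentBuild).$($cv.UBR)")
}

function Test-Cve202562221 {
    param([version]$Build = (Get-CurrentOsBuild))
    $fixed = $FixedBuilds[$Build.Build]
    if (-not $fixed) {
        # Base build not in the CPE table: cannot decide from this record alone.
        return [pscustomobject]@{ Build = $Build; Status = 'unknown'; FixedBuild = $null }
    }
    $status = if ($Build -lt [version]$fixed) { 'vulnerable' } else { 'patched' }
    [pscustomobject]@{ Build = $Build; Status = $status; FixedBuild = [version]$fixed }
}

# Local host check, plus two constructed builds to show both outcomes.
Test-Cve202562221
Test-Cve202562221 -Build '10.0.19045.6000'   # below the 22H2 fixed build -> vulnerable
Test-Cve202562221 -Build '10.0.26100.7392'   # equal to the 24H2 fixed build -> patched
```

Run the script inside an Invoke-Command session to cover a fleet; the object output pipes directly into Export-Csv for reporting.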

Detection Guidance

Detecting exploitation of CVE-2025-62221 involves monitoring for system instability or crashes related to the cldflt.sys driver, often logged as bug checks 0x3B or 0x9E. Security teams should use EDR tools to hunt for unusual memory manipulation patterns or processes spawned by standard users that suddenly exhibit SYSTEM-level permissions. Watch for unauthorized calls to the Cloud Files API that deviate from normal cloud-sync application behavior.

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
