CVE-2025-62221 — Microsoft Windows Use After Free Vulnerability

CVE-2025-62221

Windows Cloud Files Mini Filter Driver (cldflt.sys) — UAF Local Privilege Escalation; December 2025 Patch Tuesday Zero-Day

What is the Windows Cloud Files Mini Filter Driver?

The Windows Cloud Files Mini Filter Driver (cldflt.sys) is a kernel-mode driver that manages the OneDrive cloud sync layer for Windows. It implements Windows' Cloud Files API — the abstraction layer that allows cloud storage providers (OneDrive, Dropbox, Box, etc.) to present cloud-hosted files as local "placeholder" files in Windows Explorer. When a user opens a placeholder file, cldflt.sys coordinates with the sync provider to download the actual file contents on demand.

As a kernel-mode mini filter driver, cldflt.sys operates with full kernel privileges and processes complex userland-initiated I/O requests — making it an attack surface for kernel-level vulnerabilities reachable from unprivileged user processes.

Overview

CVE-2025-62221 is a use-after-free (CWE-416) in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that allows a locally authenticated low-privilege attacker to escalate to SYSTEM. It was disclosed as a zero-day in the December 2025 Patch Tuesday, with CISA adding it to the KEV catalog the same day — indicating active exploitation before the patch was released. The Low attack complexity (AC:L) makes this a straightforward and reliable local privilege escalation.

Affected Versions

Product                                      Vulnerable                               Fixed
Windows 10 / 11 (with Cloud Files support)   Before December 2025 cumulative update   December 2025 cumulative update
Windows Server 2019–2025                     Before December 2025 cumulative update   December 2025 cumulative update

Note: Systems where OneDrive/Cloud Files sync is disabled may still have cldflt.sys loaded. The driver is present in all modern Windows installations.

Technical Details

The use-after-free (CWE-416) occurs in cldflt.sys during the processing of cloud file placeholder I/O operations. When a user-space process initiates operations on a cloud file placeholder (e.g., opening, reading, or querying metadata), cldflt.sys allocates kernel objects to represent the operation. A race or ordering error allows this kernel object to be freed while a reference to it remains in another data structure that is subsequently accessed.

The attacker triggers the UAF by carefully sequencing operations on cloud file placeholder files — reachable via normal Win32 file API calls from any user-level process. By controlling the heap layout (heap grooming), the attacker ensures their controlled data occupies the freed memory region. When the stale pointer is dereferenced, the kernel processes attacker-controlled data, enabling overwrite of security-sensitive kernel structures (process token privileges) to achieve SYSTEM-level access.

Discovery

Exploited as a zero-day before December 9, 2025. Reporter attribution not publicly disclosed.

Exploitation Context

Microsoft confirmed zero-day exploitation and disclosed simultaneously with the patch in December 2025 Patch Tuesday. CISA added the vulnerability to the KEV catalog on December 9 with a December 30 deadline — a tight window over the holiday period. Local privilege escalation zero-days are used to complete attack chains from initial access to full system control.

CVE-2025-62221 is the third Windows local privilege escalation zero-day in Q4 2025 (after CVE-2025-59230 in October and CVE-2025-62215 in November), reflecting a sustained pattern of kernel-level zero-day exploitation across the period.

Remediation

  1. Apply the December 2025 cumulative update for your Windows version. The CISA deadline was December 30, 2025.
  2. No workarounds exist — disabling OneDrive or cloud sync does not remove cldflt.sys from the kernel and does not mitigate the vulnerability.
  3. Prioritize servers and multi-user systems — systems where multiple users or RDP sessions are active have higher probability of hosting a low-privilege attacker who would use this LPE.
  4. Enable Windows Defender Exploit Guard and core isolation features where supported on your hardware.
  5. Audit for pre-patch exploitation indicators: look for processes with unexpected SYSTEM privileges spawned from standard user processes in the Windows Event Log around and before December 9, 2025.
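The following PowerShell script is an added host-triage example for steps 1, 2 and 5 above; it is not part of this advisory or of any Microsoft tooling. It confirms that cldflt.sys is on disk and that the CldFlt minifilter is loaded (regardless of OneDrive state), reports the driver's file version, checks for a cumulative-update KB, and then searches Security event 4688 (process creation) for processes running with the SYSTEM token whose creator image lives under a user profile or temp directory, the pattern the audit step describes. The KB identifier is a placeholder, since the advisory does not name one; substitute the December 2025 cumulative update KB for your build. The hunt depends on process-creation auditing being enabled and on the Creator Process Name field that Windows 10 / Server 2016 and later add to 4688.

```powershell
# Added example (not from the advisory): single-host triage for CVE-2025-62221.
#   1. Is cldflt.sys present and is the CldFlt minifilter loaded?
#   2. Driver file version and whether a given cumulative-update KB is installed.
#   3. Hunt Security 4688 for SYSTEM-token process creations whose creator image
#      sits under a user-writable path, in a window around the 2025-12-09 disclosure.
# ASSUMPTIONS: $PatchKb is a placeholder, not a real KB number. Process-creation
# auditing (4688) must be enabled; command-line logging is optional but useful.
# Run from an elevated PowerShell session.

param(
    [string]$PatchKb   = 'KB<DEC-2025-CU-PLACEHOLDER>',  # placeholder, substitute your build's CU
    [datetime]$HuntFrom = (Get-Date '2025-11-09'),
    [datetime]$HuntTo   = (Get-Date '2025-12-31')
)

# --- 1. Driver presence and load state ---------------------------------------------
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
if (Test-Path $driverPath) {
    $ver = (Get-Item $driverPath).VersionInfo
    Write-Host ("cldflt.sys present: file version {0}" -f $ver.FileVersion)
} else {
    Write-Host 'cldflt.sys not found on disk (unexpected on a modern Windows install).'
}

# fltmc lists registered minifilters; the Cloud Files driver registers as "CldFlt".
$loaded = (& fltmc.exe filters 2>$null) -match '^\s*CldFlt\s'
Write-Host ("CldFlt minifilter loaded: {0}" -f [bool]$loaded)

# --- 2. Patch state ----------------------------------------------------------------
$hotfix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object HotFixID -eq $PatchKb
if ($hotfix) {
    Write-Host ("{0} installed on {1}" -f $PatchKb, $hotfix.InstalledOn)
} else {
    Write-Host ("{0} not reported by Get-HotFix; confirm via Windows Update history or your patch management system." -f $PatchKb)
}

# --- 3. Hunt: SYSTEM-token process creations with a user-path creator image --------
# In 4688, SubjectUserSid is the token of the creating process and ParentProcessName
# is the creator's image path. After a token-theft LPE, a binary under C:\Users\...
# spawns children that already carry the SYSTEM token (S-1-5-18).
$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $HuntFrom
    EndTime   = $HuntTo
}
$suspicious = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $parent = $d['ParentProcessName']
    if ($d['SubjectUserSid'] -eq 'S-1-5-18' -and $parent -match '\\Users\\|\\Temp\\') {
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Parent  = $parent
            Child   = $d['NewProcessName']
            CmdLine = $d['CommandLine']   # empty unless command-line auditing is on
        }
    }
}
if ($suspicious) {
    Write-Host ("{0} SYSTEM-token process creation(s) with a user-path creator image:" -f @($suspicious).Count)
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host 'No SYSTEM-token process creations from user-path parents in the window (or 4688 auditing is disabled).'
}
```

Hits from step 3 are a triage lead, not a verdict: legitimate installers and update agents can also produce SYSTEM children from user paths, so review the parent image, its signature and the command line before escalating. The window starts a month before the disclosure date because the advisory notes exploitation occurred before the patch was available.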

Key Details

Property               Value
CVE ID                 CVE-2025-62221
Vendor / Product       Microsoft — Windows
NVD Published          2025-12-09
NVD Last Modified      2025-12-10
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-416
CISA KEV Added         2025-12-09
CISA KEV Deadline      2025-12-30
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-12-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-12-09   Patched in December 2025 Patch Tuesday; CISA adds to KEV (zero-day exploited before patch)
2025-12-30   CISA BOD 22-01 remediation deadline