CVE-2025-62221

cldflt.sys — use-after-free in Cloud Files Mini Filter allows SYSTEM escalation

Exploited in the Wild

Actively exploited zero-day. Broad impact across VDIs, workstations, and enterprise hosts.

Summary

| Field | Value |
| --- | --- |
| Driver | cldflt.sys (Cloud Files Mini Filter Driver) |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | December 9, 2025 |

Root Cause

Use-after-free in the Cloud Files Mini Filter driver, which handles cloud storage synchronization (OneDrive, SharePoint, etc.). The driver mismanages object lifetimes during filter operations, so a concurrent I/O path can dereference a freed filter context.

This is the fourth cldflt.sys vulnerability in KernelSight, following CVE-2023-36036, CVE-2024-30085, and CVE-2024-49114.

Exploitation

A local authenticated attacker triggers the UAF to escalate to SYSTEM. Cloud file sync runs across most enterprise environments, making VDI deployments, shared workstations, and domain-joined hosts all vulnerable.

Exploitation Primitive

Filter context UAF in cldflt.sys → kernel memory corruption → SYSTEM
