A high-severity vulnerability has been identified in the Windows Cloud Files Mini Filter Driver, impacting multiple products. This flaw, a use-after-free condition, can be exploited by an attacker who already has local access to a system to gain full administrative privileges, potentially leading to a complete system compromise. Due to confirmed active exploitation in the wild, immediate patching is critical to prevent unauthorized system control.

The vulnerability is a use-after-free (UAF) condition within the Windows Cloud Files Mini Filter Driver (cldflt.sys). An authenticated attacker with standard user privileges can craft a specific sequence of operations that causes the driver to access a memory location after it has been freed. By carefully manipulating system memory before triggering this condition, the attacker can execute arbitrary code in the context of the kernel, thereby escalating their privileges to NT AUTHORITY\SYSTEM.

This vulnerability carries a High severity rating with a CVSS score of 7.8. Successful exploitation allows a low-privilege user to gain complete control over an affected system. This could lead to severe consequences, including the theft or modification of sensitive data, deployment of ransomware, installation of persistent backdoors, and the ability to pivot to other systems on the network. The integrity, confidentiality, and availability of any data on the compromised machine would be lost, posing a significant risk to business operations and data security.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor to all affected systems without delay. After patching, organizations should continue to monitor for any signs of post-patch exploitation attempts and review system and security logs for indicators of compromise that may have occurred prior to patching.

Proactive Monitoring: Security teams should monitor for anomalous system behavior, including unexpected system crashes (BSODs) which could indicate failed exploitation attempts. Monitor Windows Event Logs for unusual driver-related errors or suspicious process creation by non-administrative user accounts. Endpoint Detection and Response (EDR) solutions should be configured to alert on processes attempting to interact with the cldflt.sys driver in an unusual manner or performing privilege escalation techniques.

Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls to reduce risk. Enforce the principle of least privilege to limit user access, utilize application whitelisting to prevent the execution of unauthorized exploit code, and ensure EDR solutions are in place and tuned to detect and block kernel-level exploitation techniques.

Public Exploit Available: true

Given the high severity, local privilege escalation vector, and confirmed active exploitation, this vulnerability poses a critical threat. We strongly recommend that organizations prioritize the immediate deployment of vendor-supplied patches to all vulnerable systems. The CISA KEV deadline of December 29, 2025, underscores the urgency; all patching activities should be completed well before this date to mitigate the risk of a full system compromise.