Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Windows Cloud Files Mini Filter Vulnerability Under Active Exploitation

10 December 2025 10:22

A zero-day vulnerability in the Windows Cloud Files Mini Filter driver (cldflt.sys) is currently being actively exploited. Microsoft has released urgent security updates to address this vulnerability.

The vulnerability is rated high severity, with a CVSS v3.1 base score of 7.8. Microsoft's advisory also indicates that attackers are using working exploits on affected machines to gain SYSTEM privileges.

This local privilege escalation (LPE) vulnerability affects a wide range of Windows operating systems, from the latest releases such as Windows 11 25H2 and Windows Server 2025 down to Windows 10 version 1809.

The vulnerability is described as a Use-After-Free weakness within the Cloud Files Mini Filter Driver, a kernel component responsible for managing “placeholders” and synchronization for cloud storage services like OneDrive.

Unlike remote code execution (RCE) flaws, this vulnerability is exploited as a secondary step in attack chains, where adversaries have already gained a foothold in the system and attempt to escalate their privileges to persist or disable security controls.

The flaw allows a locally authenticated, low-privileged attacker to trigger memory corruption and then execute arbitrary code with higher system privileges.

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified the bug, noting that while the complexity of the attack is low and requires no user interaction, the attacker must have established local access to the target computer.

Administrators should prioritize patching these systems immediately, given the confirmed state of active exploitation.

  • cloud storage security
  • CVE-2025-62221
  • cybersecurity threats
  • Microsoft security updates
  • privilege escalation
  • threat intelligence
  • vulnerability management
  • Windows Cloud Files Mini Filter vulnerability
  • Windows security patches
  • zero-day exploit
The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.