Microsoft Windows Cloud Files Mini Filter Driver EoP CVE-2025-62221
Targeted Sectors
· General Windows users
· Potentially government and IT sectors, given the suspected APT involvement.
Targeted Countries
· Likely global
BLUF
An actively exploited EoP vulnerability in the Windows Cloud Files Mini Filter Driver allows an attacker who already has local, low-privileged code execution to gain SYSTEM privileges, typically as one stage of a multi-stage intrusion.
Date of First Reported Activity
· Unknown; the vulnerability was already being exploited in the wild when the fix shipped on December 10, 2025.
Date of Last Reported Activity Update
· December 10, 2025.
CVEs and CVSS 3.1 Vectors:
CVE-2025-62221
CVSS:3.1
· 7.8 (High): AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Nessus Plugin IDs
· 277987
o KB5071544: Windows 10 version 1809 / Windows Server 2019 Security Update
· 277988
o KB5071546: Windows 10 version 21H2 / Windows 10 Version 22H2 Security Update
· 277996
o KB5071417: Windows 11 version 22H2 / Windows 11 version 23H2 Security Update
CISA KEV due date (patch by)
· December 30, 2025
Patching/Mitigation Data
Patch release date
· December 10, 2025
URL to Patch information
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221
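The PowerShell check below is an added example, not part of this advisory and not Microsoft or Tenable tooling. It maps the running OS build to the KB listed above and reports whether that update is installed. Assumptions: the base build numbers 17763 (1809 / Server 2019), 19044/19045 (Windows 10 21H2/22H2) and 22621/22631 (Windows 11 22H2/23H2) identify those releases; only the three KBs named on this page are covered, so any other release (Windows 11 24H2, Server 2022/2025) falls through to a "check MSRC" result; and Get-HotFix, which reads Win32_QuickFixEngineering, may stop listing the December KB once a later cumulative update has superseded it, which the script reports as "verify" rather than "missing".

```powershell
# Added example: is the December 2025 update listed on this page installed on this host?
# Build-to-KB map covers only the KBs named on the page (assumption: base build numbers
# 17763, 19044/19045, 22621/22631 identify those releases).
$KbByBuild = @{
    17763 = 'KB5071544'   # Windows 10 1809 / Windows Server 2019
    19044 = 'KB5071546'   # Windows 10 21H2
    19045 = 'KB5071546'   # Windows 10 22H2
    22621 = 'KB5071417'   # Windows 11 22H2
    22631 = 'KB5071417'   # Windows 11 23H2
}
$PatchReleaseDate = Get-Date '2025-12-10'

function Test-Cve202562221Patch {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR                      # update build revision, rises with each CU
    $result = [ordered]@{
        Computer   = $env:COMPUTERNAME
        OSBuild    = "$build.$ubr"
        ExpectedKB = $KbByBuild[$build]
        Installed  = $false
        Status     = ''
    }

    if (-not $result.ExpectedKB) {
        $result.Status = 'Release not in this page''s KB table; check the MSRC entry for the correct update'
        return [pscustomobject]$result
    }

    # Get-HotFix wraps Win32_QuickFixEngineering; cumulative updates appear by KB number.
    $hf = Get-HotFix -Id $result.ExpectedKB -ErrorAction SilentlyContinue
    if ($hf) {
        $result.Installed = $true
        $result.Status    = "Patched (installed $($hf.InstalledOn))"
        return [pscustomobject]$result
    }

    # Caveat: a newer cumulative update supersedes the December one and the older KB
    # may no longer be listed. A security update installed on or after the patch
    # release date means the fix is probably present, but confirm against MSRC.
    $later = Get-HotFix | Where-Object {
        $_.Description -like '*Security Update*' -and $_.InstalledOn -and $_.InstalledOn -ge $PatchReleaseDate
    } | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($later) {
        $result.Status = "$($result.ExpectedKB) not listed, but $($later.HotFixID) installed $($later.InstalledOn) may supersede it; verify"
    } else {
        $result.Status = "MISSING: install $($result.ExpectedKB)"
    }
    [pscustomobject]$result
}

Test-Cve202562221Patch | Format-List
```

Run it in an elevated shell on each in-scope host (or wrap the function in Invoke-Command for a fleet). The UBR is printed because the authoritative check is the fixed OS build from the MSRC entry; the KB lookup is the convenient first pass.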
APT Names
No attribution has been publicly disclosed; APT involvement is suspected.
Associated Criminal Organization Names
None reported
IOCs
· None publicly released at the time of writing.
TTPs
· TA0004 Privilege Escalation
· T1068 Exploitation for Privilege Escalation
· TA0002 Execution
· TA0003 Persistence
· TA0008 Lateral Movement
Malware Names
· None publicly reported in direct association with exploitation of this vulnerability.
Suggested rules / potential hunts
Suricata Rules
No Suricata signature specific to this CVE was available at the time of writing. Because this is a local EoP (AV:L), exploitation itself produces no network traffic to signature; generic rules can only cover the surrounding intrusion (initial access, C2, lateral movement).
Sentinel Rules
No CVE-specific analytic rule was available at the time of writing. Hunt with Sentinel's generic post-exploitation logic instead: process-creation telemetry (SecurityEvent 4688 or DeviceProcessEvents) where a SYSTEM-level process is spawned by a binary that was launched from a user-writable path.
Splunk Hunts
Splunk Enterprise Security can be used the same way: hunt WinEventLog:Security EventCode=4688 for SYSTEM child processes whose parent image sits in a user-writable path, and raise the risk score of hosts where this fires so they surface in risk-based alerting.
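As an added example, not from this advisory and not a rule shipped by Microsoft, Tenable, Sentinel or Splunk, the PowerShell below runs the generic local-EoP hunt described above over Security event 4688 (process creation) records: it flags any process whose creator SID is SYSTEM (S-1-5-18) but whose parent image lives in a user-writable directory, the usual post-exploitation footprint once a kernel EoP has handed a user-launched binary a SYSTEM token. It is not specific to CVE-2025-62221. It assumes process-creation auditing is enabled (and "Include command line in process creation events" for the CommandLine field), and the list of user-writable roots is an assumption to tune per estate. The three records at the bottom are constructed for the demonstration, not real telemetry.

```powershell
# Added example: generic hunt for a user-launched binary that now runs as SYSTEM.
# Not specific to CVE-2025-62221. Assumes Security 4688 auditing is enabled.

# A parent image under any of these roots is treated as user-controlled (assumption;
# tune for your estate, e.g. agents that legitimately run from ProgramData).
$UserWritableRoots = @('\Users\', '\Temp\', '\AppData\', '\ProgramData\', '\PerfLogs\', '\Windows\Temp\')

# Turn a 4688 EventRecord into an object whose EventData fields are named properties.
function ConvertFrom-ProcessCreationEvent {
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $xml = [xml]$Record.ToXml()
        $o   = [ordered]@{ TimeCreated = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

# Core detection: creator SID is SYSTEM and the parent image is in a user-writable path.
function Find-SystemSpawnFromUserPath {
    param([Parameter(ValueFromPipeline)]$Evt)
    process {
        if ($Evt.SubjectUserSid -ne 'S-1-5-18') { return }
        $parent = [string]$Evt.ParentProcessName
        foreach ($root in $UserWritableRoots) {
            if ($parent.IndexOf($root, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                return [pscustomobject]@{
                    TimeCreated = $Evt.TimeCreated
                    Parent      = $parent
                    Child       = $Evt.NewProcessName
                    CommandLine = $Evt.CommandLine
                    Reason      = "SYSTEM process spawned by image under $root"
                }
            }
        }
    }
}

# Live use: 4688 events from the local Security log since $Since (default: last 24h).
function Invoke-LocalEopHunt {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ConvertFrom-ProcessCreationEvent | Find-SystemSpawnFromUserPath
}

# Constructed sample records (not real telemetry) shaped like 4688 EventData.
$Sample = @(
    [pscustomobject]@{ TimeCreated = '2025-12-11 09:14:02'; SubjectUserSid = 'S-1-5-21-1000-2000-3000-1103'
                       NewProcessName = 'C:\Users\jdoe\Downloads\updater.exe'; ParentProcessName = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Users\jdoe\Downloads\updater.exe"' }                       # user launch, not flagged
    [pscustomobject]@{ TimeCreated = '2025-12-11 09:14:05'; SubjectUserSid = 'S-1-5-18'
                       NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Users\jdoe\Downloads\updater.exe'
                       CommandLine = 'cmd.exe /c whoami' }                                             # flagged
    [pscustomobject]@{ TimeCreated = '2025-12-11 09:15:00'; SubjectUserSid = 'S-1-5-18'
                       NewProcessName = 'C:\Windows\System32\svchost.exe'; ParentProcessName = 'C:\Windows\System32\services.exe'
                       CommandLine = 'svchost.exe -k netsvcs' }                                        # benign SYSTEM activity
)

$Sample | Find-SystemSpawnFromUserPath | Format-Table -AutoSize
# Live: Invoke-LocalEopHunt | Format-Table -AutoSize
```

Against the sample only the second record is returned. Expect some noise from installers and management agents that run as SYSTEM out of ProgramData; handle that with an allow-list on Parent rather than by dropping the root, since ProgramData is exactly where a low-privileged user can stage a payload.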
Delivery Method
· Used in the post-exploitation phase of multi-stage attacks, not an initial delivery method itself.
Email Samples
· None; this vulnerability is used post-compromise, not for initial access.
References
Microsoft
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221
CVE Program / CISA
· hxxps://www.cve.org/CVERecord?id=CVE-2025-62221
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-62221&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=
Tenable
· hxxps://www.tenable.com/cve/CVE-2025-62221/plugins