Zero-Day Vulnerability in Windows Cloud Files Mini Filter Driver
CVE-2025-62221 is an Important elevation of privilege vulnerability affecting Windows Cloud Files Mini Filter Driver and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to elevate their privileges to SYSTEM level by exploiting a use-after-free weakness in the Windows Cloud Files Mini Filter Driver through local access to the system.
There is evidence of active exploitation in the wild. Microsoft has confirmed that exploitation has been detected, though the vulnerability had not been publicly disclosed and specific details about the exploitation methods have not been shared.
The vulnerability affects Windows systems running Cloud Files Mini Filter Driver and requires local access, low privileges, and no user interaction to exploit, with low attack complexity. When successfully exploited, it allows attackers to gain SYSTEM privileges, potentially allowing them to completely compromise the affected Windows systems. Microsoft has released an official fix to address this vulnerability. Organizations should prioritize applying the available security update to protect against exploitation.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
Publicly Disclosed Zero-Day Vulnerability in GitHub Copilot for JetBrains
CVE-2025-64671 is an Important remote code execution vulnerability affecting GitHub Copilot for JetBrains and has a CVSS score of 8.4. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a command injection weakness in Copilot through local access to the system.
While the vulnerability has been publicly disclosed, there is no evidence of active exploitation in the wild. Microsoft has assessed exploitation as “Less Likely” with an unproven exploit code maturity rating. The vulnerability affects GitHub Copilot for JetBrains and requires no privileges and no user interaction to exploit, with low attack complexity. An attacker could exploit this vulnerability via a malicious cross-prompt injection in untrusted files or MCP servers, allowing them to execute additional commands by appending them to commands allowed in the user’s terminal auto-approve setting.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 8.4 | CVE-2025-64671 | GitHub Copilot for JetBrains Remote Code Execution Vulnerability |
Publicly Disclosed Zero-Day Vulnerability in PowerShell
CVE-2025-54100 is an Important remote code execution vulnerability affecting Windows PowerShell and has a CVSS score of 7.8. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a command injection weakness in PowerShell through local access to the system.
While the vulnerability has been publicly disclosed, there is no evidence of active exploitation in the wild. Microsoft has assessed exploitation as “Less Likely” with an unproven exploit code maturity rating. The vulnerability affects Windows PowerShell and requires no privileges but does require user interaction to exploit, with low attack complexity. An attacker could exploit this vulnerability through social engineering tactics, such as convincing a victim to download and execute a malicious file or run a specially crafted PowerShell command, leading to code execution on their local system.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability |
Two Critical Vulnerabilities in Microsoft Office
CVE-2025-62554 and CVE-2025-62557 are Critical remote code execution vulnerabilities in Microsoft Office, both with CVSS scores of 8.4. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting a type confusion weakness (CVE-2025-62554) and a use-after-free condition (CVE-2025-62557) in Microsoft Office components. Exploitation requires no user interaction in the worst-case scenario and can be triggered by sending specially crafted malicious emails or links to the target user, with the preview pane serving as an attack vector for both vulnerabilities. The preview pane has been a continuous source of vulnerabilities, with at least one critical vulnerability each month this year except November.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.4 | CVE-2025-62554 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2025-62557 | Microsoft Office Remote Code Execution Vulnerability |
Patch Tuesday Dashboard in the Falcon Platform
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
Learn More
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
