On December 9, 2025, Microsoft released a Patch Tuesday security update that fixes a dangerous elevation-of-privilege vulnerability in the Windows Projected File System (ProjFS). Tracked as CVE-2025-62467, the flaw carries a CVSS 3.1 score of 7.8 and allows any local user—or malware running under a limited account—to escalate to SYSTEM privileges. The patch is available now for all supported Windows versions, and administrators should treat it as a top priority.

What’s the Flaw?

The bug sits in the ProjFS kernel driver and stems from an integer overflow or wraparound condition—classic CWE‑190 territory. When ProjFS handles metadata supplied by a user‑mode provider (for example, file sizes, directory enumerations, or placeholder information), a numeric miscalculation can cause the kernel to allocate a buffer that is too small for the incoming data. The resulting out‑of‑bounds read or write (CWE‑126 has also been associated with this CVE) gives an attacker a memory‑corruption primitive they can weaponize to overwrite security tokens, hijack control flow, or write arbitrary data to kernel memory.

Public vulnerability feeds describe the attack as local: an attacker must already have the ability to run code on the target host, even as a standard user. That may sound like a high barrier, but in real‑world attacks, initial footholds are common—through phishing, malicious documents, or compromised CI/CD pipelines. Once an adversary can execute code, a kernel privilege‑escalation bug like this becomes the perfect second‑stage tool to achieve full control of the machine.

Who’s Affected?

The vulnerability exists in the Projected File System component itself, meaning every Windows version that supports ProjFS is potentially vulnerable until patched. ProjFS is available on Windows 10 version 1709 and later, Windows 11, and recent Windows Server releases. It is an optional feature, but many applications silently enable it. If you use tools that rely on ProjFS—such as VFS for Git, certain cloud‑sync clients, or custom virtual filesystem providers—the attack surface is wider because the provider interface is already active.

  • Home users: If you run Windows 10 or Windows 11 with default settings, you likely have the December 2025 cumulative update pending. Install it via Windows Update. Because the exploit requires local code execution, standard safe‑computing practices (avoiding untrusted downloads, keeping antivirus active) reduce the chance of initial compromise, but the patch is your real defense.
  • Software developers: Workstations where ProjFS‑backed tools are used represent high‑risk targets. A malicious build script or a compromised dependency could invoke the vulnerable code path. Apply the update immediately, and check that your ProjFS providers (e.g., VFS for Git, third‑party sync tools) are from trusted sources and updated regularly.
  • Enterprise IT & security teams: The risk is greatest on multi‑user hosts—terminal servers, VDI farms, shared engineering workstations—because a single lateral‑movement hop can place an unprivileged attacker right at the ProjFS boundary. Domain controllers, though typically without ProjFS, become high‑priority if any management tool enables it. Prioritize patching for any system where non‑administrative users can log on interactively.

Why ProjFS Bugs Are So Dangerous

ProjFS acts as a mediator between user‑mode providers and the kernel’s file‑system stack. When a provider wants to present a virtual file tree—say, a Git repository that isn’t fully downloaded—ProjFS translates those requests into real I/O operations. That privileged position gives the kernel driver deep access to memory buffers, process contexts, and file objects. An arithmetic slip in such a path is not merely a crash risk; it hands an attacker a direct pipeline to the most sensitive resources of the operating system.

History shows that file‑system driver vulnerabilities are regularly targeted by advanced threat actors. Similar integer‑overflow bugs in Windows filter drivers and virtualization components have been converted into reliable privilege‑escalation exploits within days of patch disclosure. The ProjFS interface, with its rich set of callbacks and metadata structures, offers multiple avenues for triggering numeric overflows. CVE‑2025‑62467 is simply the latest reminder that a local-only attack vector can be as devastating as a remote one.

How to Get Protected

Microsoft’s Security Response Center (MSRC) lists CVE‑2025‑62467 in its Update Guide, which is the authoritative source for mapping the vulnerability to the exact KB updates for your Windows build. Follow these steps:

  1. Open the MSRC Update Guide for CVE‑2025‑62467 (link in the references). Select your product family and build number to see the corresponding KB article.
  2. Deploy the update through your normal patch‑management process—Windows Update for consumers, WSUS, Microsoft Endpoint Configuration Manager, or Intune for enterprises.
  3. Reboot after installation to ensure the ProjFS driver is replaced in kernel memory.
  4. Verify the update status on critical systems. On the command line, you can check the installed update list with wmic qfe list or Get-HotFix in PowerShell.

For large environments, use your vulnerability‑management platform to scan for missing patches. If you track devices by CVE, note that CVE‑2025‑62467 is indexed in all major vulnerability feeds and should appear in your dashboards automatically.

If You Can’t Patch Right Away

Operational constraints sometimes delay patch deployment. When you must run temporarily without the fix, layer these compensating controls:

  • Remove local administrator rights from all standard user accounts. The elevated context the attacker wants is harder to abuse if they cannot also bypass User Account Control separately.
  • Enable application allow‑listing (Windows Defender Application Control or AppLocker) to prevent untrusted executables from launching. This makes it much harder for an attacker to get the initial code execution needed to trigger the ProjFS bug.
  • Disable unneeded ProjFS providers. If you have third‑party ProjFS software that is not essential on servers or admin workstations, turn it off temporarily. For built‑in providers like those used by certain Microsoft tools, investigate whether the feature can be disabled via OptionalFeatures.exe or Group Policy until patching is complete.
  • Tune your endpoint detection and response (EDR) platform. Look for unexpected processes spawning as SYSTEM from user‑initiated processes—a common signal of local privilege escalation. Also monitor for anomalous DeviceIoControl calls targeted at ProjFS or file‑system filter drivers, and for kernel crashes (bug checks) referencing ProjFS modules.

These measures are stopgaps, not substitutes for the patch. They reduce the attack surface and improve your chance of catching exploitation in progress, but the only permanent fix is the official update.

The Bigger Picture

At the time of disclosure, there is no public proof‑of‑concept code for CVE‑2025‑62467, and Microsoft’s advisory does not indicate active exploitation. That can change quickly: once the patch is reverse‑engineered, skilled researchers often produce working exploits within a few weeks. Threat actors monitor the same channels, and kernel privilege‑escalation primitives are especially valuable for ransomware operators who need to disable endpoint protection before deploying payloads. Treat the absence of a PoC as a window of opportunity, not a reason to delay.

Microsoft’s decision to include this fix in a regular Patch Tuesday rollout, with a CVSS score visible to vulnerability scanners, demonstrates a mature disclosure process. The company has also provided its Update Guide as a single source of truth for remediation, avoiding the confusion that sometimes accompanies out‑of‑band releases.

Looking ahead, we expect further scrutiny of ProjFS internals from both security researchers and adversaries. If your organization relies on ProjFS‑dependent tooling—and many modern DevOps workflows do—keep a close eye on future Microsoft patches and consider joining relevant security mailing lists. The next kernel‑level bug is only a matter of time.

For now, the immediate task is clear: check your Windows update status, deploy the December 2025 cumulative update, and harden your environment against local attackers. A CVSS 7.8 vulnerability on every Windows workstation is not something to ignore.