Microsoft Windows Cloud Files Minifilter Privilege Escalation Vulnerability Exploited

Microsoft has patched a critical race condition vulnerability in its Windows Cloud Files Minifilter driver, known as CVE-2025-55680, which enables local attackers to escalate privileges and create arbitrary files across the system.

Discovered by researchers at Exodus Intelligence in March 2024, the flaw was addressed in the October 2025 Patch Tuesday updates, earning a CVSS score of 7.8 for its potential to grant SYSTEM-level access through DLL side-loading.

While no widespread in-the-wild exploitation has been confirmed, security experts classify it as “exploitation more likely” due to the straightforward nature of the time-of-check to time-of-use (TOCTOU) weakness in the cldflt.sys driver.

Understanding The Cloud Files Minifilter

The Cloud Files Minifilter driver powers features like OneDrive’s Files On-Demand, allowing seamless synchronization of cloud-stored files as local placeholders that hydrate on access.

Registered via the CfRegisterSyncRoot API in cldapi.dll, sync root directories enforce hydration policies (how a placeholder's contents are downloaded) and population policies (how a directory reveals its cloud contents).

These placeholders, managed through IOCTL code 0x903BC, represent files in states like pinned, full, or partial, relying on the minifilter to handle operations such as creation via CfCreatePlaceholders.

The driver intercepts IRP major functions for file creation, reading, writing, and controlling, processing user requests in kernel mode to ensure secure cloud integration, Exodus Intelligence said.

However, this tight coupling between user-space APIs and kernel handling introduces risks when validating inputs like filenames during placeholder creation.

Race Condition Flaw Leads to Privilege Escalation

At the core of CVE-2025-55680 lies the HsmpOpCreatePlaceholders function in cldflt.sys, triggered by CfCreatePlaceholders to build placeholders under a sync root.

The function first probes and maps the user-supplied buffer containing the relative filename (relName) into kernel space using IoAllocateMdl and MmMapLockedPagesSpecifyCache, sharing physical memory between user and kernel views.

[Figure: Exploit Chain]

It then validates relName against forbidden characters such as backslash (\) or colon (:), a safeguard added after CVE-2020-17136.

Yet, a narrow window exists between this check and the subsequent FltCreateFileEx2 call to create the file.

Attackers can exploit this TOCTOU by altering the mapped buffer after the check, replacing a character such as 'D' with a backslash so that a string like "JUSTASTRINGDnewfile.dll" becomes "JUSTASTRING\newfile.dll", causing the driver to follow a pre-set junction point to privileged paths like C:\Windows\System32.

Without flags to block symlinks, the file lands in restricted areas, bypassing permissions.

Exploitation demands low privileges but coordinates multiple threads: one monitors for file creation in System32, others spam CfCreatePlaceholders with benign payloads, and racers toggle the buffer byte to win the timing race.

Success allows dropping a malicious DLL, hijacked by services like those in System32, for side-loading, yielding kernel-context code execution. Setup involves registering a sync root and junction, with cleanup post-escalation.
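The check-then-use pattern described above, reduced to a single-threaded user-mode simulation (added here for illustration; this is not cldflt.sys code, and the function and callback names are hypothetical). The "racer" callback stands in for the user-mode write to the shared mapping that lands between the forbidden-character check and the create: the vulnerable variant validates and then uses the live shared buffer, while the hardened variant captures the name into kernel-owned storage first and validates and uses only that copy, so a later change to the shared mapping cannot reach the create.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the driver's forbidden-character check:
 * a relative placeholder name may not contain a backslash or a colon. */
static bool rel_name_is_safe(const char *name, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (name[i] == '\\' || name[i] == ':')
            return false;
    return true;
}

/* Models a concurrent user-mode writer touching the shared mapping between
 * the check and the use; NULL means no writer. */
typedef void (*racer_fn)(char *shared, size_t len);

/* Vulnerable pattern: validates the shared mapping, then uses that same
 * mapping. Returns 1 if the create would proceed (name copied to 'used'),
 * 0 if the check rejected it. */
static int create_placeholder_vulnerable(char *shared, size_t len,
                                         racer_fn racer,
                                         char *used, size_t used_cap) {
    if (!rel_name_is_safe(shared, len)) return 0;
    if (racer) racer(shared, len);          /* TOCTOU window */
    snprintf(used, used_cap, "%.*s", (int)len, shared); /* reads live buffer */
    return 1;
}

/* Hardened pattern: capture into kernel-owned storage, validate the copy,
 * and use only the copy; later writes to 'shared' are irrelevant. */
static int create_placeholder_hardened(char *shared, size_t len,
                                       racer_fn racer,
                                       char *used, size_t used_cap) {
    char captured[260];                     /* MAX_PATH-sized private copy */
    if (len >= sizeof captured) return 0;   /* reject over-long names */
    memcpy(captured, shared, len);
    captured[len] = '\0';
    if (!rel_name_is_safe(captured, len)) return 0;
    if (racer) racer(shared, len);          /* same window, now harmless */
    snprintf(used, used_cap, "%s", captured);
    return 1;
}

/* Constructed writer for the test: turns the first 'D' into a backslash,
 * mirroring the page's "JUSTASTRINGDnewfile.dll" example. */
static void flip_d_to_backslash(char *shared, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (shared[i] == 'D') { shared[i] = '\\'; return; }
}
```

The same capture-before-validate discipline applies to any kernel path that reads a user-mapped buffer more than once; a detection rule cannot see the race itself, only its result (an unexpected file created under a system directory from a cloud-sync context).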

Microsoft urges immediate patching, emphasizing endpoint detection for anomalous file ops in cloud sync dirs.

Enterprises should audit OneDrive usage and enforce least-privilege policies to mitigate local threats. As cloud reliance grows, such kernel flaws underscore the perils of bridging user and system spaces.

Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
