Critical Windows Cloud Files Minifilter Vulnerability Exposes Systems to Privilege Escalation
Microsoft has recently addressed a significant security flaw in its Windows Cloud Files Minifilter driver, identified as CVE-2025-55680. This vulnerability allows local attackers to escalate their privileges and create arbitrary files across the system, posing a substantial risk to affected devices.
Discovery and Patch Details
The vulnerability was discovered by researchers at Exodus Intelligence in March 2024. Microsoft responded by releasing a patch during the October 2025 Patch Tuesday updates. The flaw has been assigned a Common Vulnerability Scoring System (CVSS) score of 7.8, reflecting its potential to grant SYSTEM-level access through Dynamic Link Library (DLL) side-loading techniques.
Although there have been no widespread reports of this vulnerability being exploited in the wild, security experts consider exploitation more likely because of the straightforward nature of the time-of-check to time-of-use (TOCTOU) weakness in the cldflt.sys driver.
Understanding the Cloud Files Minifilter
The Cloud Files Minifilter driver is integral to features like OneDrive’s Files On-Demand, enabling seamless synchronization of cloud-stored files as local placeholders that hydrate upon access.
Sync root directories, registered via the CfRegisterSyncRoot API in cldapi.dll, carry the hydration policies that govern when placeholder files are downloaded and populated, and so control how a directory exposes its cloud contents.
These placeholders, managed through IOCTL code 0x903BC, represent files in various states such as pinned, full, or partial. The minifilter handles operations like creation via CfCreatePlaceholders.
The driver intercepts IRP major functions for file creation, reading, writing, and device control, processing user requests in kernel mode to provide secure cloud integration. However, this tight coupling between user-space APIs and kernel handling introduces risk, particularly when validating inputs such as filenames during placeholder creation.
Race Condition Flaw Leading to Privilege Escalation
At the core of CVE-2025-55680 lies the HsmpOpCreatePlaceholders function in cldflt.sys, triggered by CfCreatePlaceholders to build placeholders under a sync root.
The function first probes and maps the user-supplied buffer containing the relative filename (relName) into kernel space using IoAllocateMdl and MmMapLockedPagesSpecifyCache, sharing physical memory between user and kernel views.
It then validates relName against forbidden characters such as backslash (\) or colon (:), a safeguard added post-CVE-2020-17136.
However, a narrow window exists between this check and the subsequent FltCreateFileEx2 call to create the file.
Attackers can exploit this TOCTOU by altering the mapped buffer, replacing a character like ‘D’ with ‘\’ in a string such as JUSTASTRINGDnewfile.dll to form JUSTASTRING\newfile.dll. This manipulation causes the driver to follow a pre-set junction point to privileged paths like C:\Windows\System32.
Because the create call is issued without flags that would block symbolic links, the file lands in a restricted location, bypassing its permissions.
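The check-then-use window described above is a classic double fetch on memory the user side can still write: the driver validates relName through the shared mapping and then reads the mapping again when it builds the path. The added example below (illustrative code written for this article, not Microsoft's code or its actual fix) models that window in user-mode C and contrasts it with the standard defensive pattern of copying the user bytes into private storage once and then checking and using only that copy. The `shared_buf`, `race_hook`, `vulnerable_create` and `hardened_create` names, and the hook that stands in for the racing thread, are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Models the MDL-mapped user buffer: user and kernel views share the same
 * bytes, so a racing user thread can rewrite them at any instant. */
typedef struct { char name[64]; } shared_buf;

/* Stands in for the racing user thread; the caller decides where in the
 * check/use sequence it fires (constructed for this example). */
typedef void (*race_hook)(shared_buf *b);

/* The relName check: reject path separators and drive colons. */
static int name_is_safe(const char *s) { return strpbrk(s, "\\:") == NULL; }

/* Vulnerable double fetch: check the shared mapping, then read it again to
 * build the create path. Returns 1 (create) or 0 (rejected); out = path. */
int vulnerable_create(shared_buf *b, race_hook race, char *out, size_t n) {
    if (!name_is_safe(b->name)) return 0;   /* time of check */
    if (race) race(b);                        /* race lands between check and use */
    snprintf(out, n, "%s", b->name);          /* time of use: second fetch */
    return 1;
}

/* Hardened: copy the user bytes into kernel-private storage once, then check
 * and use only that copy; later changes to the mapping cannot matter. */
int hardened_create(shared_buf *b, race_hook race, char *out, size_t n) {
    char priv[sizeof b->name];
    snprintf(priv, sizeof priv, "%s", b->name);  /* single fetch, NUL-terminated */
    if (!name_is_safe(priv)) return 0;
    if (race) race(b);                           /* same window, no effect on priv */
    snprintf(out, n, "%s", priv);
    return 1;
}

/* Constructed race: flip the 'D' to a backslash, as the article describes. */
void flip_d_to_backslash(shared_buf *b) {
    char *p = strchr(b->name, 'D');
    if (p) *p = '\\';
}

int main(void) {
    shared_buf b = { "JUSTASTRINGDnewfile.dll" };
    char out[64];
    vulnerable_create(&b, flip_d_to_backslash, out, sizeof out);
    printf("vulnerable creates: %s\n", out);   /* JUSTASTRING\newfile.dll */
    strcpy(b.name, "JUSTASTRINGDnewfile.dll");
    hardened_create(&b, flip_d_to_backslash, out, sizeof out);
    printf("hardened creates:   %s\n", out);   /* JUSTASTRINGDnewfile.dll */
    return 0;
}
```

The hook makes the race deterministic for illustration; in the real driver the same outcome depends on a user thread winning the timing window, which is why the fix must remove the second fetch rather than shrink the window.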
Exploitation requires low privileges but involves coordinating multiple threads: one monitors for file creation in System32, others spam CfCreatePlaceholders with benign payloads, and racers toggle the buffer byte to win the timing race.
Success allows dropping a malicious DLL that a service loading from System32 will side-load, yielding kernel-context code execution. Setup involves registering a sync root and a junction, with cleanup after escalation.
Mitigation and Recommendations
Microsoft urges immediate patching of this vulnerability and emphasizes the importance of endpoint detection for anomalous file operations in cloud sync directories.
Enterprises should audit OneDrive usage and enforce least-privilege policies to mitigate local threats. As reliance on cloud services grows, such kernel flaws underscore the perils of bridging user and system spaces.