Security researchers from TyphoonPWN, the Windows PE Winner team, in collaboration with SSD Secure Disclosure, have uncovered a time-of-check to time-of-use (TOCTOU) race condition affecting the Windows Cloud Files Mini Filter Driver. Tracked as CVE-2025-55680, the vulnerability carries a CVSS score of 7.8 and allows a local attacker to escalate privileges to SYSTEM level.
According to the researchers, the flaw represents a bypass of a previously reported Windows vulnerability (CVE-2020-17136), initially disclosed by Google Project Zero in 2020.
As the advisory explains, “A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level.”
The vulnerability stems from the Windows Cloud Files Mini Filter Driver’s handling of file creation, particularly an operation related to creating placeholder files, which is part of its functionality to support cloud-backed file systems like OneDrive.
This new flaw is a patch bypass for CVE-2020-17136, another Elevation of Privilege vulnerability in the same component. To mitigate the 2020 flaw, Microsoft introduced a check to prevent symbolic link attacks by disallowing backslashes (\) or colons (:) in the file path.
However, the researchers discovered that the path string is obtained from user-controlled memory using ProbeForRead and MmProbeAndLockPages. Because that memory stays writable from user mode, its contents can change after the check has passed and before the path is used, which is a classic TOCTOU (Time-of-Check to Time-of-Use) condition.
“This allows us to bypass the above check through toctou (time-of-check to time-of-use) and regain the arbitrary file write vulnerability,” the researcher wrote. By exploiting this flaw, an attacker with limited local privileges can achieve full system control.
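The check-then-use pattern described above, next to the capture-then-validate form that closes the window, as an added user-space model in C. It is not code from the advisory or from the driver; all function names are hypothetical, and the `writer_fn` hook is a test device that stands in for a second writer to the shared buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_CAP 64

/* Hypothetical test hook: models another thread writing to the caller-owned
   buffer between the two reads. Not a Windows API. */
typedef void (*writer_fn)(char *shared);

static size_t bounded_len(const char *s) {
    size_t n = 0;
    while (n < NAME_CAP - 1 && s[n] != '\0') n++;
    return n;
}

/* The check the article describes: no backslash or colon in the name. */
static bool name_ok(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\\' || s[i] == ':') return false;
    return true;
}

/* Fragile pattern: validate shared memory, then fetch it again for use. */
bool use_after_check(char *shared, writer_fn w, char used[NAME_CAP]) {
    if (!name_ok(shared, bounded_len(shared))) return false; /* check */
    if (w) w(shared);                          /* window between reads */
    size_t n = bounded_len(shared);            /* second fetch */
    memcpy(used, shared, n);
    used[n] = '\0';
    return true;
}

/* Hardened pattern: one fetch into private memory, then check and use it. */
bool capture_then_check(char *shared, writer_fn w, char used[NAME_CAP]) {
    char priv[NAME_CAP];
    size_t n = bounded_len(shared);
    memcpy(priv, shared, n);                   /* single fetch */
    priv[n] = '\0';
    if (w) w(shared);                          /* later writes miss priv */
    n = bounded_len(priv);
    if (!name_ok(priv, n)) return false;
    memcpy(used, priv, n + 1);
    return true;
}

/* Constructed writer for the demo: turns the placeholder 'X' into '\'. */
void swap_in_separator(char *shared) { shared[3] = '\\'; }
```

With the constructed name `dirXfile`, the fragile function ends up acting on a name that contains a separator it never validated, while the hardened one acts only on the bytes it checked.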
Microsoft addressed this flaw as part of its October Patch Tuesday. System administrators are strongly urged to apply the latest security updates immediately to mitigate this highly exploitable local privilege escalation vulnerability.
The full technical write-up and exploit details are available via SSD Secure Disclosure at https://ssd-disclosure.com/cloud-filter-arbitrary-file-creation-eop-patch-bypass-lpe/.