Researchers from Exodus Intelligence, led by Michele Campa, have disclosed a privilege-escalation vulnerability in Microsoft’s Cloud Files Minifilter driver (cldflt.sys) that affects all versions of Windows that have not received the October 2025 security updates. The flaw, assigned CVE-2025-55680 (CVSS 7.8), stems from a race condition in how the driver validates and then creates placeholder files requested through the Cloud Files API (CfCreatePlaceholders), the mechanism used by services such as OneDrive and SharePoint sync engines.
The flaw, found in the HsmpOpCreatePlaceholders() function of cldflt.sys, allows a low-privileged attacker to create or overwrite arbitrary files or directories anywhere on the system, leading to local privilege escalation (LPE) through DLL side-loading.
Microsoft’s Cloud Files API allows Windows to sync local directories with remote cloud storage. Each file inside a “sync root” directory can exist as a full file, pinned file, or placeholder — a lightweight on-disk reference whose content is hydrated on demand.
The driver cldflt.sys exposes these operations to user mode and processes requests sent through the CfCreatePlaceholders() API, which uses I/O control code 0x903BC to instruct the kernel to create new placeholder entries.
When invoked, the driver calls HsmpOpCreatePlaceholders() to validate and create these placeholder files under the sync root.
Campa’s analysis explains, “Before the placeholder file is created, the HsmpOpCreatePlaceholders() function validates the filename by checking if the userspace buffer holding the filename contains the \ or : characters… After the user-provided filename is checked, it calls the FltCreateFileEx2() function to create the file.”
The problem lies in what happens between those two steps.
The validation check and the file creation are separated by a small but critical time window, the classic time-of-check/time-of-use (TOCTOU) pattern: during that interval, the user-mode buffer holding the filename can be modified before the kernel reads it again at creation time.
The report continues: “Due to how this check is implemented, there exists a time window between the filename validation and file creation where the user can alter the filename allowing the user to create a file or directory anywhere on the system, leading to a privilege escalation.”
Because the kernel maps the user-supplied memory directly into its own address space (MmMapLockedPagesSpecifyCache()) rather than working from a private copy, any modification made from user mode during that window is immediately visible to the kernel, which then uses the altered filename.
In practice, the exploit takes advantage of this race by injecting backslash (\) characters into the already-validated filename just before the FltCreateFileEx2() call. With a path separator present, the driver resolves the name through an NTFS junction or symlink that points outside the sync root, so the file ends up in a protected directory such as C:\Windows\System32.
Campa demonstrates that “between [8] and [10] there is a time window where a malicious attacker can alter the placeholderPayload.relName string by inserting the \ character in order to gain a file/directory arbitrary creation.”
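The same time-of-check/time-of-use pattern, reduced to a user-mode C model. This is an added illustration, not Exodus Intelligence's proof-of-concept and not Microsoft's driver code: create_placeholder_vulnerable() validates the shared buffer and then re-reads it at use time, while create_placeholder_hardened() captures the buffer into private storage once and validates and uses only that copy. A deterministic hook stands in for the concurrent user-mode write, so no real race, threads or kernel APIs are involved; the struct, the "<syncroot>" prefix and the sample filenames are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a filename buffer the user side owns and the
 * "kernel" side reads, standing in for the mapped user pages. */
#define NAME_CAP 64

typedef struct {
    char rel_name[NAME_CAP];    /* user-controlled relative filename */
} user_request_t;

/* Models a user-mode write landing between the check and the use.
 * A NULL hook means no concurrent modification. */
typedef void (*race_hook_t)(user_request_t *req);

typedef int (*create_fn_t)(user_request_t *req, race_hook_t hook,
                           char *out, size_t out_len);

/* The check the article describes: reject '\' and ':' so the new file
 * cannot escape the sync root through path separators or streams. */
static bool name_is_safe(const char *name, size_t cap) {
    for (size_t i = 0; i < cap && name[i] != '\0'; i++) {
        if (name[i] == '\\' || name[i] == ':') return false;
    }
    return true;
}

/* Stand-in for the file creation call: only records the path it would create. */
static int create_file(const char *name, char *out, size_t out_len) {
    snprintf(out, out_len, "<syncroot>\\%s", name);
    return 0;
}

/* Vulnerable pattern (double fetch): check the shared buffer, then
 * read it a second time at use. Anything written in between is used. */
int create_placeholder_vulnerable(user_request_t *req, race_hook_t hook,
                                  char *out, size_t out_len) {
    if (!name_is_safe(req->rel_name, NAME_CAP)) return -1;  /* check */
    if (hook) hook(req);             /* the window: user memory changes */
    return create_file(req->rel_name, out, out_len);        /* use */
}

/* Hardened pattern (capture once): copy the user buffer into private
 * storage a single time, then validate and use only that copy. */
int create_placeholder_hardened(user_request_t *req, race_hook_t hook,
                                char *out, size_t out_len) {
    char local[NAME_CAP];
    memcpy(local, req->rel_name, NAME_CAP);   /* single fetch */
    local[NAME_CAP - 1] = '\0';
    if (!name_is_safe(local, NAME_CAP)) return -1;
    if (hook) hook(req);             /* same window, no longer observable */
    return create_file(local, out, out_len);
}

/* Constructed racing write: the benign name is replaced with one that
 * contains the separator the check just rejected. */
static void racing_write(user_request_t *req) {
    strncpy(req->rel_name, "dir\\file.txt", NAME_CAP - 1);
}

/* Drive one variant with the racing write and report whether the path it
 * would create contains a separator past the sync-root prefix. */
int escapes_sync_root(create_fn_t variant) {
    user_request_t req;
    char out[128] = {0};
    memset(&req, 0, sizeof req);
    strncpy(req.rel_name, "file.txt", NAME_CAP - 1);
    if (variant(&req, racing_write, out, sizeof out) != 0) return 0;
    const char *rel = out + strlen("<syncroot>\\");
    return strchr(rel, '\\') != NULL;
}

/* A name that is unsafe from the start is refused by both variants. */
int rejects_unsafe_name(create_fn_t variant) {
    user_request_t req;
    char out[128] = {0};
    memset(&req, 0, sizeof req);
    strncpy(req.rel_name, "dir\\file.txt", NAME_CAP - 1);
    return variant(&req, NULL, out, sizeof out) == -1;
}

int main(void) {
    printf("vulnerable escapes sync root: %d\n",
           escapes_sync_root(create_placeholder_vulnerable));
    printf("hardened escapes sync root:   %d\n",
           escapes_sync_root(create_placeholder_hardened));
    return 0;
}
```

Both variants refuse a name that is unsafe when first inspected; only the capture-once variant still refuses it when the buffer changes after the check. In a real driver the equivalent discipline is to copy the filename out of the user-mapped buffer into kernel-owned memory before validating it and to hand that same copy to the create call, so the check and the use can never observe different bytes.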
The exploit chain requires four coordinated stages:
- Setup – The attacker registers a new sync-root directory using the CfRegisterSyncRoot() API and creates a subdirectory (e.g., JUSTASTRING) that serves as a junction pointing to a privileged path such as C:\Windows\System32.
- Trigger the race – Multiple threads repeatedly issue the CfCreatePlaceholders() request while others simultaneously modify the filename buffer in memory.
- Privilege escalation – Once the race succeeds, the driver follows the junction and creates a malicious DLL in System32.
- Execution – A legitimate Windows service loads the rogue DLL, resulting in SYSTEM-level code execution.
When successful, the file has been written with the driver's kernel-level privileges into a location the attacker could not otherwise write to, allowing the attacker to load it through DLL side-loading mechanisms present in many Windows services.
Microsoft addressed CVE-2025-55680 in its October 2025 Patch Tuesday release. Users are urged to install the latest Windows security updates immediately. Enterprises using OneDrive Files On-Demand, SharePoint sync, or other services leveraging the Cloud Files API are especially exposed.