Windows Cloud Files Mini Filter Driver Vulnerability Exploited to Escalate Privileges
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A privilege escalation flaw in Windows Cloud Files Mini Filter Driver has been discovered, allowing local attackers to bypass file write protections and inject malicious code into system processes.<\/p>\n
Security researchers have uncovered CVE-2025-55680<\/a>, a high-severity privilege-escalation vulnerability in the Windows Cloud Files Mini Filter Driver.<\/p>\n The flaw exists in the Cloud Files Filter (cldsync.sys) driver\u2019s handling of file path validation during placeholder file creation operations.<\/p>\n Specifically, the vulnerability resides in the call chain: HsmFltProcessHSMControl \u2192 HsmFltProcessCreatePlaceholders \u2192 HsmpOpCreatePlaceholders.<\/p>\n Microsoft previously patched a similar file write vulnerability reported by Project Zero in 2020. However, the current implementation contains a critical logical flaw.<\/p>\n While Microsoft added code to prevent backslash ($$ and colon (:)) characters in file paths from being used to block symbolic link attacks, the validation check can be bypassed through a Time-of-Check Time-of-Use (TOCTOU) race condition.<\/p>\n Attackers can modify the path string in kernel memory between the validation check and the actual file operation, allowing malicious paths to pass through security controls.<\/p>\n The exploitation technique requires multiple coordinated steps. First, attackers start the Remote Access Service (rasman) and create a cloud file sync root using the Cloud Files API.<\/p>\n Next, they connect to the Cloud Files<\/a> Filter driver through DeviceIoControl calls and establish a communication port with the filter manager.<\/p>\n The attacker then creates a thread that continuously modifies a path string in kernel memory, changing it from an innocent filename to a symbolic link pointing to system directories like C:WindowsSystem32.<\/p>\n While one thread performs file-creation operations, another thread rapidly modifies the memory location, exploiting the race condition window between the security check and file creation.<\/p>\nHow the Exploit Works<\/strong><\/h2>\n