Categories: Cyber Security News

Windows Cloud Files Mini Filter Driver Vulnerability Exploited to Escalate Privileges

A privilege escalation flaw in the Windows Cloud Files Mini Filter Driver has been discovered that lets a local attacker bypass file write protections, drop files into protected system directories and get malicious code loaded into privileged system processes.

Security researchers have uncovered CVE-2025-55680, a high-severity privilege-escalation vulnerability in the Windows Cloud Files Mini Filter Driver.

The flaw exists in the Cloud Files Filter driver's (cldflt.sys) handling of file path validation during placeholder file creation operations.

Specifically, the vulnerability resides in the call chain: HsmFltProcessHSMControl → HsmFltProcessCreatePlaceholders → HsmpOpCreatePlaceholders.

Microsoft previously patched a similar file write vulnerability reported by Project Zero in 2020. However, the current implementation contains a critical logical flaw.

Microsoft's earlier fix added a check that rejects backslash (\) and colon (:) characters in the supplied file name, so that a placeholder cannot be created outside the sync root or through a symbolic link. That check, however, can be bypassed through a Time-of-Check Time-of-Use (TOCTOU) race condition.

The driver validates the path string and then reads it a second time when it performs the actual file operation. An attacker who rewrites the caller-supplied path buffer between the validation check and that second read can get a path containing the forbidden characters past the security control.

How the Exploit Works

The exploitation technique requires multiple coordinated steps. First, attackers start the Remote Access Connection Manager service (RasMan) and create a cloud file sync root using the Cloud Files API.

Next, they connect to the Cloud Files Filter driver through DeviceIoControl calls and establish a communication port with the filter manager.

The attacker then creates a thread that continuously modifies the path string, flipping it between an innocent filename and a path that resolves, through a symbolic link, into a system directory such as C:\Windows\System32.

While one thread performs file-creation operations, another thread rapidly modifies the memory location, exploiting the race condition window between the security check and file creation.
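The following C program is an added illustration of the check-then-use pattern described above and of the racing thread in the exploit steps; it is not code from the SSD advisory, the exploit, or Microsoft's driver. The structure name, the sync root, the hook type and the swapped-in path are constructed for the example; they are not identifiers from cldflt.sys. The racing thread is replaced by a hook that fires exactly once in the window between check and use, so the outcome is deterministic. It shows the vulnerable double fetch beside the fix (copy the name into driver-owned memory once, then validate and use only the copy).

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a double-fetch in a placeholder-create handler.
 * placeholder_request, SYNC_ROOT and race_hook are invented for this
 * example; they are not names from cldflt.sys. */

#define MAX_PATH_LEN 260
#define SYNC_ROOT "C:\\SyncRoot"

/* Caller-owned buffer: the "driver" reads the relative file name from it. */
typedef struct {
    char path[MAX_PATH_LEN];
} placeholder_request;

/* Stands in for the racing user-mode thread: invoked once in the window
 * between the validation check and the use, it may overwrite the buffer. */
typedef void (*race_hook)(placeholder_request *req);

/* The check the article describes: reject backslashes and colons so the
 * relative name cannot leave the sync root or name a device/drive path. */
static int name_is_safe(const char *name)
{
    return name[0] != '\0' && strpbrk(name, "\\:") == NULL;
}

/* Vulnerable pattern: validate the caller's buffer, then read it AGAIN when
 * building the final path. Anything written to req->path in between reaches
 * the file operation unchecked. */
int create_placeholder_vulnerable(placeholder_request *req, race_hook race,
                                  char *out, size_t outlen)
{
    if (!name_is_safe(req->path))              /* time of check: fetch #1 */
        return -1;
    if (race)
        race(req);                             /* racing thread lands here */
    snprintf(out, outlen, "%s\\%s", SYNC_ROOT, req->path); /* use: fetch #2 */
    return 0;
}

/* Fixed pattern: copy the name into driver-owned memory exactly once, then
 * validate and use only that copy. The caller may still scribble on
 * req->path during the window; there is no second fetch to poison. */
int create_placeholder_fixed(placeholder_request *req, race_hook race,
                             char *out, size_t outlen)
{
    char local[MAX_PATH_LEN];
    memcpy(local, req->path, MAX_PATH_LEN);
    local[MAX_PATH_LEN - 1] = '\0';
    if (!name_is_safe(local))
        return -1;
    if (race)
        race(req);                             /* same window, now harmless */
    snprintf(out, outlen, "%s\\%s", SYNC_ROOT, local);
    return 0;
}

/* Helper: zero the request and set the file name. */
static void set_name(placeholder_request *req, const char *name)
{
    memset(req, 0, sizeof *req);
    strncpy(req->path, name, MAX_PATH_LEN - 1);
}

/* Attacker's write: swap the benign name for an absolute path into System32
 * (constructed value, modelled on the DLL name the article mentions). */
void swap_to_system32(placeholder_request *req)
{
    set_name(req, "C:\\Windows\\System32\\rasmxs.dll");
}

/* Returns 1 if the final path is not a single component under SYNC_ROOT. */
int escaped_sync_root(const char *final_path)
{
    size_t prefix_len = strlen(SYNC_ROOT) + 1;       /* root plus separator */
    if (strncmp(final_path, SYNC_ROOT "\\", prefix_len) != 0)
        return 1;
    return strpbrk(final_path + prefix_len, "\\:") != NULL;
}

int main(void)
{
    placeholder_request req;
    char out[512];

    set_name(&req, "benign.txt");
    create_placeholder_vulnerable(&req, swap_to_system32, out, sizeof out);
    printf("vulnerable: %s (escaped=%d)\n", out, escaped_sync_root(out));

    set_name(&req, "benign.txt");
    create_placeholder_fixed(&req, swap_to_system32, out, sizeof out);
    printf("fixed:      %s (escaped=%d)\n", out, escaped_sync_root(out));
    return 0;
}
```

In the real exploit the hook is a second thread spinning on the buffer while the first thread issues placeholder-create requests, and only some iterations land the write inside the window; the model above forces the interleaving so the bypass is visible on every run. The fix is the standard one for any kernel double fetch: capture user-supplied input into kernel-owned memory once, and never touch the user buffer again after validation.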

CVE ID: CVE-2025-55680
Vulnerability Type: Privilege Escalation
Affected Component: Windows Cloud Files Mini Filter Driver (cldflt.sys)
CVSS Score: 7.8

When the timing aligns, the kernel-mode driver creates the file at the attacker-chosen location on the caller's behalf, bypassing the access controls that would block a direct write from the attacker's user-mode process.

Attackers weaponize this by writing a malicious DLL, such as rasmxs.dll, into a protected system directory and then using RPC calls to make a privileged service load the planted library, resulting in complete system compromise, as reported by SSD Secure Disclosure.

This vulnerability represents a serious privilege escalation risk for Windows systems. The attack requires local access, that is, the ability to run code as an ordinary user on the machine, but delivers full privilege escalation.

Any authenticated user can potentially exploit this flaw to gain SYSTEM-level privileges and maintain persistence through legitimate system processes.

Organizations running vulnerable Windows versions should prioritize patching immediately, as the exploitation technique is straightforward and reliable.


The post Windows Cloud Files Mini Filter Driver Vulnerability Exploited to Escalate Privileges appeared first on Cyber Security News.

rssfeeds-admin
