Critical Privilege Escalation Vulnerability Discovered in Windows Cloud Files Mini Filter Driver
A newly identified privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver poses a significant threat: it permits local adversaries to bypass file write protections and inject malicious code into system processes.
The flaw, cataloged as CVE-2025-55680, has been classified by security researchers as a high-severity privilege escalation vulnerability affecting the Windows Cloud Files Mini Filter Driver.
This vulnerability originates from deficiencies in the Cloud Files Filter (cldsync.sys) driver, specifically regarding how it validates file paths during the creation of placeholder files.
At its core, the vulnerability is present in the execution path: HsmFltProcessHSMControl → HsmFltProcessCreatePlaceholders → HsmpOpCreatePlaceholders.
While Microsoft successfully patched a similar file write vulnerability brought to attention by Project Zero in 2020, the current iteration exhibits a crucial logical defect.
Even though Microsoft added safeguards that reject backslash (\) and colon (:) characters in file paths to thwart symbolic link attacks, the validation checks can be bypassed through a Time-of-Check Time-of-Use (TOCTOU) race condition.
Would-be attackers can modify the path string in kernel memory between the validation check and the actual file operation, so a path that passed the check is replaced by a malicious one before it is used.
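The defect the article describes is a classic double fetch: the driver validates a path string it reads from memory the caller can still write, then reads that memory a second time to perform the operation. The following C program is an added illustration of that pattern and of the fix (validate a private copy, then operate on the same copy); it is not code from cldsync.sys or from the disclosure, and every function, buffer and string value in it is constructed for this example. The racing thread is replaced by a callback invoked deterministically inside the check-to-use window, so the outcome is reproducible without real scheduling.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF_LEN 260

/* Stand-in for a path string that lives in memory the caller can still write
   while the driver is working on it (constructed for this example). */
static char g_shared_path[PATH_BUF_LEN];

void set_shared_path(const char *p)
{
    snprintf(g_shared_path, sizeof g_shared_path, "%s", p);
}

/* The kind of check the article describes: a placeholder name must not carry
   path separators or a colon, so it cannot escape the sync root or name a
   symbolic link. Hypothetical check, not the real driver's code. */
bool placeholder_name_is_safe(const char *p)
{
    return strchr(p, '\\') == NULL && strchr(p, '/') == NULL && strchr(p, ':') == NULL;
}

typedef void (*racer_fn)(void);

/* VULNERABLE pattern (CWE-367 / double fetch): the check reads the shared
   buffer, and the operation reads it again. `racer` stands in for the second
   thread; calling it here deterministically replaces the real timing race. */
int create_placeholder_toctou(racer_fn racer, char *out, size_t out_len)
{
    if (!placeholder_name_is_safe(g_shared_path))   /* first fetch: check */
        return -1;
    if (racer)
        racer();                                     /* buffer rewritten in the window */
    snprintf(out, out_len, "%s", g_shared_path);     /* second fetch: use */
    return 0;
}

/* FIXED pattern: fetch once into memory the caller cannot touch, validate
   that copy, and perform the operation on the same copy. */
int create_placeholder_fixed(racer_fn racer, char *out, size_t out_len)
{
    char local[PATH_BUF_LEN];
    snprintf(local, sizeof local, "%s", g_shared_path);  /* single fetch */
    if (!placeholder_name_is_safe(local))
        return -1;
    if (racer)
        racer();                                         /* rewrite no longer matters */
    snprintf(out, out_len, "%s", local);
    return 0;
}

/* Racing thread's action: swap the benign name for one containing the
   separators the check was meant to reject (constructed value). */
static void racer_rewrite_path(void)
{
    set_shared_path("..\\elsewhere\\not-a-placeholder.dll");
}

/* Run both variants from the same benign starting name. */
int run_vulnerable(char *out, size_t out_len)
{
    set_shared_path("report.txt");
    return create_placeholder_toctou(racer_rewrite_path, out, out_len);
}

int run_fixed(char *out, size_t out_len)
{
    set_shared_path("report.txt");
    return create_placeholder_fixed(racer_rewrite_path, out, out_len);
}

int main(void)
{
    char out[PATH_BUF_LEN];
    int rc = run_vulnerable(out, sizeof out);
    printf("vulnerable: rc=%d, operated on \"%s\"\n", rc, out);
    rc = run_fixed(out, sizeof out);
    printf("fixed:      rc=%d, operated on \"%s\"\n", rc, out);
    return 0;
}
```

The vulnerable variant reports success yet operates on a path containing the very separators its check rejected, which is exactly the outcome the article attributes to the driver. The fixed variant is the standard mitigation for double-fetch bugs in kernel code: capture caller-controlled input once, validate the captured copy, and never consult the original buffer again.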
Mechanics of the Exploit
The exploitation of this vulnerability necessitates a series of meticulously coordinated actions. Initially, attackers activate the Remote Access Service (rasman) and establish a cloud file synchronization root utilizing the Cloud Files API.
Following this, they connect to the Cloud Files Filter driver via DeviceIoControl calls, thus creating a communication port with the filter manager.
The attacker then generates a thread that incessantly alters a path string in kernel memory, transitioning it from a benign filename to a symbolic link that directs to sensitive directories such as C:\Windows\System32.
While one thread conducts file-creation tasks, a second thread swiftly modifies the corresponding memory location, taking advantage of the race condition that exists between the security checks and actual file creation.
| CVE ID | Vulnerability Type | Affected Component | CVSS Score |
|---|---|---|---|
| CVE-2025-55680 | Privilege Escalation | Windows Cloud Files Mini Filter Driver (cldsync.sys) | 7.8 |
When executed with precise timing, the driver may generate files with elevated kernel-mode access privileges, thereby circumventing conventional access controls.
Attackers can exploit this vulnerability to implant malicious DLL files, such as rasmxs.dll, into protected system directories. Using RPC calls, they can then compel privileged services to load the compromised library, culminating in full system compromise, as detailed by ssd-disclosure.
This vulnerability constitutes a severe risk of privilege escalation for Windows systems. Although exploitation requires local system access, it grants comprehensive escalation capabilities.
Any authenticated user could potentially manipulate this flaw to attain SYSTEM-level privileges, enabling ongoing persistence through legitimate system processes.
Organizations that operate vulnerable versions of Windows are urged to prioritize immediate patching, as the method of exploitation is both straightforward and reliable.
Source link: Cybersecuritynews.com.