Windows Cloud Files Mini Filter Driver Flaw Actively Exploited for Privilege Escalation

A critical privilege escalation vulnerability has been discovered in the Windows Cloud Files Mini Filter Driver, designated CVE-2025-55680.

The flaw is a time-of-check to time-of-use (TOCTOU) race condition that bypasses the driver's file write restrictions, enabling a local attacker to gain unauthorized system-level access.

Technical Vulnerability Details

The vulnerability traces back to the fix for a 2020 Project Zero disclosure: that fix attempted to prevent symbolic link attacks by rejecting paths containing backslashes and colons.

However, researchers discovered that the path string is validated while it still sits in user-space memory, before kernel-mode processing uses it, creating a critical window between the check and the use.

An attacker can modify that memory between the security check and the actual file operation, so the rejected-character check is bypassed entirely.
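The check-then-use window described above is the classic double-fetch pattern: a privileged handler validates a string in a buffer the caller still controls, then reads the buffer a second time for the real operation. The following C program is an added illustration written for this article, not code from the affected driver or from the disclosure; the policy check (reject backslashes and colons), the handler names, the race hook that stands in for the attacker's thread, and the sample paths are all constructed. It contrasts the vulnerable handler with the hardened form, which copies the buffer once into private memory and validates and uses only that copy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 128

/* Constructed policy check mirroring the one the article describes: reject
 * any path containing a backslash or a colon.  Hypothetical helper. */
static bool path_is_allowed(const char *path)
{
    return strchr(path, '\\') == NULL && strchr(path, ':') == NULL;
}

/* The racing thread from the article, made deterministic: a hook that runs
 * in the window between the check and the use and rewrites the shared buffer. */
typedef void (*race_hook_t)(char *shared_buf);

static void copy_path(char *dst, const char *src)
{
    strncpy(dst, src, PATH_MAX_LEN - 1);
    dst[PATH_MAX_LEN - 1] = '\0';
}

/* Vulnerable pattern: validate the caller-owned buffer, then fetch it again
 * for the real operation.  The second fetch may see a different string.
 * On success, out_used receives the path the operation actually acted on. */
static bool create_placeholder_vulnerable(char *shared_buf, race_hook_t hook,
                                          char *out_used)
{
    if (!path_is_allowed(shared_buf))      /* time of check: first fetch */
        return false;
    if (hook)
        hook(shared_buf);                  /* race window */
    copy_path(out_used, shared_buf);       /* time of use: second fetch */
    return true;
}

/* Hardened pattern: capture the buffer once into memory the caller cannot
 * modify, then validate and operate only on that private copy. */
static bool create_placeholder_hardened(char *shared_buf, race_hook_t hook,
                                        char *out_used)
{
    char private_copy[PATH_MAX_LEN];
    copy_path(private_copy, shared_buf);   /* single fetch */
    if (!path_is_allowed(private_copy))
        return false;
    if (hook)
        hook(shared_buf);                  /* caller's later edits no longer matter */
    copy_path(out_used, private_copy);
    return true;
}

/* Constructed swap used by the scenarios below: replace the benign name with a
 * path that would have failed the check. */
static void swap_to_rejected_path(char *shared_buf)
{
    copy_path(shared_buf, "..\\outside\\escaped.txt");
}

/* Returns true if the handler ended up operating on a path the policy forbids. */
static bool escaped_policy(bool (*handler)(char *, race_hook_t, char *))
{
    char shared_buf[PATH_MAX_LEN];
    char used[PATH_MAX_LEN] = "";
    copy_path(shared_buf, "placeholder.txt");         /* passes the check */
    bool ok = handler(shared_buf, swap_to_rejected_path, used);
    return ok && !path_is_allowed(used);
}

bool vulnerable_handler_escapes(void)
{
    return escaped_policy(create_placeholder_vulnerable);
}

bool hardened_handler_escapes(void)
{
    return escaped_policy(create_placeholder_hardened);
}

/* A rejected path submitted directly is refused by the hardened handler. */
bool hardened_rejects_bad_path(void)
{
    char shared_buf[PATH_MAX_LEN];
    char used[PATH_MAX_LEN] = "";
    copy_path(shared_buf, "..\\outside\\escaped.txt");
    return !create_placeholder_hardened(shared_buf, NULL, used);
}

int main(void)
{
    printf("vulnerable handler acted on a forbidden path: %s\n",
           vulnerable_handler_escapes() ? "yes" : "no");
    printf("hardened handler acted on a forbidden path:   %s\n",
           hardened_handler_escapes() ? "yes" : "no");
    return 0;
}
```

The hook replaces a real thread so the outcome is reproducible, but the lesson is the same one reviewers apply to any kernel-mode or service-side handler that consumes caller-supplied buffers: every field must be captured exactly once, and both the validation and the operation must run against that captured copy.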

The exploitation chain involves the Cloud Files API function HsmFltProcessHSMControl, which calls HsmFltProcessCreatePlaceholders, ultimately reaching HsmpOpCreatePlaceholders.

When a path passes initial validation but gets swapped to a symbolic link target during the kernel call, the system creates files in protected system directories with kernel-mode access privileges.

This allows arbitrary DLL injection into system processes like the RAS service.

The attack unfolds through four precise steps. First, attackers register a Cloud Files sync root and create directory junctions pointing to system locations.

Second, they establish communication ports with the Cloud Files filter driver.

Third, they spawn threads that continuously race between submitting placeholder creation requests and modifying memory buffers to swap legitimate paths with symlink targets.

Finally, once a malicious DLL lands in system directories, it leverages RPC calls to force privileged services to load the compromised code, completing the privilege escalation.

Attribute             Details
CVE ID                CVE-2025-55680
Vulnerability Type    Privilege Escalation
Affected Component    Windows Cloud Files Mini Filter Driver
CVSS v3.1 Score       7.8 (High)
Attack Vector         Local
Impact                Complete System Compromise
Patch Status          Available

Microsoft has released patches addressing this vulnerability through its standard update channels. Organizations should prioritize deploying these patches immediately, as the attack requires only local system access and no user interaction.

The threat level remains significant given the direct path to system-level privileges and the public availability of detailed exploit code from the TyphoonPWN competition winner.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
