Microsoft has addressed a critical race condition vulnerability in its Windows Cloud Files Minifilter driver, identified as CVE-2025-55680, which allows local attackers to escalate privileges and create arbitrary files across the system.
The flaw was discovered by researchers at Exodus Intelligence in March 2024 and patched during Microsoft’s October 2025 Patch Tuesday updates, receiving a CVSS score of 7.8 due to its potential to grant SYSTEM-level access through DLL side-loading techniques.
While no widespread in-the-wild exploitation has been confirmed, security experts classify the vulnerability as “exploitation more likely” because of the straightforward nature of the time-of-check to time-of-use (TOCTOU) weakness present in the cldflt.sys driver.
Understanding The Cloud Files Minifilter
The Cloud Files Minifilter driver powers essential features like OneDrive’s Files On-Demand functionality, enabling seamless synchronization of cloud-stored files as local placeholders that hydrate when accessed.
These placeholders are registered through the CfRegisterSyncRoot API in cldapi.dll, where each sync root directory enforces a hydration policy (how a placeholder's content is downloaded) and a population policy (how a directory reveals its cloud contents).
Placeholders managed through IOCTL code 0x903BC can exist in various states, including pinned, full, or partial, with the minifilter handling operations such as creation via CfCreatePlaceholders.
The driver intercepts IRP major functions for file creation, reading, writing, and controlling operations, processing user requests in kernel mode to ensure secure cloud integration.
However, this tight coupling between user-space APIs and kernel handling introduces significant risks when validating inputs like filenames during placeholder creation, as highlighted by Exodus Intelligence researchers.
The vulnerability exists within the HsmpOpCreatePlaceholders function in cldflt.sys, which is triggered by CfCreatePlaceholders to build placeholders under a sync root.
The function initially probes and maps the user-supplied buffer containing the relative filename (relName) into kernel space using IoAllocateMdl and MmMapLockedPagesSpecifyCache, sharing physical memory between user and kernel views.
It then validates relName against forbidden characters such as backslash or colon, a safeguard that was added following CVE-2020-17136.
However, a critical timing window exists between this validation check and the subsequent FltCreateFileEx2 call that creates the file.
An attacker who can modify the mapped buffer after the check has passed can replace a single character, turning a name such as “JUSTASTRINGDnewfile.dll” into the path “JUSTASTRING\newfile.dll”, so that the driver creates the file beneath a pre-configured junction point that resolves to a privileged location such as C:\Windows\System32.
Because the create call is not issued with flags that refuse to follow symlinks, the file lands in the restricted directory and the normal permission controls are bypassed entirely.
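To show why the fix matters, here is an added example (not the driver's code and not Exodus Intelligence's) that models the check-then-use pattern described above in plain C: a user-controlled buffer is validated and then read again, with a hook standing in for a concurrent thread writing to the shared mapping during the window, beside the hardened form that snapshots the name into private memory before validating it. Every name in it (create_placeholder_vulnerable, rel_name_is_safe, the race hook) is an assumption of this simulation, not a cldflt.sys internal.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define REL_NAME_MAX 64
/* Stand-in for the FltCreateFileEx2 call: records the path that would be created. */
static char g_last_path[REL_NAME_MAX];
static void create_file_sink(const char *rel_name) {
    strncpy(g_last_path, rel_name, REL_NAME_MAX - 1);
    g_last_path[REL_NAME_MAX - 1] = '\0';
}
/* The check cldflt.sys applies to relName: no backslash, no colon. */
static bool rel_name_is_safe(const char *s) {
    return strchr(s, '\\') == NULL && strchr(s, ':') == NULL;
}
/* Models the race window: in the driver another thread can write to the shared
   user/kernel mapping between the check and the create call (assumed hook). */
typedef void (*race_hook_t)(char *shared_buf);
/* Vulnerable pattern (double fetch): check the shared mapping, then read it again. */
bool create_placeholder_vulnerable(char *shared_buf, race_hook_t race) {
    if (!rel_name_is_safe(shared_buf)) return false;   /* time of check */
    if (race) race(shared_buf);
    create_file_sink(shared_buf);                      /* time of use */
    return true;
}
/* Hardened pattern: snapshot the name into memory the user cannot reach, then
   validate and use only that copy; later changes to the mapping are inert. */
bool create_placeholder_hardened(char *shared_buf, race_hook_t race) {
    char private_copy[REL_NAME_MAX];
    strncpy(private_copy, shared_buf, REL_NAME_MAX - 1);
    private_copy[REL_NAME_MAX - 1] = '\0';
    if (!rel_name_is_safe(private_copy)) return false;
    if (race) race(shared_buf);
    create_file_sink(private_copy);
    return true;
}
/* Constructed race: the 'D' at index 11 becomes a backslash after the check. */
static void flip_separator(char *shared_buf) { shared_buf[11] = '\\'; }
/* Run one pattern under the race; true if a separator reached the create call. */
bool separator_reaches_create(bool (*pattern)(char *, race_hook_t)) {
    char buf[REL_NAME_MAX] = "JUSTASTRINGDnewfile.dll";   /* constructed input */
    pattern(buf, flip_separator);
    return strchr(g_last_path, '\\') != NULL;
}
int main(void) {
    printf("vulnerable leaks separator: %d\n", separator_reaches_create(create_placeholder_vulnerable));
    printf("hardened leaks separator:   %d\n", separator_reaches_create(create_placeholder_hardened));
    return 0;
}
```

The hardened version is the general cure for this bug class: any value fetched from memory the caller can still write to must be copied once, and every later check and use must operate on the copy.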
Successful exploitation requires low privileges but demands coordination of multiple threads: one monitors for file creation in System32, others repeatedly call CfCreatePlaceholders with benign payloads, and racer threads toggle the buffer byte to win the timing race.
Success allows attackers to drop a malicious DLL that can be hijacked by services in System32 for side-loading, ultimately yielding kernel-context code execution.
The attack setup involves registering a sync root and junction, with cleanup performed post-escalation.
Microsoft strongly urges immediate patching and emphasizes the importance of endpoint detection for anomalous file operations in cloud sync directories.
Enterprises should audit OneDrive usage patterns and enforce least-privilege policies to mitigate local threats.
As cloud reliance continues to grow, such kernel flaws underscore the critical perils of bridging user and system spaces in modern operating systems.
CVE-2025-55680 Technical Details
| Field | Details |
|---|---|
| CVE ID | CVE-2025-55680 |
| Affected Product | Microsoft Windows Cloud Files Minifilter Driver (cldflt.sys) |
| Affected Versions | All Windows versions supporting Cloud Files/OneDrive Files On-Demand |
| Vulnerability Type | Race Condition (Time-of-Check to Time-of-Use – TOCTOU) |
| CVSS 3.1 Score | 7.8 (High) |
| Attack Vector | Local |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Impact | Privilege Escalation to SYSTEM-level access via arbitrary file creation |
| Exploit Status | Exploitation More Likely (No confirmed in-the-wild exploitation) |
| Patch Status | Patched in October 2025 Patch Tuesday |
| Discovered By | Exodus Intelligence (March 2024) |