A critical security flaw in Microsoft Windows Cloud Minifilter has been fixed, addressing a dangerous race condition that enabled attackers to gain elevated system privileges and write files to any location on affected systems.
The vulnerability, identified as CVE-2025-55680, was discovered by security researchers at Exodus Intelligence in March 2024 and subsequently patched by Microsoft in their October 2025 security updates.
This flaw represents a serious threat to Windows systems running cloud synchronization services.
Race Condition Enables Unrestricted File Creation
The security weakness exists within the Windows Cloud Minifilter driver, known as cldflt.sys, which provides essential file system capabilities for cloud-based applications such as OneDrive.
The vulnerability specifically affects the HsmpOpCreatePlaceholders() function during the processing of requests to create placeholder files in synchronized directories.
Placeholder files are special markers created by cloud sync services; when a user opens one, the service fetches its content from cloud storage on demand.
The problem arises from inadequate validation of filenames during the placeholder creation process.
When users request placeholder file creation, the system performs security checks to verify whether filenames contain prohibited characters like backslashes or colons.
However, researchers identified a critical timing gap between filename validation and actual file creation.
Attackers can exploit this narrow time window by modifying the filename in memory, effectively bypassing security controls.
Attackers can take advantage of this time-of-check/time-of-use (TOCTOU) weakness by running multiple execution threads simultaneously.
Some threads continuously request placeholder creation with legitimate-looking filenames, while other threads rapidly alter characters in the same filename buffer.
With precise timing, the malicious filename modification happens after validation completes but before file creation executes, permitting attackers to create files in restricted system directories like C:\Windows\System32.
By placing malicious DLL files in protected system folders, attackers can exploit DLL side-loading techniques to run arbitrary code with SYSTEM-level privileges.
This attack method requires only basic user privileges initially, making it especially concerning for multi-user systems.
The vulnerability impacts how the Cloud Files Minifilter driver handles the CfCreatePlaceholders() API function, which cloud sync providers use to generate placeholder files representing cloud-stored data.
The driver processes these requests through I/O control code 0x903BC with specific parameters for placeholder operations.
Security experts note this vulnerability relates to an earlier security issue, CVE-2020-17136, which Microsoft patched by implementing filename validation checks.
Unfortunately, those validation checks inspect the filename before it is used rather than on a private copy, and that check-then-use gap is the race condition behind CVE-2025-55680.
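The check-then-use gap described above, and the reason the earlier validation fix was not enough, can be shown in a small user-mode model. This is an added example, not the driver's code: it simulates the racing writer with a hook rather than a real thread, uses a constructed rule (reject backslash, slash, colon) and constructed names, and does not model the actual request format or IOCTL.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the check-then-use pattern; not cldflt.sys code. */
#define NAME_MAX 64

/* The validation rule from the text: no path separators, no drive colon. */
bool name_is_valid(const char *name) {
    return strpbrk(name, "\\/:") == NULL;
}

/* Stand-in for a racing thread: rewrites the caller-owned buffer in the window between check and use. */
typedef void (*race_hook)(char *shared_name);
void flip_name(char *shared_name) {
    strncpy(shared_name, "sub\\other.txt", NAME_MAX - 1);
    shared_name[NAME_MAX - 1] = '\0';
}

/* Vulnerable shape: validates the shared buffer, then reads it again. */
bool create_placeholder_vuln(char *shared_name, race_hook hook, char *out) {
    if (!name_is_valid(shared_name)) return false;
    if (hook) hook(shared_name);              /* the race window */
    strncpy(out, shared_name, NAME_MAX - 1);  /* re-reads the now-modified name */
    out[NAME_MAX - 1] = '\0';
    return true;
}

/* Hardened shape: capture the name once into private memory, validate and use only that copy. */
bool create_placeholder_fixed(char *shared_name, race_hook hook, char *out) {
    char local[NAME_MAX];
    strncpy(local, shared_name, NAME_MAX - 1);
    local[NAME_MAX - 1] = '\0';
    if (!name_is_valid(local)) return false;
    if (hook) hook(shared_name);              /* same window, no effect on 'local' */
    strncpy(out, local, NAME_MAX - 1);
    out[NAME_MAX - 1] = '\0';
    return true;
}

/* Each demo returns true when the behaviour named in its identifier occurs. */
bool demo_vuln_creates_prohibited_name(void) {
    char name[NAME_MAX] = "report.txt", out[NAME_MAX];
    return create_placeholder_vuln(name, flip_name, out) && !name_is_valid(out);
}
bool demo_fixed_uses_validated_name(void) {
    char name[NAME_MAX] = "report.txt", out[NAME_MAX];
    return create_placeholder_fixed(name, flip_name, out) && strcmp(out, "report.txt") == 0;
}
```

The same principle applies in the kernel: a request buffer that user mode can still write to must be captured (probed and copied) before any check whose result is trusted.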
System administrators must ensure Windows systems receive the October 2025 security updates immediately to prevent exploitation.
Organizations using cloud synchronization services should prioritize patching systems that have a configured sync root directory, since a sync root is a precondition for a successful attack.
| CVE ID | Vulnerability Type | Affected Component | CVSS 3.1 Score | Impact |
|---|---|---|---|---|
| CVE-2025-55680 | Race Condition / Time-of-Check Time-of-Use (TOCTOU) | Microsoft Windows Cloud Minifilter (cldflt.sys) | 7.8 (High) | Privilege Escalation: arbitrary file creation leading to SYSTEM privileges |