Windows Cloud Files Mini Filter Driver Vulnerability Exploited To...

A privilege escalation flaw in Windows Cloud Files Mini Filter Driver has been discovered, allowing local attackers to bypass file write protections and inject malicious code into system processes.

Security researchers have uncovered CVE-2025-55680, a high-severity privilege-escalation vulnerability in the Windows Cloud Files Mini Filter Driver.

The flaw exists in the Cloud Files Filter (cldsync.sys) driver’s handling of file path validation during placeholder file creation operations.

Specifically, the vulnerability resides in the call chain: HsmFltProcessHSMControl → HsmFltProcessCreatePlaceholders → HsmpOpCreatePlaceholders.

Microsoft previously patched a similar file write vulnerability reported by Project Zero in 2020. However, the current implementation contains a critical logical flaw.

While Microsoft added code to reject backslash (\) and colon (:) characters in file paths, blocking the earlier symbolic link attacks, the validation check can be bypassed through a Time-of-Check Time-of-Use (TOCTOU) race condition.

Attackers can modify the path string in kernel memory between the validation check and the actual file operation, allowing malicious paths to pass through security controls.
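To make the bug class concrete from the defender's side, the following C program is an added example (not code from cldsync.sys or from the researchers) that contrasts the validate-then-reuse pattern the article describes with the capture-then-validate pattern that closes the window. All function names are hypothetical; the `race_hook_t` callback only stands in for a second thread running between the check and the use, and the check itself rejects exactly the two characters the page mentions, backslash and colon.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 260

/* Hook type used only to model the scheduling window between the check
 * and the use; in a real driver the "hook" is another thread running. */
typedef void (*race_hook_t)(char *shared);

/* The check the page describes: reject backslash and colon so a
 * placeholder name cannot be turned into a path or symbolic link target.
 * Hypothetical helper, not cldsync.sys code. */
static bool placeholder_name_is_safe(const char *name, size_t len)
{
    if (len == 0 || len >= MAX_NAME_LEN)
        return false;
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '\\' || name[i] == ':' || name[i] == '\0')
            return false;
    }
    return true;
}

/* Vulnerable shape: validate the shared buffer, then read it AGAIN for
 * the operation. Anything that rewrites `shared` in between defeats
 * the check, which is the TOCTOU pattern the page reports. */
int create_placeholder_toctou(char *shared, size_t len,
                              char *out, size_t outsz, race_hook_t during)
{
    if (!placeholder_name_is_safe(shared, len))
        return -1;                       /* time of check */
    if (during)
        during(shared);                  /* models the race window */
    if (len + 1 > outsz)
        return -1;
    memcpy(out, shared, len);            /* time of use: second read */
    out[len] = '\0';
    return 0;
}

/* Hardened shape: read the caller-controlled buffer exactly once into
 * memory the caller cannot touch, validate that copy, operate on that
 * copy. Later changes to `shared` can no longer matter. */
int create_placeholder_hardened(char *shared, size_t len,
                                char *out, size_t outsz, race_hook_t during)
{
    char captured[MAX_NAME_LEN];
    if (len >= sizeof captured || len + 1 > outsz)
        return -1;
    memcpy(captured, shared, len);       /* single read of shared memory */
    captured[len] = '\0';
    if (!placeholder_name_is_safe(captured, len))
        return -1;                       /* check the private copy */
    if (during)
        during(shared);                  /* same window, now harmless */
    memcpy(out, captured, len + 1);      /* use the validated copy */
    return 0;
}

/* Models a concurrent writer flipping the name into a path component. */
static void flip_first_char_to_backslash(char *shared)
{
    shared[0] = '\\';
}

/* Outcome codes: what actually reached the simulated file operation. */
enum outcome { REJECTED = 1, ACCEPTED_SAFE = 2, ACCEPTED_UNSAFE = 3 };

int run_scenario(const char *name, bool hardened, bool racing)
{
    char shared[MAX_NAME_LEN];
    char out[MAX_NAME_LEN];
    size_t len = strlen(name);
    if (len >= sizeof shared)
        return REJECTED;
    memcpy(shared, name, len + 1);
    race_hook_t hook = racing ? flip_first_char_to_backslash : NULL;
    int rc = hardened
        ? create_placeholder_hardened(shared, len, out, sizeof out, hook)
        : create_placeholder_toctou(shared, len, out, sizeof out, hook);
    if (rc != 0)
        return REJECTED;
    return placeholder_name_is_safe(out, strlen(out)) ? ACCEPTED_SAFE
                                                      : ACCEPTED_UNSAFE;
}

int main(void)
{
    /* "notes.txt" and "..\x:y" are constructed sample names. */
    printf("vulnerable, raced : %d\n", run_scenario("notes.txt", false, true));  /* 3 */
    printf("hardened,   raced : %d\n", run_scenario("notes.txt", true, true));   /* 2 */
    printf("either,  bad name : %d\n", run_scenario("..\\x:y", true, false));    /* 1 */
    return 0;
}
```

The point of the hardened variant is that the validated bytes and the used bytes are the same bytes: the input is copied once into memory the caller cannot reach, and both the check and the operation read that private copy. In a real Windows driver the single capture would additionally be done with the kernel's probe-and-copy discipline for user-accessible memory; the program above models only the ordering, which is what the reported flaw gets wrong.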

The exploitation technique requires multiple coordinated steps. First, attackers start the Remote Access Service (rasman) and create a cloud file sync root using the Cloud Files API.

Next, they connect to the Cloud Files Filter driver through DeviceIoControl calls and establish a communication port with the filter manager.

The attacker then creates a thread that continuously modifies a path string in kernel memory, changing it from an innocent filename to a symbolic link pointing to system directories like C:\Windows\System32.

CVE Details

Severity: HIGH
Affected Product: Windows
Attack Vector: local
Impact: privilege escalation