Microsoft addressed a critical race condition vulnerability affecting its Windows Cloud Files Minifilter driver in October 2025.
The flaw, assigned CVE-2025-55680, was originally discovered in March 2024 and represents a significant security concern for systems utilising OneDrive and similar cloud synchronisation services.
| Attribute | Details |
| --- | --- |
| CVE Identifier | CVE-2025-55680 |
| Vulnerability Type | Race Condition (TOCTOU) |
| Affected Component | cldflt.sys (Windows Cloud Files Minifilter) |
The vulnerability resides in the HsmpOpCreatePlaceholders() function of the cldflt.sys driver, which manages placeholder file creation in synchronised cloud directories.
This race condition creates a narrow but exploitable window where attackers can bypass filename validation checks and create files anywhere on the system, effectively achieving privilege escalation.
Technical Exploitation Method
The vulnerability stems from how the Windows Cloud Files Minifilter validates filenames before creating placeholder files.
When a user requests placeholder creation through the CfCreatePlaceholders API, the kernel driver validates that filenames do not contain backslash or colon characters, a check implemented following the earlier CVE-2020-17136 patch.
However, a critical timing gap exists between this validation step and the actual file creation operation through FltCreateFileEx2().
An attacker can exploit this window by modifying the filename after validation but before file creation, transforming a legitimate filename into a path traversal payload.
For example, by changing JUSTASTRING to JUSTASTRINGnewfile.dll after validation passes, the attacker can exploit junctions or symbolic links to create files in protected directories that would normally be inaccessible to the user.
This technique allows unauthorised file placement in system-critical locations, leading to privilege escalation.
The exploitation process involves several careful steps that take advantage of memory-mapping behaviour in the kernel.
When processing placeholder creation requests, the minifilter maps the userspace buffer containing placeholder information into the kernel virtual address space.
This mapping creates a shared memory region where user-mode applications can continue modifying data even after the kernel has validated it.
The attacker prepares a specially crafted placeholder creation request with a benign filename that passes validation checks.
Between the validation routine at the instruction marker and the file creation call at marker, the attacker rapidly modifies the filename string through the mapped memory region, inserting path traversal characters.
If the timing aligns correctly, the kernel creates the file using the modified path, writing to an arbitrary location.
Since FltCreateFileEx2() is invoked without symlink validation flags and uses kernel handle attributes, the operation completes with elevated privileges, bypassing normal user-mode access controls, as reported by Exodus Intelligence.
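The validate-then-use pattern described above, reduced to a deterministic user-space C simulation (an added example, not code from cldflt.sys or from Microsoft's patch). All names here (`shared_name`, `concurrent_writer`, `create_file` and the rest) are hypothetical, and the second function shows the general remedy for this class of double fetch: copy the input into private memory once, then validate and use only that copy.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64
/* Constructed stand-in for a buffer that user mode can still write to. */
static char shared_name[NAME_LEN];

/* The rule the article describes: reject backslash and colon. */
static int name_is_valid(const char *name) { return strpbrk(name, "\\:") == NULL; }

/* Simulates another thread changing the buffer between check and use. */
static void concurrent_writer(void) {
    char *p = strchr(shared_name, '_');
    if (p) *p = '\\';
}

/* Stand-in for the create call: records the name that would be used. */
static void create_file(const char *name, char *out) { snprintf(out, NAME_LEN, "%s", name); }

void set_shared_name(const char *s) { snprintf(shared_name, sizeof shared_name, "%s", s); }

/* Double fetch: validates shared memory, then reads it again at use time. */
int create_double_fetch(char *created) {
    if (!name_is_valid(shared_name)) return -1;
    concurrent_writer();                /* the race window */
    create_file(shared_name, created);  /* second read sees the changed bytes */
    return 0;
}

/* Capture first: one copy, then validate and use only the private copy. */
int create_captured(char *created) {
    char local[NAME_LEN];
    memcpy(local, shared_name, sizeof local);
    local[sizeof local - 1] = '\0';
    if (!name_is_valid(local)) return -1;
    concurrent_writer();                /* same write, no effect on local */
    create_file(local, created);
    return 0;
}

int main(void) {
    char out[NAME_LEN];
    set_shared_name("sync_report.txt");  /* constructed sample name */
    create_double_fetch(out);
    printf("double fetch used: %s\n", out);
    set_shared_name("sync_report.txt");
    create_captured(out);
    printf("captured used:     %s\n", out);
    return 0;
}
```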
The discovery of this vulnerability highlights the continued challenges in securing kernel-level file system drivers, particularly in scenarios involving shared memory between user and kernel space.
Organizations running Windows systems with Cloud Files Minifilter enabled should ensure their systems are fully updated with the October 2025 security patches to mitigate this risk effectively.