CVE-2025-55680 (CVSS 7.8): Windows Cloud Files Mini Filter Driver Elevation of Privilege
Key Takeaways:
- CVE-2025-55680 is a local privilege escalation vulnerability in the Windows Cloud Files Mini Filter driver (cldflt.sys).
- Successful exploitation allows a low-privileged user to gain SYSTEM-level privileges.
- Microsoft addressed this vulnerability in its October 2025 Patch Tuesday release.
- Prioritize patching and implement monitoring rules to detect anomalous file creation.
Table of Contents:
- CVE-2025-55680 (CVSS 7.8): Windows Cloud Files Mini Filter Driver Elevation of Privilege
- Vulnerability Details: CVE-2025-55680
- Exploitation
- Impact
- Mitigation
- Practical Takeaways and Actionable Advice
- PurpleOps and CVE-2025-55680
- FAQ
A local privilege escalation vulnerability, identified as CVE-2025-55680 (CVSS score of 7.8), has been discovered in Microsoft’s Cloud Files Mini Filter driver (cldflt.sys). The flaw affects supported Windows client and server releases that have not received the October 2025 security update. It resides in how the driver handles the creation of placeholder files, the mechanism cloud storage services such as OneDrive and SharePoint use to represent files that have not yet been downloaded to disk.
Vulnerability Details: CVE-2025-55680
The vulnerability, discovered by Exodus Intelligence, stems from a time-of-check-time-of-use (TOCTOU) race condition within the HsmpOpCreatePlaceholders() function of cldflt.sys. This function is responsible for validating and creating placeholder files when the Cloud Files API (CfCreatePlaceholders) is invoked. The Cloud Files API is a mechanism used by services such as OneDrive and SharePoint sync engines.
The core issue lies in the time gap between when the driver validates a filename and when it actually creates the corresponding file. Specifically, HsmpOpCreatePlaceholders() first checks the user-supplied filename to ensure it contains neither a backslash (\) nor a colon (:), characters that could redirect the file creation outside the intended directory. After this validation, the driver creates the file with FltCreateFileEx2().
However, a window exists between the validation and the file creation. Because the kernel maps the user-supplied buffer into its own address space with MmMapLockedPagesSpecifyCache() rather than copying it, the check and the later use read the same physical pages, and a low-privileged attacker who rewrites the filename inside that window changes what the driver passes to FltCreateFileEx2(). This is the double-fetch form of a TOCTOU bug; the safe pattern is to copy the input once into kernel-owned memory and to validate and use only that copy.
This lets a malicious actor inject backslashes into the already-validated filename just before the FltCreateFileEx2() call. The name then descends into a subdirectory of the sync root, and if that subdirectory is an NTFS junction or symbolic link the file is created wherever it points, including protected directories such as C:\Windows\System32. From there, local privilege escalation (LPE) follows through DLL side-loading (search-order hijacking) by a privileged service.
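The check-then-use pattern and its fix, modelled in user space as an added example (this is not code from cldflt.sys, from Exodus Intelligence or from this page's author). A single shared buffer stands in for the user pages the driver maps with MmMapLockedPagesSpecifyCache(); a hook called between the check and the use stands in for the scheduler window that the exploit's second thread races into. The names SyncRoot, Junction, benign.dll and evil.dll are placeholders chosen for the example.

```c
/*
 * Added example, not code from cldflt.sys or from the original write-up:
 * a user-space model of the check-then-use (double-fetch) bug and its fix.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64
#define PATH_LEN 128
#define SYNC_ROOT "SyncRoot\\"   /* placeholder for the registered sync root */

/* One buffer visible to both "kernel" and "attacker": this models the user
 * pages that the driver maps into its own address space instead of copying. */
static char shared_name[NAME_LEN];

/* The driver's check as described above: the name may contain neither '\' nor ':'. */
static bool name_is_valid(const char *name)
{
    return strchr(name, '\\') == NULL && strchr(name, ':') == NULL;
}

/* Whatever runs between the check and the use. In the real attack this is a
 * second thread rewriting the buffer; here it is an explicit hook so the
 * outcome is deterministic. */
typedef void (*window_hook_t)(void);

/* VULNERABLE pattern: validate the shared buffer, then read it a second time. */
static bool create_placeholder_vulnerable(char *out, size_t n, window_hook_t in_window)
{
    if (!name_is_valid(shared_name))               /* time of check: first fetch */
        return false;
    if (in_window)
        in_window();                               /* the race window            */
    snprintf(out, n, SYNC_ROOT "%s", shared_name); /* time of use: second fetch  */
    return true;
}

/* FIXED pattern: fetch once into private memory, then check and use the copy.
 * The attacker can still scribble on shared_name; nothing reads it any more. */
static bool create_placeholder_fixed(char *out, size_t n, window_hook_t in_window)
{
    char captured[NAME_LEN];
    memcpy(captured, shared_name, NAME_LEN);       /* single fetch               */
    captured[NAME_LEN - 1] = '\0';
    if (!name_is_valid(captured))
        return false;
    if (in_window)
        in_window();
    snprintf(out, n, SYNC_ROOT "%s", captured);
    return true;
}

/* A '\' or ':' in the part after the sync root means the create descends into a
 * subdirectory; in the attack that subdirectory is a junction to System32. */
static bool path_escapes_sync_root(const char *path)
{
    const char *name = path + strlen(SYNC_ROOT);
    return strchr(name, '\\') != NULL || strchr(name, ':') != NULL;
}

/* The attacker's move inside the window: replace the validated name with one
 * that traverses the junction. "Junction" and "evil.dll" are made-up names. */
static void attacker_rewrites_name(void)
{
    strcpy(shared_name, "Junction\\evil.dll");
}

/* One attempt against either implementation. Returns true if the path that the
 * "driver" would hand to FltCreateFileEx2() ends up outside the sync root. */
static bool attempt(bool (*create)(char *, size_t, window_hook_t))
{
    char path[PATH_LEN];
    strcpy(shared_name, "benign.dll");             /* passes validation */
    if (!create(path, sizeof path, attacker_rewrites_name))
        return false;
    return path_escapes_sync_root(path);
}

int main(void)
{
    printf("vulnerable: escaped sync root = %s\n",
           attempt(create_placeholder_vulnerable) ? "yes" : "no");
    printf("fixed:      escaped sync root = %s\n",
           attempt(create_placeholder_fixed) ? "yes" : "no");
    return 0;
}
```

The hardened version is the general rule for any kernel code that validates caller-supplied memory: capture it once into memory the caller cannot reach, then never touch the caller's pages again. Injecting the rewrite through a hook keeps the demonstration deterministic; the real exploit gets the same effect by having other threads overwrite the buffer in a loop until the scheduler lands one write inside the window.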

Exploitation
The exploitation process involves a coordinated sequence of actions:
- Setup: The attacker first registers a new sync-root directory using the CfRegisterSyncRoot() API. They then create a subdirectory within this sync root, configuring it as a junction point that redirects to a privileged location, such as C:\Windows\System32.
- Trigger the Race: Multiple threads are launched, repeatedly issuing CfCreatePlaceholders() requests. Simultaneously, other threads actively modify the filename buffer in memory to inject the backslash characters.
- Privilege Escalation: If the race condition is successfully exploited, the driver will follow the junction and create a malicious DLL file within the System32 directory.
- Execution: A legitimate Windows service then loads this rogue DLL, leading to SYSTEM-level code execution.
Because the create is issued by the kernel driver rather than by the attacker's own process, the attacker ends up with a file in a directory their own token could not write to. That is what makes the DLL side-loading step work: many Windows services load DLLs from System32 with SYSTEM privileges, so a planted DLL executes as SYSTEM.
Impact
The successful exploitation of CVE-2025-55680 allows a low-privileged user to gain SYSTEM-level privileges, essentially taking complete control of the affected system. This can lead to:
- Installation of malware, including ransomware and spyware.
- Data theft and exfiltration.
- System corruption and denial of service.
- Lateral movement to other systems within the network.
Enterprises that use OneDrive Files On-Demand or SharePoint sync have the Cloud Files stack in daily use, but note that cldflt.sys is an inbox Windows component and the exploit registers its own sync root, so the attack does not depend on any cloud-sync client being installed.
Mitigation
Microsoft addressed CVE-2025-55680 in its October 2025 Patch Tuesday release. Applying the latest Windows security updates is crucial to mitigate this vulnerability.
Practical Takeaways and Actionable Advice
- For System Administrators:
- Patch Immediately: Prioritize the deployment of the October 2025 security updates from Microsoft on all Windows systems, especially servers.
- Review Cloud Storage Configurations: Examine configurations for OneDrive, SharePoint, and other software that registers sync roots through the Cloud Files API, and know which hosts have the CldFlt filter loaded (fltmc filters, run elevated, lists it). Keep in mind that a low-privileged user can register a sync root of their own with CfRegisterSyncRoot(), so configuration review reduces exposure but does not close the hole; only the patch does.
- Monitor File System Activity: Alert on file creation in C:\Windows\System32 and other system directories by processes that are not part of Windows servicing or a known installer. Sysmon Event ID 11 (FileCreate) and Windows Security auditing (Event ID 4663 with a SACL on the directory) both record the process that requested the create. New or modified DLLs in those directories are the artefacts to watch for this CVE.
- Implement Least Privilege: Enforce the principle of least privilege, ensuring that users only have the minimum necessary access rights to perform their tasks. This limits the potential impact of a successful exploit.
- For Security Teams:
- Update Threat Intelligence: Incorporate CVE-2025-55680 into your threat intelligence feeds and vulnerability scanning tools.
- Conduct Penetration Testing: Perform penetration testing to identify and validate potential exploitation paths for this vulnerability in your environment. Red team operations can simulate real-world attack scenarios.
- Improve Breach Detection: Enhance detection of post-exploitation activity such as lateral movement and data exfiltration, and feed indicators of compromise from a threat intelligence platform into the tooling that alerts on unauthorized access.
- Supply-Chain Risk Monitoring: The fix lives in cldflt.sys, not in the sync clients, so third-party applications that use the Cloud Files API do not need a vendor update for this CVE. Still inventory that software, since those are the hosts where the Cloud Files stack is in active use and where a planted DLL is most likely to go unnoticed.
- For End Users:
- Keep Software Updated: Ensure that your operating system and applications are always up-to-date with the latest security patches.
- Be Cautious of Suspicious Files: Avoid downloading or executing files from untrusted sources.
- Report Suspicious Activity: If you notice any unusual system behavior, report it to your IT department immediately.
PurpleOps and CVE-2025-55680
PurpleOps provides services that can help organizations protect against vulnerabilities like CVE-2025-55680. Our offerings include:
- Cyber Threat Intelligence: We offer a comprehensive cyber threat intelligence platform that provides real-time ransomware intelligence, dark web monitoring service, telegram threat monitoring, and underground forum intelligence. This allows organizations to stay ahead of emerging threats and proactively identify potential vulnerabilities. A live ransomware API helps integrate threat intelligence into existing security systems.
- Vulnerability Management: We can assist with vulnerability assessments and penetration testing to identify and remediate weaknesses in your systems, including those related to CVE-2025-55680. Our penetration testing and red team operations can simulate real-world attack scenarios, helping to identify and address vulnerabilities before they can be exploited.
- Breach Detection: Our breach detection services can help you identify and respond to security incidents quickly and effectively. Brand leak alerting and supply-chain risk monitoring can help detect and prevent data breaches.
- Managed Security Services: We offer managed security services to provide ongoing monitoring and protection for your systems.
To learn more about how PurpleOps can help you protect your organization from cyber threats, please visit our website: https://www.purple-ops.io/platform/ or contact us for a consultation: https://www.purple-ops.io/services/.
FAQ
Q: What is CVE-2025-55680?
A: CVE-2025-55680 is a local privilege escalation vulnerability in Microsoft’s Cloud Files Mini Filter driver (cldflt.sys) that allows a low-privileged user to gain SYSTEM-level privileges.
Q: Which Windows versions are affected?
A: Supported Windows client and server releases that have not installed the October 2025 security update.
Q: How can I mitigate this vulnerability?
A: Apply the latest Windows security updates from Microsoft’s October 2025 Patch Tuesday release.
Q: What services are most at risk?
A: Environments running OneDrive Files On-Demand or SharePoint sync have the Cloud Files stack in active use, but cldflt.sys ships with Windows and the exploit registers its own sync root, so any unpatched host is exposed regardless of which cloud-sync client is installed.
Q: What steps should system administrators take?
A: System administrators should prioritize patching, review cloud storage configurations, monitor file system activity, and enforce the principle of least privilege.