
Oct 20, 2025 • Exodus Intel VRT

Microsoft Windows Cloud Files Minifilter TOCTOU Privilege Escalation


Source
Exodus Intelligence
Category
other
Severity
low

Summary

By Michele Campa. In this blog post we take a look at a race condition we found in the Microsoft Windows Cloud Files Minifilter (cldflt.sys) in March 2024. The vulnerability was patched in October 2025 and assigned CVE-2025-55680. It occurs within the HsmpOpCreatePlaceholders() function, which is invoked when the CfCreatePlaceholders() function is issued by the user to create one or more new placeholder files or directories under a sync root directory tree.

Published Analysis

By Michele Campa

Overview

In this blog post we take a look at a race condition we found in the Microsoft Windows Cloud Files Minifilter (cldflt.sys) in March 2024. The vulnerability was patched in October 2025 and assigned CVE-2025-55680.

The vulnerability occurs within the HsmpOpCreatePlaceholders() function, which is invoked when the CfCreatePlaceholders() function is issued by the user to create one or more new placeholder files or directories under a sync root directory tree. Before the placeholder is created, HsmpOpCreatePlaceholders() validates the filename by checking whether the user-space buffer holding it contains the \ or : characters. This validation was introduced when CVE-2020-17136 was patched. Once the user-provided filename passes the check, the function calls FltCreateFileEx2() to create the file. Because the check is performed on the user-space buffer itself, there is a time window between filename validation and file creation in which a second user thread can rewrite the filename (the classic check-then-use, or double-fetch, pattern). A name containing \ or : swapped in after the check allows the user to create a file or directory anywhere on the system, leading to privilege escalation.

Background

Microsoft Cloud API

The sync engine is a service that syncs files and directories between the local host and a remote host, such as OneDrive. It uses the Cloud API implementation in cldapi.dll. [1]

The sync root folder is the root folder registered as a synced folder; all the files and directories nested under it are synced. Every file contained in the sync root directory exists in one of the following states:

  • Pinned full file – The file is hydrated, i.e. its content has been downloaded from the cloud explicitly by the user (e.g. from the Explorer context menu).
  • Full file – The file is kept hydrated, i.e. its content is continuously downloaded from the cloud so that the file stays up to date. If space is needed the download can be stopped.
  • Placeholder – The file is hydrated automatically by the sync provider when the user accesses it.

The file state is influenced by the hydration policy set on the sync root folder. The sync root folder and all its subfolders also behave differently according to the population policy set on the sync root folder.

The sync provider is responsible for initializing a directory as a sync root folder, using the CfRegisterSyncRoot() API implemented in cldapi.dll:

    HRESULT CfRegisterSyncRoot(
      [in] LPCWSTR                    SyncRootPath,
      [in] const CF_SYNC_REGISTRATION *Registration,
      [in] const CF_SYNC_POLICIES     *Policies,
      [in] CF_REGISTER_FLAGS          RegisterFlags
    );

The provider's information, such as name and version, is supplied in the Registration parameter, while the Policies parameter specifies the policies to apply to the folder and its nested files. The sync behavior depends strongly on the policies set. [2] Some of the policies are listed below:

  • CF_HYDRATION_POLICY: The hydration policy defines when a file is hydrated, i.e. filled with cloud data. For example, if the policy is set to CF_HYDRATION_POLICY_FULL the file or directory is fully downloaded when requested (even if only one byte has been requested). With CF_HYDRATION_POLICY_ALWAYS_FULL, dehydration operations (discarding the file content) fail.
  • CF_POPULATION_POLICY: The population policy defines how directories are populated, i.e. when the files contained in them are downloaded. For example, with CF_POPULATION_POLICY_ALWAYS_FULL the directory is kept in sync with the cloud directory contents. With CF_POPULATION_POLICY_FULL the directory is fully populated when the user navigates to it. Finally, with CF_POPULATION_POLICY_PARTIAL the directory is populated by downloading only the information requested by the user during navigation.

cldapi.dll is backed by the Cloud Files Minifilter driver, cldflt.sys, where all of this functionality is implemented through file system filter features.

Cloud Files Minifilter Driver

The Cloud Files Minifilter driver (cldflt.sys) is provided by Microsoft to expose file system functionality to cloud applications such as OneDrive. It is a file system filter driver and is registered with the Filter Manager by default. It is driven through I/O control codes and major function types. It registers callbacks for the following MajorFunction codes:

  • IRP_MJ_CREATE – File or directory create/open.
  • IRP_MJ_CLEANUP – File or directory...
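The check-then-use window described in the Overview, reduced to a user-mode model. This is an added example, not code from Exodus Intelligence or Microsoft: create_placeholder_unsafe() and create_placeholder_safe() are hypothetical stand-ins for the vulnerable and capture-once shapes of HsmpOpCreatePlaceholders(), filename_is_allowed() models the \ and : check the post attributes to the CVE-2020-17136 fix, open_file() stands in for FltCreateFileEx2(), and the sync root path, the benign filename and the attacker payload are constructed. Instead of racing real threads, a race_hook_t callback (an assumption of this model) runs in the gap between check and use, so the outcome is deterministic and the difference between the two shapes is visible on every run.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64

/* Kernel-side state: the sync root every placeholder must stay under (constructed path). */
static const char SYNC_ROOT[] = "C:\\Users\\victim\\OneDrive";

/* Model of the filename check added for CVE-2020-17136: no path separators, no colons. */
static bool filename_is_allowed(const char *name, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (name[i] == '\\' || name[i] == ':')
            return false;
    return true;
}

/* Stand-in for FltCreateFileEx2(): record the path that would be created. */
static void open_file(const char *name, size_t len, char *out, size_t outsz)
{
    snprintf(out, outsz, "%s\\%.*s", SYNC_ROOT, (int)len, name);
}

/* Hypothetical hook standing in for the second user thread that wins the race. */
typedef void (*race_hook_t)(char *user_buf, size_t len);

/* Vulnerable shape: the check and the use both read the user-controlled buffer. */
int create_placeholder_unsafe(char *user_buf, size_t len, race_hook_t hook,
                              char *created, size_t created_sz)
{
    if (!filename_is_allowed(user_buf, len))        /* fetch #1: this content is validated */
        return -1;
    if (hook)
        hook(user_buf, len);                        /* the window: the name is rewritten */
    open_file(user_buf, len, created, created_sz);  /* fetch #2: this content never was */
    return 0;
}

/* Hardened shape: capture the name once, then check and use only the private copy. */
int create_placeholder_safe(char *user_buf, size_t len, race_hook_t hook,
                            char *created, size_t created_sz)
{
    char kbuf[MAX_NAME];
    if (len > sizeof kbuf)
        return -1;
    memcpy(kbuf, user_buf, len);                    /* single fetch from user memory */
    if (!filename_is_allowed(kbuf, len))
        return -1;
    if (hook)
        hook(user_buf, len);                        /* user buffer changes, kbuf does not */
    open_file(kbuf, len, created, created_sz);
    return 0;
}

/* Attacker's racing thread: swap in a traversal out of the sync root (constructed payload). */
void attacker_flip(char *user_buf, size_t len)
{
    static const char evil[] = "..\\..\\..\\..\\..\\Windows\\System32\\evil.dll";
    size_t n = strlen(evil) < len ? strlen(evil) : len;
    memcpy(user_buf, evil, n);
}

/* True if the path the modelled kernel would create is no longer confined to the sync root. */
bool escaped_sync_root(const char *created)
{
    return strstr(created, "..\\") != NULL;
}

/* Run one variant against a benign request while the attacker races it.
 * Returns 1 if the attacker escaped the sync root, 0 if confined, -1 if rejected. */
int simulate(int (*variant)(char *, size_t, race_hook_t, char *, size_t))
{
    char user_buf[MAX_NAME] = "report-2024-03-final-draft-version-1.txt"; /* constructed, 40 chars */
    char created[256];
    if (variant(user_buf, strlen(user_buf), attacker_flip, created, sizeof created) != 0)
        return -1;
    printf("%s\n", created);
    return escaped_sync_root(created) ? 1 : 0;
}

/* Submit a name with no race at all; both shapes reject a name that fails the check. */
int request_direct(int (*variant)(char *, size_t, race_hook_t, char *, size_t),
                   const char *name)
{
    char user_buf[MAX_NAME];
    char created[256];
    if (strlen(name) >= sizeof user_buf)
        return -1;
    strcpy(user_buf, name);
    return variant(user_buf, strlen(user_buf), NULL, created, sizeof created);
}

int main(void)
{
    printf("unsafe: %d\n", simulate(create_placeholder_unsafe));
    printf("safe:   %d\n", simulate(create_placeholder_safe));
    return 0;
}
```

The unsafe variant prints a path under System32 although the name it validated was benign; the hardened variant creates the benign file and, like the unsafe one, rejects the payload when it is submitted directly. The property that matters is not the size of the window but that user memory is read twice: any kernel path that validates user-supplied data in place and then reads it again is exposed, and the fix is to capture the data into kernel memory once and operate only on that copy.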

Linked Entities

  • CVE-2020-17136
  • CVE-2025-55680