Tuesday, March 17, 2026

Windows Cloud Files Driver Flaw Exploited To Gain Elevated Privileges

A critical vulnerability in Microsoft’s Windows Cloud Files Mini Filter Driver has been exploited to enable local privilege escalation, allowing attackers with limited access to gain SYSTEM-level control over affected systems.

Tracked as CVE-2025-55680, this time-of-check to time-of-use (TOCTOU) race condition was disclosed at the TyphoonPWN 2025 hacking competition, where it secured first place in the Windows category.

The flaw affects Windows versions prior to the October 2025 security updates and carries a CVSS v3.1 score of 7.8, highlighting its high severity for local authenticated users.

Discovery and Background

Security researchers uncovered CVE-2025-55680 during March 2024 investigations, but it remained unpatched until Microsoft’s October 2025 Patch Tuesday release on October 14.

The issue builds on a 2020 Project Zero report (CVE-2020-17136) involving arbitrary file writes in the Cloud Files driver, which handles synchronization for services like OneDrive.

Microsoft attempted to mitigate the earlier flaw by adding path validation code in the HsmFltProcessHSMControl function to block backslashes and colons, preventing symbolic link attacks.

However, this check runs on the caller-supplied path buffer before that memory is locked via MmProbeAndLockPages, creating a TOCTOU window in which the attacker can alter the path after validation but before the driver uses it.

The vulnerability's call chain, HsmFltProcessHSMControl -> HsmFltProcessCreatePlaceholders -> HsmpOpCreatePlaceholders, exposes the driver to race conditions during placeholder file creation in cloud-synced directories.

Discovered amid TyphoonPWN’s focus on real-world exploits, it demonstrates how kernel-mode file system mini-filters remain prime targets for elevation-of-privilege attacks in enterprise environments.

Technical Exploitation Breakdown

Attackers exploit the flaw by registering a sync root with CfRegisterSyncRoot, creating directories like C:\ProgramData\cldpwn, and setting up symbolic links via junctions and DOS device symlinks to target system files such as C:\Windows\System32\rasmxs.dll.

Using DeviceIoControl with IOCTL 0x903BC, they invoke CfCreatePlaceholders while a racing thread modifies the path buffer, changing "boo16.txt" to "boo\6.txt", a name that contains a forbidden character.

This bypasses the validation, so the driver calls FltCreateFileEx in kernel mode without access checks, yielding an arbitrary file write.
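The check-before-use ordering described above, as an added C model that is not code from the article or from Microsoft: a validator runs on a buffer the caller still shares, a hook stands in for the racing thread, and the hardened variant captures the path into private memory before checking it. All names and the "boo16.txt" buffer are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the check-then-use bug class above: a "driver" validates a
 * path that still lives in caller-controlled memory, and the caller rewrites it
 * between the check and the use. Names are illustrative, not cldflt.sys internals. */

#define PATH_BUF_LEN 64

/* Reject backslashes and colons, as the original mitigation did. */
bool path_is_clean(const char *p) { return strpbrk(p, "\\:") == NULL; }

/* Stands in for the race window: a concurrent caller thread overwriting the
 * shared buffer after validation but before the driver uses it. */
typedef void (*race_hook_t)(char *shared_buf);

/* Result codes: -1 rejected at check, 0 used a clean path, 1 used a tainted path. */
int vulnerable_create(char *shared_buf, race_hook_t hook) {
    if (!path_is_clean(shared_buf)) return -1;      /* check on caller memory */
    hook(shared_buf);                                /* window: caller mutates */
    return path_is_clean(shared_buf) ? 0 : 1;        /* use re-reads caller memory */
}

/* Hardened: capture once into private memory, then check and use only the copy. */
int hardened_create(char *shared_buf, race_hook_t hook) {
    char local[PATH_BUF_LEN];
    strncpy(local, shared_buf, sizeof local - 1);
    local[sizeof local - 1] = '\0';
    if (!path_is_clean(local)) return -1;
    hook(shared_buf);                                /* mutation cannot reach the copy */
    return path_is_clean(local) ? 0 : 1;
}

/* Constructed mutation mirroring the article's "boo16.txt" -> "boo\6.txt". */
void flip_to_separator(char *shared_buf) {
    char *hit = strstr(shared_buf, "16");
    if (hit) hit[0] = '\\';
}

/* Run one driver variant against a freshly constructed caller buffer. */
int run_case(int (*create)(char *, race_hook_t), const char *initial) {
    char buf[PATH_BUF_LEN];
    strncpy(buf, initial, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return create(buf, flip_to_separator);
}

int main(void) {
    printf("vulnerable: %d\n", run_case(vulnerable_create, "boo16.txt")); /* 1 */
    printf("hardened:   %d\n", run_case(hardened_create, "boo16.txt"));   /* 0 */
    return 0;
}
```

The vulnerable variant reports 1 because its second read of the shared buffer sees the separator inserted after the check passed; the hardened variant reports 0 because it only ever acts on its private copy.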

In the proof-of-concept, a low-privileged process starts the rasman service, connects via FilterConnectCommunicationPort, and loops placeholder creation while a concurrent thread alters memory.

Upon detecting the overwritten rasmxs.dll, the exploit copies a malicious DLL (test.dll) and loads it via RPC to RasMan’s LoadDeviceDLL, achieving escalation.

The full chain requires no user interaction but demands local execution, making it dangerous in multi-user or compromised scenarios.

Mitigation and Vendor Response

Microsoft has patched CVE-2025-55680 in the October 2025 updates, urging immediate deployment to block the race condition through enhanced synchronization in cldflt.sys.

Organizations should prioritize endpoint detection for anomalous driver interactions and enforce least-privilege policies via tools like AppLocker.

While no in-the-wild exploitation has been confirmed, the ease with which the race can be won under controlled conditions underscores the need for rapid patching in cloud-integrated Windows deployments.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
