A privilege escalation flaw in the Windows Cloud Files Mini Filter Driver has been discovered, allowing local attackers to bypass file write protections and inject malicious code into system processes.
Security researchers have disclosed CVE-2025-55680, a high-severity privilege-escalation vulnerability in the Windows Cloud Files Mini Filter Driver.
The flaw exists in the Cloud Files Filter driver's (cldflt.sys) handling of file path validation during placeholder file creation operations.
Specifically, the vulnerability resides in the call chain: HsmFltProcessHSMControl → HsmFltProcessCreatePlaceholders → HsmpOpCreatePlaceholders.
Microsoft previously patched a similar file write vulnerability reported by Project Zero in 2020. However, the current implementation contains a critical logic flaw.
Microsoft's fix added a check that rejects backslash (\) and colon (:) characters in the supplied file path, in order to block symbolic link attacks. That validation check can be bypassed through a Time-of-Check Time-of-Use (TOCTOU) race condition.
Because the driver validates the path and then reads it again from the caller-supplied buffer, an attacker can modify the path string between the validation check and the actual file operation, allowing a malicious path to pass through the security control.
How the Exploit Works
The exploitation technique requires several coordinated steps. First, the attacker starts the Remote Access Connection Manager service (RasMan) and creates a cloud file sync root using the Cloud Files API.
Next, the attacker connects to the Cloud Files Filter driver via DeviceIoControl calls and establishes a communication port with the filter manager.
The attacker then creates a thread that repeatedly rewrites the path string in the request buffer, flipping it from an innocuous filename to a symbolic link that points at a system directory such as C:\Windows\System32.
While one thread issues placeholder-creation requests, the other rapidly toggles the buffer contents, so that with enough attempts the swap lands inside the window between the security check and the file creation.
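The following is an added illustration, not code from the advisory or from cldflt.sys, of the double-fetch pattern the article describes: a check that runs on a caller-controlled buffer and a use that re-reads that same buffer. The "driver" here is a user-mode stand-in; the racing thread is replaced by a callback that fires deterministically inside the check-to-use window, and the path strings and function names are hypothetical. The hardened variant captures the buffer once and validates the private copy, which is the standard fix for this class of bug.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF_LEN 260

/* Result of one simulated placeholder-create request. */
typedef struct {
    bool rejected;               /* validation refused the path            */
    char created[PATH_BUF_LEN];  /* the path the stand-in "driver" acted on */
} create_result;

/* Stand-in for the driver's validation (hypothetical): reject backslash and
 * colon so a relative name cannot leave the sync root or name an NTFS stream. */
static bool path_is_safe(const char *name) {
    return strpbrk(name, "\\:") == NULL;
}

/* Simulates whatever runs between check and use; in the real bug that is the
 * attacker's second thread scribbling over the shared buffer. */
typedef void (*window_hook)(char *user_buf);

/* VULNERABLE: validate the caller's buffer, then fetch it a second time. */
static create_result vulnerable_create(char *user_buf, window_hook hook) {
    create_result r = { false, "" };
    if (!path_is_safe(user_buf)) {            /* time of check (fetch #1) */
        r.rejected = true;
        return r;
    }
    if (hook) hook(user_buf);                 /* the TOCTOU window        */
    snprintf(r.created, sizeof r.created, "%s", user_buf); /* use (fetch #2) */
    return r;
}

/* HARDENED: copy once into driver-private memory; check and use the copy. */
static create_result hardened_create(char *user_buf, window_hook hook) {
    create_result r = { false, "" };
    char local[PATH_BUF_LEN];
    snprintf(local, sizeof local, "%s", user_buf); /* single fetch */
    if (!path_is_safe(local)) {
        r.rejected = true;
        return r;
    }
    if (hook) hook(user_buf);  /* caller may still race, but we never re-read */
    snprintf(r.created, sizeof r.created, "%s", local);
    return r;
}

/* Attacker's "winning" race: swap the innocent name for an escaping one.
 * The target path is a constructed example, not one from the advisory. */
static void swap_to_escape(char *user_buf) {
    strcpy(user_buf, "..\\..\\Windows\\System32\\payload.dll");
}

/* Returns 1 when the vulnerable path let the swapped name through. */
int demo_vulnerable_is_bypassed(void) {
    char buf[PATH_BUF_LEN] = "innocent.txt";
    create_result r = vulnerable_create(buf, swap_to_escape);
    return !r.rejected && strchr(r.created, '\\') != NULL;
}

/* Returns 1 when the hardened path still acted on the validated name. */
int demo_hardened_holds(void) {
    char buf[PATH_BUF_LEN] = "innocent.txt";
    create_result r = hardened_create(buf, swap_to_escape);
    return !r.rejected && strcmp(r.created, "innocent.txt") == 0;
}

/* Returns 1 when a plainly bad path is rejected without any race. */
int rejects_bad_path_without_race(void) {
    char buf[PATH_BUF_LEN] = "sub:stream";
    return vulnerable_create(buf, NULL).rejected ? 1 : 0;
}

int main(void) {
    printf("vulnerable bypassed: %d\n", demo_vulnerable_is_bypassed());
    printf("hardened holds:      %d\n", demo_hardened_holds());
    printf("static reject:       %d\n", rejects_bad_path_without_race());
    return 0;
}
```

In a real kernel the equivalent of `hardened_create` is to capture the user buffer once (after probing it) and never touch user memory again for that request; a check that passes on the first read proves nothing about what the second read will return.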
CVE ID | Vulnerability Type | Affected Component | CVSS Score
CVE-2025-55680 | Privilege Escalation | Windows Cloud Files Mini Filter Driver (cldflt.sys) | 7.8
When the timing aligns, the driver performs the file creation with kernel-mode privileges against the swapped-in path, bypassing the access controls that would stop the attacker's own process.
Attackers weaponize this by writing a malicious DLL, such as rasmxs.dll, into a protected system directory and then using RPC calls to make a privileged service load the planted library, resulting in full system compromise, as reported by SSD Secure Disclosure.
This vulnerability represents a serious privilege escalation risk for Windows systems. The attack requires local access but yields a complete escalation of privilege.
Any authenticated user can potentially exploit this flaw to gain SYSTEM-level privileges and maintain persistence through legitimate system processes.
Organizations running vulnerable Windows versions should prioritize patching immediately, as the exploitation technique is straightforward and reliable.
