Microsoft has patched a serious security vulnerability in its Windows Cloud Files Minifilter driver, closing a loophole that could let attackers gain SYSTEM-level privileges on affected devices. The flaw, tracked as CVE-2025-55680, carries a CVSS 3.1 score of 7.8, marking it as a high-severity threat. While not yet widely exploited, researchers rate it "Exploitation More Likely," meaning attackers could weaponize it without much difficulty.
The Vulnerability: A Race Condition in the Cloud Files Minifilter
At the heart of this issue is a race condition inside cldflt.sys—the Cloud Files Minifilter driver used by Windows features such as OneDrive's Files On-Demand.
This driver allows files stored in the cloud to appear as placeholders on a user's local system, downloading them on demand when accessed. To make this work, Windows uses the CfCreatePlaceholders function, which manages file creation and synchronization.
The problem occurs during this placeholder creation process. A specific function, HsmpOpCreatePlaceholders, first validates the filename supplied by the user. However, there's a brief gap—known as a time-of-check to time-of-use (TOCTOU) window—between validation and file creation.
Attackers can exploit this moment to alter the filename buffer in memory, effectively redirecting the driver to write files into restricted directories such as C:\Windows\System32. Once there, malicious DLL files could be side-loaded by legitimate system processes, giving the attacker full control of the machine.
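The check-then-use gap described above is easier to see in code. The following is an added, deliberately simplified illustration, not the page's own code and not Microsoft's driver source: the function names (create_placeholder_unsafe, create_placeholder_safe, name_is_safe), the SYNC_ROOT path and the sample file names are all hypothetical, and the concurrent writer is simulated deterministically by a callback that runs between the check and the use instead of by a real second thread. The vulnerable version validates a shared buffer and then reads it again; the hardened version fetches the caller's buffer exactly once into private memory and both validates and uses that copy, which is the standard way to close a double-fetch TOCTOU window in a driver.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64
/* Hypothetical sync root; a constructed value for the demonstration only. */
#define SYNC_ROOT "C:\\Users\\alice\\OneDrive\\"

/* Validation policy: a placeholder name must be a single path component,
   so no separators and no ".." traversal. */
static bool name_is_safe(const char *name) {
    if (name[0] == '\0') return false;
    if (strchr(name, '\\') != NULL || strchr(name, '/') != NULL) return false;
    if (strstr(name, "..") != NULL) return false;
    return true;
}

/* Simulates "another thread runs here" between the check and the use. */
typedef void (*race_hook_t)(char *shared_name);

/* Vulnerable pattern: the name is validated in the shared buffer, and the
   shared buffer is fetched a second time when the path is built. */
bool create_placeholder_unsafe(char *shared_name, race_hook_t hook,
                               char *out, size_t out_len) {
    if (!name_is_safe(shared_name)) return false;          /* time of check */
    if (hook) hook(shared_name);                           /* race window   */
    snprintf(out, out_len, "%s%s", SYNC_ROOT, shared_name); /* time of use  */
    return true;
}

/* Hardened pattern: single fetch into a private copy; the copy is what is
   validated and what is used, so a concurrent writer cannot change it. */
bool create_placeholder_safe(char *shared_name, race_hook_t hook,
                             char *out, size_t out_len) {
    char local[NAME_MAX_LEN];
    strncpy(local, shared_name, NAME_MAX_LEN - 1);
    local[NAME_MAX_LEN - 1] = '\0';
    if (!name_is_safe(local)) return false;
    if (hook) hook(shared_name);        /* writer still runs, but too late */
    snprintf(out, out_len, "%s%s", SYNC_ROOT, local);
    return true;
}

/* Constructed racing writer: replaces the benign name with a traversal
   string after validation has already passed. */
static void swap_after_check(char *shared_name) {
    strcpy(shared_name, "..\\..\\..\\Windows\\System32\\dropped.dll");
}

/* Returns true when the resulting path escaped the sync root, i.e. when the
   race succeeded. With hardened == false the race wins; with true it does not. */
bool demo_race_escapes(bool hardened) {
    char shared[NAME_MAX_LEN] = "report.docx";   /* constructed input */
    char out[256];
    bool ok = hardened
        ? create_placeholder_safe(shared, swap_after_check, out, sizeof out)
        : create_placeholder_unsafe(shared, swap_after_check, out, sizeof out);
    return ok && strstr(out, "..") != NULL;
}

int main(void) {
    printf("double-fetch version escaped sync root: %s\n",
           demo_race_escapes(false) ? "yes" : "no");
    printf("single-fetch version escaped sync root: %s\n",
           demo_race_escapes(true) ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is not a stronger validator but a different data flow: whatever the caller can still modify after the check is never read again. A real driver also has to copy under exception handling and respect the buffer's declared length, which this sketch leaves out.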
How Attackers Could Exploit It
The attack doesn't require administrator rights. In fact, it only needs low-privilege access and a bit of timing precision. Researchers describe it as a multi-threaded race.
Once the timing "race" is won, the attacker can drop a malicious DLL into a privileged location, such as System32, where it can be automatically loaded by trusted Windows services. This leads to kernel-level code execution—the holy grail of privilege escalation.
Affected Systems
According to Akati Sekurity, the flaw affects a wide range of Windows 10, Windows 11, and Windows Server versions, including both x64 and ARM64 builds.
Windows 11:
Windows 10:
Windows Server:
The broad scope highlights how deeply integrated the Cloud Files Minifilter driver is across Microsoft's ecosystem.
Recommended Fixes and Mitigations
Microsoft addressed CVE-2025-55680 in the October 2025 Patch Tuesday update, urging all users to apply the patch immediately.
You can find full details in the official advisory:
Microsoft Security Update Guide – CVE-2025-55680
Additional mitigations include:
C:\Windows\System32.
For enterprises, enforcing strict least-privilege access policies and continuously auditing sync-root operations can significantly reduce exposure.
The Bigger Picture
While this may seem like another patch in a long list of Microsoft security updates, it highlights a recurring challenge in operating system design—the intersection of user and kernel space.
As organizations increasingly rely on cloud integration, vulnerabilities in synchronization frameworks like OneDrive's Files On-Demand become more attractive targets for attackers. Kernel-level flaws like CVE-2025-55680 demonstrate how even minor validation gaps can lead to catastrophic privilege escalation.
For now, applying the latest patch and tightening endpoint defenses remain the best lines of defense.