A privilege escalation flaw in the Windows Cloud Files Mini Filter Driver has been discovered, allowing local attackers to bypass file write protections and inject malicious code into system processes.
Security researchers have uncovered CVE-2025-55680, a high-severity privilege-escalation vulnerability in the Windows Cloud Files Mini Filter Driver.
The flaw exists in the Cloud Files Filter (cldsync.sys) driver’s handling of file path validation during placeholder file creation operations.
Specifically, the vulnerability resides in the call chain: HsmFltProcessHSMControl → HsmFltProcessCreatePlaceholders → HsmpOpCreatePlaceholders.
Microsoft previously patched a similar file write vulnerability reported by Project Zero in 2020. However, the current implementation contains a critical logical flaw.
While Microsoft added code that rejects backslash (\) and colon (:) characters in file paths in order to block symbolic link attacks, the validation check can be bypassed through a Time-of-Check Time-of-Use (TOCTOU) race condition.
Attackers can modify the path string in kernel memory between the validation check and the actual file operation, allowing malicious paths to pass through security controls.
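The check-then-use pattern described above, modelled in user-space C next to the capture-then-validate form that closes the window. This is an added example, not code from the driver or the researchers; all function names, the 64-byte name field and the hook that stands in for a concurrent writer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_FIELD_LEN 64   /* assumed fixed-size name field in the request */

/* Stand-in for the placeholder name check: reject '\' and ':'. */
static int name_is_safe(const char *name) {
    return strpbrk(name, "\\:") == NULL;
}

/* Stands in for another thread rewriting the caller-owned buffer.
   Called deterministically between check and use so the effect is visible. */
typedef void (*writer_hook)(char *shared);

static void swap_in_separator(char *shared) {
    char *p = strchr(shared, '_');
    if (p) *p = '\\';
}

/* Flawed: validates the shared buffer, then reads it a second time for use. */
int create_unsafe(char *shared, writer_hook hook, char *used, size_t used_len) {
    if (!name_is_safe(shared)) return -1;      /* time of check */
    if (hook) hook(shared);                    /* buffer changes here */
    snprintf(used, used_len, "%s", shared);    /* time of use: second fetch */
    return 0;
}

/* Hardened: one fetch into private memory; check and use only the copy. */
int create_safe(char *shared, writer_hook hook, char *used, size_t used_len) {
    char captured[NAME_FIELD_LEN];
    memcpy(captured, shared, NAME_FIELD_LEN);  /* single capture */
    if (!memchr(captured, '\0', NAME_FIELD_LEN)) return -1; /* unterminated */
    if (!name_is_safe(captured)) return -1;
    if (hook) hook(shared);                    /* later writes are irrelevant */
    snprintf(used, used_len, "%s", captured);
    return 0;
}

int main(void) {
    char a[NAME_FIELD_LEN] = "dir_file.txt";   /* constructed sample names */
    char b[NAME_FIELD_LEN] = "dir_file.txt";
    char used[NAME_FIELD_LEN];
    create_unsafe(a, swap_in_separator, used, sizeof used);
    printf("unsafe path used: %s\n", used);
    create_safe(b, swap_in_separator, used, sizeof used);
    printf("safe path used:   %s\n", used);
    return 0;
}
```

The same rule applies to any length or offset taken from the shared buffer: derive it from the captured copy, never from a second read of caller-controlled memory.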
