A high-severity vulnerability in the Windows Cloud Files Mini Filter driver has been patched. The bug is a race condition that let a local attacker escalate privileges by creating files outside the cloud sync root, in any directory the driver can write to.
The vulnerability, tracked as CVE-2025-55680, was reported by researchers at Exodus Intelligence in March 2024 and fixed in Microsoft's October 2025 security updates.
Race Condition Allows System-Wide File Creation
The vulnerability lies in the Cloud Files Mini Filter driver (cldflt.sys), the kernel component that backs the Cloud Files API used by sync clients such as OneDrive.
The flaw is in the driver's HsmpOpCreatePlaceholders() routine, which handles requests to create placeholder files under a synchronized directory (a sync root).
| CVE ID | Vulnerability Type | Affected Component | CVSS 3.1 Score | Impact |
|---|---|---|---|---|
| CVE-2025-55680 | Race condition (time-of-check/time-of-use, TOCTOU) | Windows Cloud Files Mini Filter driver (cldflt.sys) | 7.8 (High) | Local privilege escalation: arbitrary file creation leading to SYSTEM |
Placeholder files are the stubs a cloud sync service leaves on disk in place of remote content; their data is fetched from the cloud the first time a user or program opens them.
The security issue stems from how the filename is validated during placeholder creation.
When a caller asks for a placeholder, the driver checks that the relative filename contains no forbidden characters, such as a backslash (which would let the name walk into another directory) or a colon.
However, the researchers found that the check and the use are two separate reads: the driver validates the name, and only afterwards reads it again to build the path of the file it creates.
In the window between those two reads, an attacker who controls the buffer holding the name can rewrite it, so the name that is validated is not the name that is used.
Exploiting the Time-of-Check Time-of-Use Weakness
The time-of-check/time-of-use weakness is exploited with several threads running at once.
Some threads repeatedly request placeholder creation with a harmless-looking filename, while other threads keep flipping selected characters in that filename buffer to backslashes.
When the flip lands after validation but before the path is built, the driver creates the file at the attacker's chosen location, including protected system directories such as C:\Windows\System32.
Dropping a malicious DLL into such a directory lets the attacker use DLL hijacking (side-loading) against a privileged process to run code as SYSTEM.
The attack starts from an ordinary low-privileged local account, which makes it a serious concern on multi-user and shared systems.
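The following user-mode C program is an added illustration, not code from the article, Exodus Intelligence or Microsoft, and it does not reproduce cldflt.sys internals. It models the validate-then-use shape the article describes beside the copy-first fix. The names `name_is_valid`, `create_placeholder_racy`, `create_placeholder_safe`, the `C:\SyncRoot` path and the trick of submitting `#` where a backslash is wanted are this example's own assumptions; a callback stands in for the thread that rewrites the buffer, so the race outcome is deterministic and can be checked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define MAX_NAME 64
#define PATH_LEN 256

/* Constructed attacker input (assumption): '#' stands where a backslash is
 * wanted; the validator would reject a real backslash, so a second thread
 * flips '#' to '\\' after the check has passed. */
static const wchar_t *ATTACK_NAME = L"..#..#Windows#System32#evil.dll";

/* The check the article describes: reject separators and drive colons in a
 * relative placeholder name. The forbidden set is this example's choice. */
static bool name_is_valid(const wchar_t *name)
{
    for (const wchar_t *p = name; *p; p++)
        if (*p == L'\\' || *p == L':')
            return false;
    return true;
}

/* Stand-in for the racing thread: invoked between check and use. */
typedef void (*race_hook)(wchar_t *name);

static void attacker_flip(wchar_t *name)
{
    for (wchar_t *p = name; *p; p++)
        if (*p == L'#')
            *p = L'\\';
}

/* Vulnerable shape (model of the CVE-2025-55680 bug class, not driver code):
 * the name is validated in the caller's buffer, then fetched a second time to
 * build the target path, so whatever was written in between is honoured. */
static bool create_placeholder_racy(wchar_t *user_name, race_hook between,
                                    wchar_t *out_path, size_t out_len)
{
    if (!name_is_valid(user_name))          /* time of check */
        return false;
    if (between)
        between(user_name);                 /* attacker thread wins the race */
    swprintf(out_path, out_len, L"C:\\SyncRoot\\%ls", user_name); /* time of use */
    return true;
}

/* Hardened shape: fetch the name out of the caller's buffer exactly once,
 * then validate and use only the private copy. Later writes are moot. */
static bool create_placeholder_safe(wchar_t *user_name, race_hook between,
                                    wchar_t *out_path, size_t out_len)
{
    wchar_t copy[MAX_NAME];
    if (wcslen(user_name) >= MAX_NAME)
        return false;
    wcscpy(copy, user_name);                /* single fetch */
    if (!name_is_valid(copy))
        return false;
    if (between)
        between(user_name);                 /* same race, now harmless */
    swprintf(out_path, out_len, L"C:\\SyncRoot\\%ls", copy);
    return true;
}

/* True if the computed path walks out of the sync root. */
static bool escapes_sync_root(const wchar_t *path)
{
    return wcsstr(path, L"\\..\\") != NULL;
}

/* One exploitation attempt against either variant; returns whether the
 * attacker's file would land outside C:\SyncRoot. */
static bool run_attempt(bool racy)
{
    wchar_t name[MAX_NAME];
    wchar_t path[PATH_LEN];
    wcscpy(name, ATTACK_NAME);
    bool created = racy
        ? create_placeholder_racy(name, attacker_flip, path, PATH_LEN)
        : create_placeholder_safe(name, attacker_flip, path, PATH_LEN);
    return created && escapes_sync_root(path);
}

/* Submitting the backslash up front is caught by both variants. */
static bool rejects_direct(bool racy)
{
    wchar_t name[MAX_NAME] = L"..\\evil.dll";
    wchar_t path[PATH_LEN];
    return racy ? !create_placeholder_racy(name, NULL, path, PATH_LEN)
                : !create_placeholder_safe(name, NULL, path, PATH_LEN);
}

int main(void)
{
    printf("racy variant, buffer flipped after check: escaped sync root = %s\n",
           run_attempt(true) ? "yes" : "no");
    printf("copy-first variant, same race:            escaped sync root = %s\n",
           run_attempt(false) ? "yes" : "no");
    return 0;
}
```

The lesson is the one kernel developers know as the double fetch: a check performed on memory the caller can still write is worth nothing unless the checked bytes are the bytes that get used. In a real driver the copy is made with the probe-and-capture idiom before any validation, and in a real exploit the callback is a tight loop on another core flipping the character over and over until one iteration lands inside the window.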
The affected code path is the driver's handling of the CfCreatePlaceholders() API.
Cloud sync providers call this function to create placeholder files that represent content stored in the cloud.
The call reaches the driver as I/O control code 0x903BC, with request parameters that select the placeholder-creation operation.
Security researchers note that this bug descends from an earlier cldflt.sys flaw, CVE-2020-17136, which Microsoft fixed by adding the filename validation checks.
It is that validation which contained the race: the check was added, but the name was still re-read from the caller's buffer afterwards, and that window is what CVE-2025-55680 exploits.
System administrators should make sure Windows systems have installed the October 2025 security updates, which close the window.
Organizations running cloud synchronization clients should patch first the machines that have a sync root configured, since a configured sync root is a precondition for exploitation; an unpatched machine without one is exposed only once a sync client sets one up.