The Cloud Files Minifilter driver (cldflt.sys) is a core component of Windows features like **OneDrive’s Files On-Demand**. It allows cloud-stored files to appear as local placeholders that seamlessly “hydrate” (download) when accessed. Sync root directories, registered via the **CfRegisterSyncRoot API**, enforce policies for how these files and directories are presented and downloaded. The driver operates in **kernel mode**, intercepting file operations like creation, reading, and writing to ensure secure integration with the cloud service. This tight coupling between user-space APIs and kernel handling of file creation, specifically through functions like **CfCreatePlaceholders**, is where the risk of input validation errors arises.
The vulnerability, tracked as CVE-2025-55680 (with a CVSS score of 7.8), is rooted in the `HsmpOpCreatePlaceholders` function within the `cldflt.sys` driver. This function is triggered when an application attempts to create file placeholders under a sync root. Initially, the function maps the user-supplied filename buffer (called `relName`) into kernel space using `IoAllocateMdl` and `MmMapLockedPagesSpecifyCache`, creating a shared view of the same physical memory. The vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) flaw: the driver validates `relName` for forbidden characters (such as `'\'` or `':'`), but because the buffer remains shared with user mode after the check, a narrow window of opportunity exists between this validation and the final file creation call, `FltCreateFileEx2`.
An attacker with only **low-level privileges** can exploit this TOCTOU weakness by coordinating **multiple threads**. One thread continuously spams the `CfCreatePlaceholders` API with a benign file payload, while a “racing” thread monitors the shared memory buffer. Just after the kernel validates `relName` but before it creates the file, the racing thread quickly alters a single byte in the mapped buffer. For instance, it can change a benign character in a string like “JUSTASTRINGDnewfile.dll” to a backslash, effectively transforming it to **“JUSTASTRING\newfile.dll”**.
Once the malicious DLL is placed in a directory like `System32`, the attacker can achieve **DLL side-loading** by having a legitimate service or process load their unauthorized code, resulting in **code execution in the kernel context (SYSTEM-level access)**. The flaw was discovered in March 2024 by Exodus Intelligence, and Microsoft addressed it in the **October 2025 Patch Tuesday updates**. While no widespread in-the-wild exploitation has been confirmed, experts rate its exploitability as “more likely” due to its straightforward nature. Microsoft urges **immediate patching**, and enterprises should also audit OneDrive usage and enforce strict **least-privilege policies** to minimize local threats, underscoring the dangers of kernel flaws that bridge user and system processes.
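The root cause described above is a double fetch: the driver validates bytes in a buffer that user mode can still write to, then reads those bytes again when it creates the file. The following C model, added here as an illustration and not taken from cldflt.sys, Microsoft’s fix, or Exodus Intelligence’s research, contrasts that pattern with the standard mitigation of capturing the input into kernel-private memory before validating it. All names (`create_placeholder_double_fetch`, `create_placeholder_capture_first`, `rel_name_is_valid`, `create_file_stub`, the `concurrent_writer_t` hook) and the sample string are assumptions constructed for the demo; the hook stands in for the timing window so the two patterns can be compared deterministically.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maximum relative name length accepted by this toy model (constructed value). */
#define MAX_REL_NAME 64

/* Reject path separators and drive-letter colons, the classes of characters
 * the article says the driver filters from relName. */
bool rel_name_is_valid(const char *name, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '\\' || name[i] == ':' || name[i] == '\0')
            return false;
    }
    return len > 0 && len <= MAX_REL_NAME;
}

/* Stand-in for the kernel's file-creation call: it records the name it was
 * handed so the caller can see whether a separator slipped through. */
static char g_last_created[MAX_REL_NAME + 1];

static void create_file_stub(const char *name, size_t len) {
    memcpy(g_last_created, name, len);
    g_last_created[len] = '\0';
}

/* Models another thread writing to the shared mapping between check and use.
 * In the real driver this is a timing window; here it is invoked
 * deterministically so the two patterns can be compared side by side. */
typedef void (*concurrent_writer_t)(char *shared_buf, size_t len);

/* VULNERABLE pattern: validate the shared (user-mapped) buffer, then pass the
 * same buffer to the create routine. Each access is a fresh fetch, so the
 * bytes that were validated are not necessarily the bytes that get used. */
bool create_placeholder_double_fetch(char *shared_buf, size_t len,
                                     concurrent_writer_t writer) {
    if (!rel_name_is_valid(shared_buf, len))
        return false;                        /* check */
    if (writer) writer(shared_buf, len);     /* window: buffer still shared */
    create_file_stub(shared_buf, len);       /* use: second fetch */
    return true;
}

/* HARDENED pattern: copy the user bytes into kernel-private storage once, then
 * validate and use only that private copy. Later writes to the shared mapping
 * cannot change what was validated. */
bool create_placeholder_capture_first(char *shared_buf, size_t len,
                                      concurrent_writer_t writer) {
    char private_copy[MAX_REL_NAME + 1];
    if (len > MAX_REL_NAME)
        return false;
    memcpy(private_copy, shared_buf, len);   /* single fetch */
    if (!rel_name_is_valid(private_copy, len))
        return false;
    if (writer) writer(shared_buf, len);     /* same window, now harmless */
    create_file_stub(private_copy, len);
    return true;
}

/* Constructed concurrent writer: flips the byte at index 11 ('D') to a
 * backslash, mirroring the single-byte change the article describes. */
static void flip_byte_to_separator(char *shared_buf, size_t len) {
    if (len > 11) shared_buf[11] = '\\';
}

/* True if the name that reached create_file_stub contains a separator. */
bool last_created_has_separator(void) {
    return strchr(g_last_created, '\\') != NULL ||
           strchr(g_last_created, ':') != NULL;
}

/* Runs both patterns on the same constructed input. Returns 1 when only the
 * double-fetch variant let a separator through, which is the expected outcome. */
int demo(void) {
    char shared[] = "JUSTASTRINGDnewfile.dll";   /* constructed sample input */
    size_t len = strlen(shared);

    create_placeholder_double_fetch(shared, len, flip_byte_to_separator);
    bool vuln_leaked = last_created_has_separator();

    strcpy(shared, "JUSTASTRINGDnewfile.dll");   /* reset the shared buffer */
    create_placeholder_capture_first(shared, len, flip_byte_to_separator);
    bool safe_leaked = last_created_has_separator();

    printf("double-fetch passed a separator:  %s\n", vuln_leaked ? "yes" : "no");
    printf("capture-first passed a separator: %s\n", safe_leaked ? "yes" : "no");
    return vuln_leaked && !safe_leaked;
}

int main(void) { return demo() ? 0 : 1; }
```

The design point is that validation must run on memory the caller cannot modify afterwards. Mapping user pages with an MDL gives the kernel a convenient view of the data but does not stop user mode from writing through its own mapping, so any "check, then use" sequence over that view has to be collapsed into "capture, check the capture, use the capture".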