November 7, 2025
Severity
High
Analysis Summary
A newly disclosed high-severity privilege-escalation vulnerability (CVE-2025-55680, CVSS High) affects the Windows Cloud Files Mini Filter Driver (cldsync.sys). The flaw lets a local, authenticated attacker bypass file-write protections and create files inside protected system directories with kernel-level privileges, enabling full SYSTEM compromise. The exploitation reports are credited to ssd-disclosure; the attack is reliable in practice because it abuses a timing vulnerability rather than a rare memory-corruption bug, so organizations should treat it as urgent.
At root the problem is a logical TOCTOU (time-of-check/time-of-use) race in the driver’s placeholder creation path. The vulnerable call chain is HsmFltProcessHSMControl → HsmFltProcessCreatePlaceholders → HsmpOpCreatePlaceholders, where the driver validates a pathname (blocking backslash and colon characters to stop symbolic-link abuse) but performs the actual file operation later. An attacker can swap the contents of the pathname buffer in kernel memory in the window between validation and use, allowing crafted paths (for example, ones that target C:\Windows\System32) to slip through the checks.
The exploitation sequence is multi-threaded and straightforward: an attacker starts the Remote Access Service (rasman) and creates a cloud file sync root via the Cloud Files API, opens the Cloud Files Filter driver using DeviceIoControl to establish a port with the filter manager, then races two threads: one repeatedly changing the kernel-memory path string and the other issuing file-creation requests. When the timing lines up, the driver creates placeholder files with elevated privileges; attackers then write malicious DLLs (examples reported include rasmxs.dll) into protected locations and trigger privileged services via RPC to load the tampered libraries, achieving code execution and persistence inside legitimate system processes.
Because this attack requires only local authenticated access but reliably results in SYSTEM privileges and persistence, it represents a serious risk. Immediate mitigations are: apply vendor patches as soon as they become available; restrict and audit accounts that have local logon privileges; monitor unusual DeviceIoControl activity and rasman/service behavior; enforce application and code integrity (Windows Defender Application Control, driver signing policies); and use file-integrity monitoring for system directories to detect unexpected DLL drops. In addition, defenders should look for rapid repeated memory-write patterns or unusual placeholder creation calls as indicators of the race-condition exploit.
Impact
- Privilege Escalation
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-55680
Remediation
- Apply vendor patch: install Microsoft’s security update for CVE-2025-55680 on all affected systems as the top priority.
- Isolate high-risk hosts: temporarily remove vulnerable endpoints from trusted networks (or restrict network access) until patched.
- Limit local logon: disable interactive/local logon for accounts that don’t need it; enforce least privilege for all users.
- Restrict rasman usage: if Remote Access Connection Manager (rasman) is not required, stop and disable the service until you patch (test impact first for VPNs).
- Harden privileged service use: restrict which users/groups can start/stop services and call RPC endpoints that load DLLs.
- Disable or remove unnecessary cloud sync roots: remove any unneeded Cloud Files sync roots or accounts that create placeholders.
- Block access to the Cloud Files driver: use group policy / endpoint controls to restrict user access to DeviceIoControl interfaces targeting the Cloud Files driver where possible.
- Apply application control: enable WDAC/AppLocker or Smart App Control to block unsigned or unexpected DLL loads into system processes.
- Enforce driver and kernel signing: require kernel-mode code signing and enable HVCI/Memory Integrity features where supported.
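The following PowerShell audit is an added example, not part of the advisory or any Microsoft tooling; it turns the monitoring guidance in the analysis and the remediation list above into a host-level check: patch status, RasMan service state, recently written or unsigned DLLs in protected directories (the advisory names rasmxs.dll as a reported drop), and HVCI state. It assumes an elevated session; the KB identifier is a placeholder because the page does not give one, and the $SinceHours window is a constructed default.

```powershell
# Added defender-side audit for CVE-2025-55680 (example code, not vendor code).
# Run elevated. $PatchKB is a placeholder: substitute the KB Microsoft publishes.
param(
    [int]$SinceHours = 24,
    [string]$PatchKB = 'KB<placeholder>'
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Patch status: skipped while the KB is still the placeholder value.
if ($PatchKB -notmatch 'placeholder' -and
    -not (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)) {
    $findings.Add("Update $PatchKB for CVE-2025-55680 is not installed")
}

# 2. RasMan: the reported chain starts the Remote Access Connection Manager.
$ras = Get-Service -Name RasMan -ErrorAction SilentlyContinue
if ($ras -and $ras.Status -eq 'Running') {
    $findings.Add("RasMan is running (StartType=$($ras.StartType)); disable if VPN is not needed")
}

# 3. File-integrity check: DLLs written recently into protected directories
#    that do not carry a valid Authenticode signature.
$since = (Get-Date).AddHours(-$SinceHours)
$dirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $findings.Add("$($_.FullName) written $($_.LastWriteTime) signature=$($sig.Status)")
            }
        }
}

# 4. HVCI / Memory Integrity: value 2 in SecurityServicesRunning means HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -notcontains 2)) {
    $findings.Add('HVCI (Memory Integrity) is not running')
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Any DLL reported under step 3 should be compared against a known-good baseline before being treated as a drop, since legitimate updates also rewrite files in System32.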