CVE Reports

Posted on • Originally published at cvereports.com

CVE-2020-17103: Local Privilege Escalation in Windows Cloud Files Mini Filter Driver

Vulnerability ID: CVE-2020-17103
CVSS Score: 7.0
Published: 2020-12-09

CVE-2020-17103 is a local privilege escalation vulnerability located in the Windows Cloud Files Mini Filter Driver (cldflt.sys). An exploitable race condition during the handling of impersonation tokens allows a standard local user to write arbitrary data to the .DEFAULT registry hive, leading to SYSTEM-level code execution.

TL;DR

A race condition in the Windows Cloud Files Mini Filter driver allows local attackers to elevate privileges to SYSTEM by abusing registry handle fallbacks during impersonation token toggling.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-362
  • Attack Vector: Local
  • CVSS v3.1: 7.0 (High)
  • EPSS Score: 0.35%
  • Impact: Arbitrary Code Execution as SYSTEM
  • Exploit Status: Weaponized
  • KEV Status: Not Listed

Affected Systems

  • Windows 10 Version 1803
  • Windows 10 Version 1809
  • Windows 10 Version 1903
  • Windows 10 Version 1909
  • Windows 10 Version 2004
  • Windows 10 Version 20H2
  • Windows Server 2004
  • Windows Server 20H2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server Core 1903
  • Windows Server Core 1909
  • Windows 10: 1803 - 20H2
  • Windows Server: 2016 - 2019
  • Windows Server Core: 1903 - 1909

Exploit Details

  • GitHub (MiniPlasma): Functional Local Privilege Escalation exploit implementing the race condition against HsmOsBlockPlaceholderAccess.

Mitigation Strategies

  • Apply Microsoft Security Updates released in and after December 2020
  • Validate patching status for regressions reported in May 2026
  • Disable the cldflt service if Cloud Files functionality is unused

Remediation Steps

  1. Identify all endpoints running Windows 10 (1803-20H2) and Windows Server (2016-2019).
  2. Deploy the latest Cumulative Updates to all identified systems via SCCM, WSUS, or Intune.
  3. Monitor patch compliance and restart endpoints to apply kernel modifications.
  4. If patching cannot be performed, test disabling the 'cldflt' service and ensure business processes do not rely on OneDrive placeholders.
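As an added example that is not part of the original report, the PowerShell check below maps the host's build to the affected releases listed above, reports the UBR to compare against the December 2020 (or later) cumulative update, shows the cldflt driver state, and optionally applies step 4. The build-to-release table is my own mapping of public Windows build numbers; patched UBR values are not hardcoded.

```powershell
# Added example (not from the original report). Run as Administrator.
# Build numbers map the report's "Affected Systems" list to CurrentBuild values.
param([switch]$DisableCldflt)   # opt-in: only when OneDrive placeholders are unused

$AffectedBuilds = @{
    '14393' = 'Windows Server 2016'
    '17134' = 'Windows 10 1803'
    '17763' = 'Windows 10 1809 / Windows Server 2019'
    '18362' = 'Windows 10 1903 / Server Core 1903'
    '18363' = 'Windows 10 1909 / Server Core 1909'
    '19041' = 'Windows 10 2004 / Windows Server 2004'
    '19042' = 'Windows 10 20H2 / Windows Server 20H2'
}

$ver     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [string]$ver.CurrentBuild
$inScope = $AffectedBuilds.ContainsKey($build)
Write-Host ("{0}  build {1}.{2}" -f $ver.ProductName, $build, $ver.UBR)

if ($inScope) {
    # UBR is the cumulative-update revision. Compare it with the December 2020
    # (or later) LCU for this build in Microsoft's release history; the patched
    # revision is deliberately not hardcoded here.
    Write-Host "In affected range ($($AffectedBuilds[$build])); verify UBR against the Dec 2020+ LCU."
} else {
    Write-Host "Build is not in the report's affected list."
}

# cldflt is a kernel filter driver, so Get-Service does not list it; query CIM.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='cldflt'"
if (-not $drv) { Write-Host "cldflt driver not present."; return }
Write-Host ("cldflt: state={0} startmode={1}" -f $drv.State, $drv.StartMode)

if ($DisableCldflt -and $inScope) {
    # Step 4 of the report: disable the driver's start mode; a reboot unloads it.
    $r = Invoke-CimMethod -InputObject $drv -MethodName ChangeStartMode `
                          -Arguments @{ StartMode = 'Disabled' }
    if ($r.ReturnValue -eq 0) { Write-Host "cldflt start mode set to Disabled; reboot to unload." }
    else { Write-Warning "ChangeStartMode failed with code $($r.ReturnValue)" }
}
```

Without `-DisableCldflt` the script only reports, so it can be pushed fleet-wide as a compliance check before any change is made.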

Read the full report for CVE-2020-17103 on our website for more details including interactive diagrams and full exploit analysis.
