ThreatLevelBeta
Fix Soon

CVE-2020-17103

Local Privilege Escalation in Windows Cloud Files Mini Filter Driver
Loading...

Summary

Windows Cloud Files mini filter driver (cldflt.sys) mishandles a placeholder and hydration code path, allowing a local attacker to elevate privileges. Public PoC code weaponizes the original research and reports that it can spawn a SYSTEM shell on fully patched Windows systems, though reliability may vary because the trigger is race-prone. Successful exploitation gives the attacker SYSTEM-level control on the host.

Why Fix Soon?

5/6
Domain user required (treated as pre-auth on internal network)
Internal deployment
No user interaction needed
Exploitable in default configuration
Public PoC available
High impact vulnerability

Exploitation Details

Type
LPE (Local Privilege Escalation)
Is exploitable with default configuration?
Yes
Is authentication needed?
Yes
domain user
PoC / Exploit
Yes
github.com
Impact

Escalate from a low-privileged local user to SYSTEM privileges on the Windows host.

Privilege Escalation
Exploitation Requirements
  • Authentication required (domain user)
Exploitation Process

An attacker starts from a normal local Windows user account on an affected build, then runs the MiniPlasma trigger against cldflt.sys. The exploit drives the HsmOsBlockPlaceholderAccess placeholder/hydration path and related registry-key creation logic until the race window succeeds. When the trigger lands, the attacker obtains a SYSTEM shell or equivalent elevated code execution.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
Tenable Nessus
1

Affected Software

Vendor:Microsoft
ProductAffected Versions
WindowsWindows 10 version 1903, 1909, 2004, and 20H2; Windows Server version 1903, 1909, 2004, and 20H2; Windows Server 2019
Description

Microsoft Windows is the desktop and server operating system platform. The affected component is the Cloud Files mini filter driver (cldflt.sys), which supports cloud-backed placeholder and hydration behavior used by features such as OneDrive.

Deployment:Typically internal
|
Protocol:Local
|
Ports:
Affected ComponentCloud Files mini filter driver (cldflt.sys), especially the HsmOsBlockPlaceholderAccess path used for placeholder and hydration handling.

Cloud Files mini filter driver (cldflt.sys), especially the HsmOsBlockPlaceholderAccess path used for placeholder and hydration handling.

Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Big
Remediation
Workaround

Not available

Patch

Not available

Update
Install the December 2020 Windows security updates or later for the affected Windows 10 and Windows Server releases to address CVE-2020-17103.

Install the December 2020 Windows security updates or later for the affected Windows 10 and Windows Server releases to address CVE-2020-17103.

msrc.microsoft.com
Threat Intelligence
EPSS Score0.3%

Probability of exploitation in the next 30 days

EPSS Percentile56%

Worse than 56% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules1
KQL
DeviceRegistryEvents | where ActionType in ("RegistryKeyCreated", "RegistryValueSet") and (RegistryKey has @"\Registry\User\.DEFAULT\Volatile Environment" or RegistryKey has @"\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps")

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

CVSS Base Score

7.0
High

CVSS Vector (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-269 Improper Privilege Management
|
NVD:CVE-2020-17103
|
Version From:
|
Version Upto:

Affected Software (CPE) (13)

  • cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*

Sources

6
SourceArticle
msrc.microsoft.comCVE-2020-17103
projectzero.googleHunting for Bugs in Windows Mini-Filter Drivers
www.bleepingcomputer.comNew Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released
github.comMiniPlasma
nvd.nist.govCVE-2020-17103 Detail
www.tenable.comCVE-2020-17103

Priority History

Fix SoonLoading...

Initial analysis