May 18, 2026
A race condition in the Windows Cloud Files Mini Filter driver allows local attackers to elevate privileges to SYSTEM by abusing registry handle fallbacks during impersonation token toggling.
CVE-2020-17103 is a local privilege escalation vulnerability located in the Windows Cloud Files Mini Filter Driver (cldflt.sys). An exploitable race condition during the handling of impersonation tokens allows a standard local user to write arbitrary data to the .DEFAULT registry hive, leading to SYSTEM-level code execution.
CVE-2020-17103 is a local privilege escalation vulnerability located in the Windows Cloud Files Mini Filter Driver, cldflt.sys. This driver facilitates interactions with cloud-backed storage solutions such as OneDrive and Work Folders. The driver exposes specific functionality to user-space applications through the undocumented CfAbortHydration API.
The vulnerability is categorized as a race condition (CWE-362) that subsequently leads to improper privilege management (CWE-269). The driver processes requests to abort hydration operations by writing state data to the registry. Flaws in the registry key creation logic allow standard users to manipulate the target registry hive.
Exploiting this vulnerability grants local attackers the ability to write arbitrary data to the .DEFAULT user registry hive. The .DEFAULT hive is utilized by the local system account during early boot stages and service execution. Modifying specific keys within this hive yields code execution running in the context of NT AUTHORITY\SYSTEM.
The core logical failure resides in the HsmOsBlockPlaceholderAccess function within cldflt.sys. This function handles state changes for cloud file placeholders and calls HsmiOsOpenAppPolicyKey to manage associated registry keys. The HsmiOsOpenAppPolicyKey routine initiates registry key creation without asserting the OBJ_FORCE_ACCESS_CHECK flag.
Omitting this flag instructs the Windows kernel to bypass standard security descriptor validation for the caller. The kernel trusts the driver's system-level context rather than validating against the low-privileged user token initiating the request. This missing security check is a critical prerequisite for the subsequent registry overwrite.
The driver utilizes the RtlOpenCurrentUser kernel function to locate the appropriate registry hive for the current user. If RtlOpenCurrentUser returns the STATUS_OBJECT_NAME_NOT_FOUND error code, the driver implements a fallback mechanism. This fallback mechanism incorrectly assumes it is operating in a system context and redirects the handle to the .DEFAULT hive.
A local attacker controls the return value of RtlOpenCurrentUser by manipulating their thread's impersonation token. Toggling an anonymous token on and off forces the function to fail to locate the user profile. The combination of the forced fallback and the missing access check creates the exploitable state.
The vulnerability requires precise timing to exploit the race condition during the driver API invocation. An attacker application spawns multiple execution threads to invoke the CfAbortHydration API concurrently. Simultaneously, secondary threads repeatedly apply and remove an anonymous impersonation token on the primary calling thread.
When the driver reaches the RtlOpenCurrentUser call, the thread must hold the anonymous token. The anonymous token lacks an associated loaded user hive, causing the call to fail and trigger the .DEFAULT hive fallback. Immediately after this check, the thread must revert to the standard user token before the driver attempts to construct the specific registry subkeys.
```c
// Pseudo-code representation of the vulnerable driver logic
NTSTATUS HsmiOsOpenAppPolicyKey(...) {
    HANDLE hUserHive;
    HANDLE hAppPolicyKey;
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING DefaultHivePath;   // registry path of the .DEFAULT hive

    // Attacker race window: the calling thread holds an anonymous token
    NTSTATUS status = RtlOpenCurrentUser(KEY_WRITE, &hUserHive);
    if (status == STATUS_OBJECT_NAME_NOT_FOUND) {
        // Fallback path taken because the anonymous token has no loaded user hive
        InitializeObjectAttributes(&ObjAttr, &DefaultHivePath,
                                   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                                   NULL, NULL);
        // Missing OBJ_FORCE_ACCESS_CHECK: the kernel-mode open is never
        // validated against the requesting user's token
    }
    // Attacker race window ends: token reverted to the standard user
    // Driver proceeds to create the subkey on the established handle
    return ZwCreateKey(&hAppPolicyKey, KEY_WRITE, &ObjAttr, ...);
}
```

The successful execution of this sequence results in the attacker-controlled data being written into the .DEFAULT hive rather than the user's local profile. The lack of the OBJ_FORCE_ACCESS_CHECK flag guarantees the ZwCreateKey call succeeds despite the attacker's actual privileges.
The exploitation phase capitalizes on the registry write primitive to achieve arbitrary code execution. The primary target for this primitive is the Volatile Environment subkey within the .DEFAULT hive. Writing to this specific key alters environment variables that privileged system services process upon initialization.
In May 2026, the MiniPlasma exploit was released by researcher Nightmare-Eclipse, validating the ongoing exploitability of this code path. The MiniPlasma implementation automates the thread toggling required to reliably win the race condition. The exploit establishes a payload within the .DEFAULT hive without triggering system instability.
The prerequisites for the attack are minimal, requiring only standard user code execution capabilities. The attack does not require administrative rights, network access, or specific system configurations beyond the presence of the cldflt.sys driver. The driver is enabled by default on modern Windows installations supporting OneDrive or Work Folders.
Upon system reboot or the restart of specific targeted services, the system processes the poisoned Volatile Environment variables. The system executes the specified attacker binary under the context of the local system account. This provides full administrative control over the targeted endpoint.
The security impact of CVE-2020-17103 is severe as it comprehensively breaches the local privilege boundary. A standard user account is elevated to the highest local privilege level available on the Windows operating system. The resulting execution context allows for the termination of security software, extraction of protected credentials, and installation of persistent kernel-mode rootkits.
The vulnerability has a CVSS v3.1 base score of 7.0, derived from a high-complexity vector (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). The high complexity designation accurately reflects the race condition requirement, which necessitates multiple execution attempts to succeed. However, because the attack vector is local, the attacker commands sufficient control over the execution environment to ensure reliable exploitation over time.
The EPSS score for this vulnerability is 0.00352, indicating a lower global probability of exploitation compared to network-facing vulnerabilities. Despite this low statistical probability, the public availability of the weaponized MiniPlasma exploit significantly increases the risk for organizations with untrusted local users. The vulnerability is highly relevant for multi-tenant environments, remote desktop servers, and shared workstations.
The impact is amplified by the widespread deployment of the vulnerable component across the Windows ecosystem. The cldflt.sys driver is active across consumer and enterprise builds of Windows 10 and Windows Server. The regression observed in 2026 demonstrates the difficulty of definitively mitigating complex race conditions within deeply integrated kernel components.
Mitigating CVE-2020-17103 requires the application of official vendor security updates across all affected Windows versions. Microsoft initially addressed the vulnerability in the December 2020 Update Tuesday cycle. Given the 2026 regression documentation, administrators must verify that subsequent cumulative updates accurately address the race condition in their specific deployment rings.
In environments where immediate patching is unfeasible, a functional workaround exists by disabling the vulnerable driver. The cldflt service manages the cloud files mini filter driver and can be disabled via standard service management tools. Disabling this service neutralizes the attack vector but directly breaks functionality for OneDrive placeholders and enterprise Work Folders.
Detection engineering teams should implement monitoring for unauthorized modifications to the HKEY_USERS\.DEFAULT registry hive. Standard user processes rarely interact directly with the Volatile Environment subkeys within this specific hive. Endpoint Detection and Response (EDR) solutions should alert on anomalous write operations to these paths originating from non-system executables.
Additional telemetry can be gathered by monitoring interactions with the Filter Communication Ports associated with cldflt.sys. High volumes of CfAbortHydration API calls originating from a single standard user process correlate strongly with the exploitation attempt. Combining registry monitoring with API call tracing provides robust detection capabilities against the MiniPlasma exploit implementation.
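The two detection signals described above, as an added example that is not part of the original page: a rule that flags registry writes under HKU\.DEFAULT\Volatile Environment by any principal other than SYSTEM, run over records shaped like Sysmon Event ID 12/13 (key create, value set), and a rule that flags a per-process burst of CfAbortHydration calls. The registry record fields follow Sysmon's naming; the API-trace record shape, the burst threshold and the window length are assumptions for illustration, and all sample events are constructed.

```python
"""Detection rules for .DEFAULT hive writes and CfAbortHydration bursts (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Registry paths whose modification by a non-SYSTEM principal is anomalous.
WATCHED_PREFIXES = (r"HKU\.DEFAULT\Volatile Environment",)
SYSTEM_PRINCIPALS = {r"NT AUTHORITY\SYSTEM"}
REGISTRY_EVENT_IDS = {12, 13}      # Sysmon: 12 = key create/delete, 13 = value set
# Burst thresholds are assumed tuning values, not figures from the advisory.
API_BURST_THRESHOLD = 50           # calls from one process inside the window
API_BURST_WINDOW_S = 10

# Constructed sample telemetry (not real captures): a legitimate SYSTEM write,
# a user writing to their own hive, and a user writing under .DEFAULT.
REGISTRY_SAMPLES = [
    {"kind": "registry", "event_id": 13, "ts": "2026-05-18T10:00:01",
     "image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM",
     "target": r"HKU\.DEFAULT\Volatile Environment\SESSIONNAME"},
    {"kind": "registry", "event_id": 13, "ts": "2026-05-18T10:00:02",
     "image": r"C:\Users\alice\tool.exe", "user": r"CORP\alice",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Volatile Environment\HOMEPATH"},
    {"kind": "registry", "event_id": 12, "ts": "2026-05-18T10:00:03",
     "image": r"C:\Users\alice\tool.exe", "user": r"CORP\alice",
     "target": r"HKU\.DEFAULT\Volatile Environment\Example"},
]


def _api_burst_samples():
    """Constructed API-trace records: 60 calls from one process, 100 ms apart."""
    base = datetime(2026, 5, 18, 10, 1, 0)
    return [{"kind": "api", "ts": (base + timedelta(milliseconds=100 * i)).isoformat(),
             "image": r"C:\Users\alice\tool.exe", "pid": 4242, "api": "CfAbortHydration"}
            for i in range(60)]


SAMPLE_EVENTS = REGISTRY_SAMPLES + _api_burst_samples()


def _is_watched(target: str) -> bool:
    target = target.lower()
    return any(target.startswith(p.lower()) for p in WATCHED_PREFIXES)


def rule_default_hive_write(event: dict):
    """Alert on key creation or value writes under the watched paths by non-SYSTEM callers."""
    if event.get("kind") != "registry" or event.get("event_id") not in REGISTRY_EVENT_IDS:
        return None
    if not _is_watched(event.get("target", "")):
        return None
    if event.get("user") in SYSTEM_PRINCIPALS:
        return None
    return {"rule": "default-hive-write", "ts": event["ts"], "image": event["image"],
            "user": event["user"], "target": event["target"]}


def rule_abort_hydration_burst(events):
    """One alert per (image, pid) whose CfAbortHydration calls reach the threshold in a window."""
    windows = defaultdict(deque)   # (image, pid) -> call timestamps inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("kind") != "api" or ev.get("api") != "CfAbortHydration":
            continue
        key = (ev["image"], ev["pid"])
        now = datetime.fromisoformat(ev["ts"])
        q = windows[key]
        q.append(now)
        while (now - q[0]).total_seconds() > API_BURST_WINDOW_S:
            q.popleft()                      # slide the window forward
        if len(q) >= API_BURST_THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": "abort-hydration-burst", "ts": ev["ts"],
                           "image": ev["image"], "pid": ev["pid"], "count": len(q)})
    return alerts


def detect(events):
    """Run both rules over a list of events and return the alerts."""
    alerts = [a for a in (rule_default_hive_write(e) for e in events) if a]
    alerts.extend(rule_abort_hydration_burst(events))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the registry rule fires once (the user-context write under .DEFAULT) and stays silent for the SYSTEM write and for the user's own hive, and the burst rule fires once for the process at its fiftieth call; in production the two alerts correlating on the same image is the stronger signal, as the paragraph above notes.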
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Microsoft Windows 10 | 1803 - 20H2 | - |
| Microsoft Windows Server | 2016 - 2019 | - |
| Microsoft Windows Server Core | 1903 - 1909 | - |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-362 |
| Attack Vector | Local |
| CVSS v3.1 | 7.0 (High) |
| EPSS Score | 0.35% |
| Impact | Arbitrary Code Execution as SYSTEM |
| Exploit Status | Weaponized |
| KEV Status | Not Listed |
Race condition during registry key creation leading to improper privilege management.