{"uuid": "d364c42a-5d9b-4b3c-9d06-38c3d1788726", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://gist.github.com/alon710/94f16ff078ba1aff29867d2bba3993ff", "content": "# CVE-2020-17103: Local Privilege Escalation in Windows Cloud Files Mini Filter Driver\n\n> **CVSS Score:** 7.0\n> **Published:** 2020-12-09\n> **Full Report:** https://cvereports.com/reports/CVE-2020-17103\n\n## Summary\nCVE-2020-17103 is a local privilege escalation vulnerability located in the Windows Cloud Files Mini Filter Driver (cldflt.sys). An exploitable race condition during the handling of impersonation tokens allows a standard local user to write arbitrary data to the .DEFAULT registry hive, leading to SYSTEM-level code execution.\n\n## TL;DR\nA race condition in the Windows Cloud Files Mini Filter driver allows local attackers to elevate privileges to SYSTEM by abusing registry handle fallbacks during impersonation token toggling.\n\n## Exploit Status: WEAPONIZED\n\n## Technical Details\n\n- **CWE ID**: CWE-362\n- **Attack Vector**: Local\n- **CVSS v3.1**: 7.0 (High)\n- **EPSS Score**: 0.35%\n- **Impact**: Arbitrary Code Execution as SYSTEM\n- **Exploit Status**: Weaponized\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Windows 10 Version 1803\n- Windows 10 Version 1809\n- Windows 10 Version 1903\n- Windows 10 Version 1909\n- Windows 10 Version 2004\n- Windows 10 Version 20H2\n- Windows Server 2004\n- Windows Server 20H2\n- Windows Server 2016\n- Windows Server 2019\n- Windows Server Core 1903\n- Windows Server Core 1909\n- **Windows 10**: 1803 - 20H2\n- **Windows Server**: 2016 - 2019\n- **Windows Server Core**: 1903 - 1909\n\n## Mitigation\n\n- Apply Microsoft Security Updates released in and after December 2020\n- Validate patching status for regressions reported in May 2026\n- Disable the cldflt service if 
Cloud Files functionality is unused\n\n**Remediation Steps:**\n1. Identify all endpoints running Windows 10 (1803-20H2) and Windows Server (2016-2019).\n2. Deploy the latest Cumulative Updates to all identified systems via SCCM, WSUS, or Intune.\n3. Monitor patch compliance and restart endpoints to apply kernel modifications.\n4. If patching cannot be performed, test disabling the 'cldflt' service and ensure business processes do not rely on OneDrive placeholders.\n\n## References\n\n- [MSRC Advisory CVE-2020-17103](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17103)\n- [Project Zero Bug Report](https://project-zero.issues.chromium.org/issues/42451192)\n- [Project Zero Technical Blog](https://projectzero.google/2021/01/hunting-for-bugs-in-windows-mini-filter.html)\n- [MiniPlasma Exploit Repository](https://github.com/Nightmare-Eclipse/MiniPlasma)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2020-17103) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-18T05:20:50.000000Z"}