Bypass Record

Exploitation for Priv-Esc × Microsoft Windows Cloud Filter driver (cldflt.sys)

A publicly-reported instance of Exploitation for Priv-Esc bypassing Microsoft Windows Cloud Filter driver (cldflt.sys), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Cloud Filter driver (cldflt.sys)
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: High
Status: poc
Disclosed: 2026-05-18
Config / version noted: Not stated

Provenance

Reported as

The vulnerability is a regression in the Cloud Filter driver that enables a local attacker to exploit a previously patched flaw to escalate privileges to SYSTEM.

Mechanism

The vulnerability is a regression in the Cloud Filter driver that enables a local attacker to exploit a previously patched flaw to escalate privileges to SYSTEM. It defeats the original patch, allowing privilege escalation on fully updated systems.

Detection & mitigation

Monitor for unexpected SYSTEM-level processes spawned from low-integrity or user-mode processes, especially those interacting with cldflt.sys. Apply the latest security patches from Microsoft as soon as they are available to remediate the regression.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.