Illustration of a broken Windows security shield, symbolizing a resurfaced vulnerability.

CybersecurityTrending

Old Windows bug grants SYSTEM access

TL;DR: A Windows vulnerability in the Cloud Filter driver, thought to be patched six years ago, is still exploitable. A security researcher has demonstrated a new method to exploit the flaw, allowing an attacker to gain full SYSTEM-level privileges on an affected machine.

By Neeraj DhimanCSO Online1h ago1 min readupdated 10m ago

Source

Key facts

Category: Cybersecurity
Impact: Low
Published: 1h ago
Source: CSO Online

Full summary

A previously 'patched' Windows bug has resurfaced, allowing attackers to gain the highest level of system access on affected machines.

A significant elevation-of-privilege vulnerability in the Windows Cloud Filter driver, cldflt.sys, has been found to be exploitable again, six years after Microsoft supposedly patched it. The flaw was originally discovered and reported by a Google Project Zero researcher in 2020. Recently, another security researcher revisited the issue and developed a new working exploit. This new method successfully bypasses the original fix, allowing an attacker to gain SYSTEM-level privileges on a vulnerable machine. It remains unclear whether the initial patch was ineffective or if it was unintentionally removed in a subsequent Windows update, but the vulnerability is now actively demonstrable.

The ability to gain SYSTEM privileges is a critical security risk. It gives an attacker the highest level of control over a Windows system, equivalent to the operating system itself. With this access, they can install persistent malware, access or exfiltrate sensitive data, disable security software, and move laterally across a network. The resurfacing of a 'patched' vulnerability also raises serious questions about the long-term effectiveness of security fixes and the potential for regression in complex codebases. IT and security teams should be aware that a previously mitigated threat may have re-emerged, requiring renewed vigilance and monitoring for suspicious activity.

Why it matters

A 'patched' vulnerability becoming exploitable again undermines trust in security fixes. Gaining SYSTEM-level access allows an attacker to completely compromise a machine, posing a severe risk to data integrity and network security.

Business impact

Compromised systems can lead to data breaches, operational downtime, and significant financial and reputational damage. The exploit could be used as a key step in a larger ransomware or corporate espionage attack, making it a high-priority concern for all businesses running Windows.

Action checklist

1Monitor Microsoft security advisories for an official patch.
2Ensure endpoint detection and response (EDR) solutions are active and updated.
3Review and enforce the principle of least privilege for user accounts.
4Keep systems updated with the latest general security patches from Microsoft.