CVE-2022-35757
📋 TL;DR
This vulnerability in the Windows Cloud Files Mini Filter Driver allows attackers to gain SYSTEM-level privileges on affected Windows systems. It affects Windows 10, 11, and Server versions where the driver is present. Successful exploitation requires an attacker to already have local access to the system.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
- Windows 10 1809 by Microsoft
- Windows 10 20h2 by Microsoft
- Windows 10 21h1 by Microsoft
- Windows 10 21h2 by Microsoft
- Windows 11 21h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistence mechanisms.
Likely Case
Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls and execute arbitrary code.
If Mitigated
Limited impact with proper patch management and endpoint protection that detects privilege escalation attempts.
🎯 Exploit Status
Exploitation requires local access and standard user privileges. The vulnerability is in a driver component, making exploitation relatively straightforward for attackers with local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2022 security updates (KB5016616 for Windows 10, KB5016623 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35757
Restart Required: Yes
Instructions:
1. Apply the August 2022 Windows security updates from Windows Update.
2. For enterprise environments, deploy the updates via WSUS, SCCM, or Intune.
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Disable Cloud Files Mini Filter Driver
Temporarily disable the vulnerable driver to prevent exploitation. Caveat: cldflt.sys is the Cloud Files minifilter that OneDrive Files On-Demand and other cloud sync providers depend on, so unloading or disabling it breaks those features until the driver is re-enabled. Both commands must run from an elevated prompt, and the second one keeps the driver from loading again after a reboot.
fltmc unload cldflt
sc config cldflt start= disabled
🧯 If You Can't Patch
- Implement strict endpoint detection and response (EDR) to monitor for privilege escalation attempts
- Restrict local administrative privileges and implement least privilege access controls
🔍 How to Verify
Check if Vulnerable:
Check whether the installed cldflt.sys is a vulnerable version. The registry query below only returns the driver's image path; open that file's Properties > Details tab (or read its VersionInfo in PowerShell) and compare the file version against the one shipped in the August 2022 update. Use: Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\cldflt' -Name ImagePath
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the August 2022 security updates are installed: wmic qfe list | findstr "50166", or check System Information for the update KB numbers. (wmic is deprecated on current Windows builds; the Get-HotFix cmdlet reports the same installed-update data.)
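The three checks above, combined into one script. This is an added example, not part of the advisory: it resolves the driver path from the same registry key the advisory queries, reports the file version of cldflt.sys (the advisory does not state the fixed version, so the script reports rather than judges it), checks the OS build, and looks for the KB numbers the advisory names via Get-HotFix in place of the deprecated wmic. The KB list and the path handling are assumptions you may need to extend for other Windows SKUs.

```powershell
# Added verification script (not from the advisory). Run in an elevated
# PowerShell session; fltmc needs administrator rights.

# KB numbers taken from the advisory above; extend for other SKUs.
$august2022Kbs = @('KB5016616', 'KB5016623')

function Get-CldfltDriverInfo {
    # ImagePath is the value the advisory queries. It may be relative to the
    # Windows directory or prefixed with \SystemRoot\ or \??\, so normalise it.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\cldflt' -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    $path = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    $file = Get-Item -Path $path -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ImagePath   = $svc.ImagePath
        StartType   = $svc.Start   # 0=boot 1=system 2=auto 3=manual 4=disabled
        FileVersion = if ($file) { $file.VersionInfo.FileVersion } else { 'file not found' }
        # True when the minifilter is currently loaded (matches the "fltmc unload" workaround state).
        Loaded      = [bool](fltmc filters 2>$null | Select-String -Pattern '^\s*cldflt\b' -Quiet)
    }
}

function Test-August2022Patch {
    param([string[]]$KbIds = $august2022Kbs)
    # Get-HotFix is the supported replacement for "wmic qfe list".
    $installed = @(Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID })
    [pscustomobject]@{
        Installed = $installed.Count -gt 0
        HotFixes  = ($installed | ForEach-Object { "$($_.HotFixID) ($($_.InstalledOn))" }) -join ', '
    }
}

# OS name and build, equivalent to the systeminfo | findstr check above.
$os = Get-CimInstance Win32_OperatingSystem
"OS: $($os.Caption) build $($os.BuildNumber)"

$drv = Get-CldfltDriverInfo
if ($drv) { $drv | Format-List } else { 'cldflt service not present on this system' }

Test-August2022Patch | Format-List
```

A system that shows the driver loaded, StartType other than 4, and Installed = False is the one to prioritise for patching; a system where the workaround was applied shows Loaded = False and StartType 4, and should still be patched and the driver re-enabled afterwards.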
📡 Detection & Monitoring
Log Indicators:
- Event ID 4697 (Service Installation) for cldflt.sys
- Unexpected privilege escalation events
- Suspicious driver loading
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
EventID=4697 AND (ServiceFileName="*cldflt*" OR ProcessName="*cldflt*")
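A local equivalent of the Event ID 4697 indicator above, for hosts that are not forwarding to a SIEM. This is an added example, not part of the advisory: it reads the Security log with Get-WinEvent, parses the 4697 event data, and keeps entries whose ServiceName or ServiceFileName mentions cldflt. It assumes the "Audit Security System Extension" subcategory is enabled (otherwise 4697 is never written) and that the script runs elevated.

```powershell
# Added detection helper (not from the advisory): surface service-installation
# events (4697) that reference the cldflt driver within the last N days.
function Get-CldfltServiceInstallEvents {
    param([int]$Days = 30)

    $filter = @{
        LogName   = 'Security'
        Id        = 4697
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4697 carries its fields in EventData; pull them out by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        [pscustomobject]@{
            Time            = $_.TimeCreated
            SubjectUser     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            ServiceName     = $data.ServiceName
            ServiceFileName = $data.ServiceFileName
            ServiceType     = $data.ServiceType
            StartType       = $data.ServiceStartType
        }
    } | Where-Object { $_.ServiceFileName -like '*cldflt*' -or $_.ServiceName -like '*cldflt*' }
}

Get-CldfltServiceInstallEvents -Days 30 | Format-Table -AutoSize
```

On a healthy host cldflt is installed by Windows itself, so any 4697 hit for it after build time, especially one whose ServiceFileName points outside System32\drivers, is worth treating as an alert rather than noise.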