CVE-2023-29361

7.0 HIGH

📋 TL;DR

This vulnerability in the Windows Cloud Files Mini Filter Driver allows an attacker to gain SYSTEM-level privileges on affected Windows systems. It affects Windows 10, 11, and Server versions where the Cloud Files feature is enabled. An attacker must already have local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Windows 10
  • Windows 11
  • Windows Server 2019
  • Windows Server 2022
Versions: Multiple versions prior to May 2023 security updates
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Cloud Files feature (used by OneDrive, Dropbox, etc.) to be enabled, which is common in default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and persistence mechanisms.

🟠 Likely Case

Local privilege escalation from a standard user or low-privileged account to SYSTEM, allowing lateral movement and persistence.

🟢 If Mitigated

Limited impact if proper patch management and least privilege principles are enforced, though local attackers could still escalate privileges.

🌐 Internet-Facing: LOW - Requires local access; not directly exploitable over network.
🏢 Internal Only: HIGH - Local attackers or malware with initial foothold can exploit to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and some technical knowledge; no public exploit code was available at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2023 security updates (KB5026361 for Windows 10, KB5026372 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29361

Restart Required: Yes

Instructions:

1. Apply the May 2023 Windows security updates via Windows Update.
2. For enterprise: deploy the updates through WSUS or SCCM.
3. Verify installation via winver or systeminfo.

🔧 Temporary Workarounds

Disable Cloud Files Mini Filter Driver (Windows)

Temporarily disable the vulnerable driver if patching isn't immediately possible:

fltmc unload cldflt

🧯 If You Can't Patch

  • Implement strict least privilege access controls to limit local user accounts
  • Monitor for suspicious privilege escalation attempts using EDR/SIEM tools

🔍 How to Verify

Check if Vulnerable:

Check if May 2023 security updates are installed via 'systeminfo' or Windows Update history

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5026361 (Win10) or KB5026372 (Win11) is installed and system has been restarted
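The two verification steps above (update installed, system restarted) plus a check of whether the cldflt minifilter is currently loaded, as an added PowerShell script that is not part of the original advisory. It assumes the KB numbers quoted above; the list must be extended for builds the advisory covers only with "etc.", and it should run from an elevated prompt because fltmc requires it.

```powershell
# Added example (not from the original page): check whether the May 2023 fix
# for CVE-2023-29361 is present and whether the Cloud Files filter is loaded.
# KB numbers are taken from the advisory text above; add others for your build.
$FixKbs = @('KB5026361', 'KB5026372')   # Windows 10 / Windows 11

# 1. Is one of the listed security updates recorded as installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $FixKbs -contains $_.HotFixID }

# 2. Is the Cloud Files minifilter (cldflt) loaded right now?
#    'fltmc filters' lists loaded minifilters, one per line, name first.
$cldfltLoaded = (fltmc filters 2>$null) -match '^\s*cldflt\b'

# 3. Has the machine rebooted since the update was applied?
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

if ($installed) {
    $kb = $installed | Select-Object -First 1
    Write-Host "Fix present: $($kb.HotFixID) installed $($kb.InstalledOn)"
    if ($kb.InstalledOn -and $kb.InstalledOn -gt $lastBoot) {
        Write-Warning "Update installed after last boot ($lastBoot); restart still required."
    }
} else {
    Write-Warning "None of $($FixKbs -join ', ') found; check for a newer cumulative update before treating the host as vulnerable."
}

if ($cldfltLoaded) {
    Write-Host "cldflt minifilter is loaded (Cloud Files feature active)."
} else {
    Write-Host "cldflt minifilter is not loaded."
}
```

Windows cumulative updates supersede one another, so a host patched later than May 2023 shows a newer KB rather than the two listed here; absence of these IDs alone does not prove the host is vulnerable. Note also that `fltmc unload cldflt` is not persistent, so the loaded-filter check is worth repeating after every reboot while the workaround is in use.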

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4697: Service installation attempts
  • Suspicious driver loading events
  • Privilege escalation patterns

Network Indicators:

  • Not applicable - local exploit only

SIEM Query:

EventID=4697 AND (ServiceFileName="*cldflt*" OR ServiceName="Cloud Files Filter Driver")
