CVE-2023-36904
📋 TL;DR
This vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys, the kernel-mode driver behind the Cloud Files API that OneDrive Files On-Demand relies on) allows a local, authenticated attacker to gain SYSTEM privileges by exploiting a buffer overflow in the driver. It affects supported Windows 10 and Windows 11 releases, where the driver ships inbox and is loaded by default. Attackers must already be able to run code on the host: this is a privilege-escalation flaw, not a remote one.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 21H2 by Microsoft
Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, persistence mechanisms, and lateral movement across the network.
Likely Case
Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls, install backdoors, or access protected system resources.
If Mitigated
Limited impact where attackers cannot obtain a local foothold or run untrusted code in the first place (application control, least privilege on workstations) and where endpoint telemetry catches the follow-on activity (new services, scheduled tasks or SYSTEM processes originating from a standard user's session). These controls contain the damage; they do not stop the bug from being triggered by code that is already running as a local user.
🎯 Exploit Status
Requires local authenticated access and kernel-driver exploitation skills; the vulnerable code runs in kernel mode, so turning the overflow into reliable code execution is harder than a typical user-mode bug. No public exploit code was available at the time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2023 security updates (the August 8, 2023 cumulative update for each affected Windows 10 and Windows 11 build; the KB number for each build is listed in the vendor advisory)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36904
Restart Required: Yes
Instructions:
1. Apply the August 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS, Configuration Manager, or Intune.
3. Restart systems after installation; the in-use driver is only replaced at the next boot, so a host with a pending restart is still running the vulnerable cldflt.sys.
🔧 Temporary Workarounds
Disable Cloud Files Mini Filter Driver
Temporarily unload the vulnerable driver if patching is not immediately possible. From an elevated prompt:
fltmc unload CldFlt
Caveats: the unload is not persistent (the driver is loaded again at the next boot unless its service start type is also changed, e.g. sc config CldFlt start= disabled); the unload can fail if the driver declines to detach its active instances, so check the fltmc exit code; and while CldFlt is absent, OneDrive Files On-Demand and any other Cloud Files API sync provider stop working because placeholder files can no longer be hydrated. Record the original start type before changing it so the workaround can be reverted after patching.
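A fuller version of this workaround, added here as an example (it is not part of the original advisory and not Microsoft tooling): PowerShell that records the driver's current start mode, prevents the filter from reloading at boot, unloads it, and can reverse the change once the August 2023 update is installed. It assumes the stock names CldFlt (service and filter name) and cldflt.sys, uses Win32_SystemDriver because Get-Service does not enumerate kernel drivers, and must run from an elevated prompt.

```powershell
# Added example, not from the original advisory. Assumes the stock filter/service
# name "CldFlt". Run elevated. Win32_SystemDriver is used instead of Get-Service
# because Get-Service does not list kernel drivers.

function Get-CldFltState {
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CldFlt'" -ErrorAction SilentlyContinue
    # fltmc prints a table of loaded minifilters; look for the CldFlt row.
    $loaded = (& fltmc.exe filters 2>$null) | Select-String -Pattern '^\s*CldFlt\b' -Quiet
    [pscustomobject]@{
        Loaded          = [bool]$loaded
        StartMode       = if ($drv) { $drv.StartMode } else { 'NotInstalled' }
        OneDriveRunning = @(Get-Process -Name OneDrive -ErrorAction SilentlyContinue).Count -gt 0
    }
}

# Map Win32_SystemDriver.StartMode values to the keywords sc.exe expects.
$script:ScStartKeyword = @{ Boot = 'boot'; System = 'system'; Auto = 'auto'; Manual = 'demand'; Disabled = 'disabled' }

function Disable-CldFlt {
    $before = Get-CldFltState
    if ($before.StartMode -eq 'NotInstalled') { throw 'CldFlt driver is not present on this host.' }
    if ($before.OneDriveRunning) {
        Write-Warning 'OneDrive is running: Files On-Demand placeholders stop working once CldFlt is unloaded.'
    }
    # 1. Stop the driver from loading again at boot; fltmc unload alone is not persistent.
    & sc.exe config CldFlt start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc config failed with exit code $LASTEXITCODE" }
    # 2. Unload the running instance. The driver may refuse to detach; a reboot then completes the job.
    $output = & fltmc.exe unload CldFlt 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "fltmc unload failed ($($output -join ' ')); start mode is now Disabled, so reboot to finish."
    }
    # Return the original start mode so Enable-CldFlt can restore it after patching.
    [pscustomobject]@{ OriginalStartMode = $before.StartMode; Now = Get-CldFltState }
}

function Enable-CldFlt {
    param([Parameter(Mandatory)][ValidateSet('Boot', 'System', 'Auto', 'Manual')][string]$OriginalStartMode)
    $kw = $script:ScStartKeyword[$OriginalStartMode]
    & sc.exe config CldFlt start= $kw | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc config failed with exit code $LASTEXITCODE" }
    & fltmc.exe load CldFlt 2>&1 | Out-Null
    Get-CldFltState
}

# Usage:
#   $r = Disable-CldFlt                                   # store $r.OriginalStartMode somewhere durable
#   Enable-CldFlt -OriginalStartMode $r.OriginalStartMode # after the August 2023 update is installed
```

Disable-CldFlt changes the start type before attempting the unload on purpose: if the unload is refused, the host is still protected after its next reboot, and the returned OriginalStartMode is what Enable-CldFlt needs to put things back.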
🧯 If You Can't Patch
- Apply application control (WDAC or AppLocker) so untrusted user-mode executables cannot run: the exploit has to execute as a local process, whereas cldflt.sys itself is a signed inbox Microsoft driver that driver-blocking policies will not (and should not) stop
- Enforce least privilege on endpoints and monitor for privilege-escalation indicators (new services, scheduled tasks or processes running as SYSTEM that originate from a standard user's session)
🔍 How to Verify
Check if Vulnerable:
cldflt.sys is a file-system minifilter, not a PnP device driver, so it does not appear in Win32_PnPSignedDriver. Read the file version directly and compare it with the version listed in the KB file-information table for your build:
(Get-Item "$env:SystemRoot\System32\drivers\cldflt.sys").VersionInfo | Select-Object FileVersion, ProductVersion
A version older than the one shipped in the August 2023 update means the host is vulnerable. Use fltmc filters to see whether the CldFlt filter is currently loaded.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Confirm that cldflt.sys now reports the version shipped in the August 2023 update and that the corresponding cumulative update appears in the update history (Get-HotFix, or Settings > Windows Update > Update history). Because the in-use driver is replaced only at reboot, a host with a pending restart is still running the old driver.
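An added example (not from the original advisory) that gathers everything the checks above need in one report: the cldflt.sys file version, the OS build and update build revision (UBR), whether the CldFlt filter is loaded, and which updates were installed on or after the August 8, 2023 release. The fixed driver version and UBR differ per build and are deliberately not hard-coded; the -MinimumUbrByBuild hashtable is a placeholder the operator fills from the MSRC advisory and KB file-information tables.

```powershell
# Added example, not from the original advisory. Assumes the stock driver path.
# Fixed-UBR thresholds are NOT known to this script; supply them from the MSRC
# advisory / KB file information, e.g. @{ 19045 = <ubr from KB> }.

function Get-CldFltPatchStatus {
    param(
        # Kernel build number -> minimum UBR that carries the August 2023 fix (placeholder, operator-supplied).
        [hashtable]$MinimumUbrByBuild = @{},
        [datetime]$PatchTuesday = [datetime]'2023-08-08'
    )
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    if (-not (Test-Path -LiteralPath $driverPath)) {
        return [pscustomobject]@{ DriverPresent = $false; Vulnerable = $false; Note = 'cldflt.sys not present' }
    }
    $vi = (Get-Item -LiteralPath $driverPath).VersionInfo
    # Assemble the version from the numeric parts; the FileVersion string can carry build-lab suffixes.
    $driverVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # $null means "no threshold supplied for this build", which is different from "not vulnerable".
    $vulnerable = if ($MinimumUbrByBuild.ContainsKey($build)) { $ubr -lt [int]$MinimumUbrByBuild[$build] } else { $null }

    # Updates installed on or after Patch Tuesday; InstalledOn can be empty for some entries.
    $recentUpdates = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn | Select-Object -ExpandProperty HotFixID

    $loaded = (& fltmc.exe filters 2>$null) | Select-String -Pattern '^\s*CldFlt\b' -Quiet

    [pscustomobject]@{
        DriverPresent     = $true
        DriverVersion     = $driverVersion
        OSBuild           = "$build.$ubr"
        DisplayVersion    = $cv.DisplayVersion      # e.g. 22H2; absent on 1809
        FilterLoaded      = [bool]$loaded
        UpdatesSincePatch = ($recentUpdates -join ', ')
        Vulnerable        = $vulnerable
    }
}

# Usage (replace the zeros with the fixed UBR for each build taken from the KB article):
#   Get-CldFltPatchStatus -MinimumUbrByBuild @{ 19045 = 0; 22621 = 0 }
```

The report keeps the three signals separate on purpose: a new driver file with the filter still reporting as loaded after a pending restart, or a recent hotfix ID without the expected UBR, are the two states in which a quick "is the KB installed" check gives the wrong answer.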
📡 Detection & Monitoring
Log Indicators:
- The vulnerable driver is a Microsoft inbox component that is already loaded on every affected host, so loading of cldflt.sys itself is normal and not an indicator; the bug is triggered from an ordinary user-mode process
- Event ID 4697 (a service was installed) and Sysmon Event ID 6 (driver loaded): persistence or a malicious driver dropped once the attacker holds SYSTEM
- Event ID 4688 process creation where the Creator Subject is a standard user but the Target Subject is SYSTEM, and privilege-escalation patterns in endpoint detection logs
Network Indicators:
- Unusual outbound connections following local privilege escalation
- Lateral movement attempts from previously low-privilege accounts
SIEM Query (Splunk-style; the field names are those of the Splunk Add-on for Windows and must be adjusted to your schema):
source="windows_security" EventCode=4697 NOT Service_File_Name="*\\Windows\\*" NOT Service_File_Name="*\\Program Files*" | table _time, Account_Name, Service_Name, Service_File_Name
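The same triage logic for Event ID 4697, added here as a runnable example (not part of the original advisory): it flags service installations whose binary sits outside the Windows or Program Files trees, and kernel or file-system drivers registered from outside System32\drivers. It runs over constructed sample records (not real telemetry) so it works offline; ConvertFrom-SecurityEvent is the assumed adapter that turns live Get-WinEvent records into the same flat shape, using the EventData field names from the Security log's XML.

```powershell
# Added example, not from the original advisory. Field names (SubjectUserName,
# ServiceName, ServiceFileName, ServiceType) are the EventData names in the
# Security log XML for Event ID 4697. The sample records below are constructed.

function ConvertFrom-SecurityEvent {
    # Flatten a live event record's EventData into a plain object keyed by field name.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $xml = [xml]$Record.ToXml()
        $o = [ordered]@{ Id = $Record.Id; TimeCreated = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

function Find-SuspiciousServiceInstall {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    begin {
        # Roots a legitimately installed service binary normally lives under (optional NT prefix and quotes).
        $trustedRoot = '^(\\\?\?\\)?"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
        $driverTypes = '0x1', '0x2'   # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
    }
    process {
        if ($Event.Id -ne 4697) { return }
        $image   = [string]$Event.ServiceFileName
        $reasons = @()
        if ($image -notmatch $trustedRoot) {
            $reasons += 'binary outside Windows\ or Program Files'
        }
        if ($Event.ServiceType -in $driverTypes -and $image -notmatch '\\System32\\drivers\\') {
            $reasons += 'kernel driver outside System32\drivers'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $Event.TimeCreated
                Account = $Event.SubjectUserName
                Service = $Event.ServiceName
                Image   = $image
                Why     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real telemetry): one routine install, two that warrant a look,
# and one unrelated event that the filter must ignore.
$sample = @(
    [pscustomobject]@{ Id = 4697; TimeCreated = [datetime]'2023-08-10T09:00:00'; SubjectUserName = 'WKS01$'
                       ServiceName = 'WpnUserService_1a2b'; ServiceType = '0x20'
                       ServiceFileName = 'C:\Windows\System32\svchost.exe -k UnistackSvcGroup' }
    [pscustomobject]@{ Id = 4697; TimeCreated = [datetime]'2023-08-10T09:13:42'; SubjectUserName = 'alice'
                       ServiceName = 'WinUpdHelper'; ServiceType = '0x10'
                       ServiceFileName = 'C:\Users\alice\AppData\Local\Temp\upd.exe' }
    [pscustomobject]@{ Id = 4697; TimeCreated = [datetime]'2023-08-10T09:14:05'; SubjectUserName = 'WKS01$'
                       ServiceName = 'nvdrv2'; ServiceType = '0x1'
                       ServiceFileName = '\??\C:\ProgramData\nv\nvdrv2.sys' }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2023-08-10T09:15:00'; SubjectUserName = 'alice' }
)

$sample | Find-SuspiciousServiceInstall | Format-Table -AutoSize

# Live use:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697 } |
#       ConvertFrom-SecurityEvent | Find-SuspiciousServiceInstall
```

Against the sample set the first record is silent and the second and third are reported (the third for both reasons). The path heuristic is intentionally coarse: an attacker who already holds SYSTEM can write into System32, so treat this as a cheap first filter in front of binary-reputation or signature checks, not as the whole detection.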