CVE-2024-30085

HIGH

Windows Cloud Files Mini Filter Driver - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-30085. PoCs published by Adamkadaban, murdok1982, Alex Birnberg, ssd-disclosure, bwatters-r7, including Metasploit module exploits/windows/local/cve_2024_30085_cloud_files.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-30085, a heap-based overflow vulnerability in the Windows Cloud Filter (cldflt) driver affecting Windows 11 23H2. The exploit leverages ALPC communication and crafted reparse data buffers to trigger the vulnerability.

Description

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploits (3)

nomisec WORKING POC 8 stars
by Adamkadaban · poc
https://github.com/Adamkadaban/CVE-2024-30085

This repository contains a functional exploit for CVE-2024-30085, a heap-based overflow vulnerability in the Windows Cloud Filter (cldflt) driver affecting Windows 11 23H2. The exploit leverages ALPC communication and crafted reparse data buffers to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows 11 23H2 (cldflt.sys)
No auth needed
Prerequisites: Local access to a vulnerable Windows 11 23H2 system
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS
by murdok1982 · poc
https://github.com/murdok1982/Exploit-PoC-para-CVE-2024-30085

The repository claims to be a PoC for CVE-2024-30085 but lacks technical details about the vulnerability. The code simulates interactions with a vulnerable API but does not demonstrate actual exploitation. The README includes donation requests and references an external file for technical details, which is not provided.

Classification: Suspicious 90%
Attack Type: LPE
Complexity: Theoretical
Reliability: Theoretical
Target: Unspecified Windows device driver
No auth needed
Prerequisites: Local access to a vulnerable Windows system
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Alex Birnberg, ssd-disclosure, bwatters-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2024_30085_cloud_files.rb

This Metasploit module exploits a heap overflow vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys) to achieve local privilege escalation on affected Windows versions. It injects a malicious DLL into a Notepad process to trigger the exploit.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Cloud Files Mini Filter Driver (cldflt.sys) on Windows 10/11 and Server 2019/2022
Auth required
Prerequisites: Local access to the target system · Meterpreter or shell session · 64-bit Windows OS
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 7.8
EPSS: 0.1513
EPSS Percentile: 96.3%
Attack Vector: LOCAL
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-122
Status: published
Products (9):
microsoft/windows_10_1809 < 10.0.17763.5936
microsoft/windows_10_21h2 < 10.0.19044.4529
microsoft/windows_10_22h2 < 10.0.19045.4529
microsoft/windows_11_21h2 < 10.0.22000.3019
microsoft/windows_11_22h2 < 10.0.22621.3737
microsoft/windows_11_23h2 < 10.0.22631.3737
microsoft/windows_server_2019 < 10.0.17763.5936
microsoft/windows_server_2022 < 10.0.20348.2522
microsoft/windows_server_2022_23h2 < 10.0.25398.950
Published: Jun 11, 2024
Tracked Since: Feb 18, 2026