CVE-2024-30085 is a local elevation-of-privilege vulnerability in the Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys). The bug is described as a heap-based buffer overflow in the HsmIBitmapNORMALOpen function. In the vulnerable path, cldflt.sys allocates a fixed 0x1000-byte paged-pool HsBm object and then performs a memcpy using attacker-controlled data derived from a reparse point, with an attacker-influenced memcpy_size, without validating that the copy length does not exceed the allocation size. By crafting malicious cloud-file reparse point data, including use of IO_REPARSE_TAG_CLOUD_6, an attacker can trigger an out-of-bounds write in kernel paged-pool memory. The described exploitation chain uses the overflow to corrupt adjacent kernel objects, including _WNF_STATE_DATA objects, to obtain out-of-bounds read/write, leak kernel pointers, corrupt a PipeAttribute object for arbitrary read, and then abuse forged ALPC-related structures to achieve arbitrary kernel write. The final stage overwrites token privileges and spawns a shell as NT AUTHORITY\SYSTEM.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a Python proof-of-concept (PoC) exploit for CVE-2024-30085, a local privilege escalation vulnerability in Microsoft Windows. The main exploit file, CVE202430085.py, simulates interaction with a vulnerable device or driver via the Windows API (CreateFileW and DeviceIoControl). The script attempts to open a handle to a device at \\.\vulnerable_device and sends a specific control code (0x222003) to trigger the vulnerability. If successful, it launches a command shell (cmd.exe) with elevated privileges. The exploit requires local access as a standard user on a vulnerable Windows system. The repository also includes a detailed explanation of the vulnerability and exploitation steps (Explicacion.txt) and a README summarizing the exploit's purpose. No network endpoints are present; the attack vector is local, targeting a device or driver accessible on the Windows system.
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-30085, a heap-based buffer overflow vulnerability in the Windows cloud filter driver (cldflt.sys) affecting Windows 11 23H2. The exploit is implemented in C++ across two main files: 'main.cpp' (the core exploit logic) and 'main.h' (definitions and structures). The exploit leverages low-level Windows APIs and ALPC (Advanced Local Procedure Call) primitives to manipulate kernel memory and escalate privileges. Upon successful exploitation, it spawns a new command prompt (cmd.exe) with SYSTEM privileges, demonstrating local privilege escalation. The exploit requires local execution on a vulnerable Windows 11 23H2 system and does not target network services. Notable hardcoded file paths include the payload path ('C:\Windows\System32\cmd.exe') and target directories used during exploitation. The repository is a standalone PoC and not part of any exploit framework.
21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Unknown (referenced as a Windows local exploit module name in Metasploit; no vulnerability details are provided in the content).
A heap-based buffer overflow in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that can be triggered via crafted reparse point data, enabling kernel memory corruption and local privilege escalation to SYSTEM.
A privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver.
Windows Cloud Files Mini Filter Driver (cldflt.sys) elevation of privilege enabling post-compromise escalation to SYSTEM; assessed as more likely to be exploited.