Zero-Day Alert: Actively Exploited Windows Cloud Files Flaw (CVE-2023-36036) Grants Full SYSTEM Privilege


Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related:cyberbivash.blogspot.com

Published by CyberDudeBivash • Date: Oct 31, 2025 (IST)


Microsoft’s November 2023 Patch Tuesday updates (released Nov 14, 2023) fixed CVE-2023-36036, an elevation-of-privilege bug in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that was already being exploited in the wild to gain SYSTEM. NVD scores it CVSS 7.8 (High), and because the driver is present across supported Windows client and server versions, any host that has not taken the November 2023 (or later) cumulative update is exposed.

TL;DR — Prioritize Patching & Hunt for Local EoP

  • What: Local Elevation of Privilege in cldflt.sys (Windows Cloud Files). Actively exploited to gain SYSTEM
  • Status: Fixed by Microsoft in Nov 2023; added to CISA KEV (known exploited). 
  • Risk: Turns a foothold (phish, macro, low-priv shell) into full takeover of the host; common in post-exploitation chains.
  • Action: Patch, verify driver build, hunt for suspicious token/handle abuse, and lock down local attacker paths (LPE hardening, EDR).

Contents

  1. About CVE-2023-36036 (Cloud Files Mini Filter)
  2. Affected Versions & Why It’s Widely Risky
  3. Detections & Hunt Ideas (SOC/EDR/SIEM)
  4. Fix & Validation Checklist
  5. Enterprise Guardrails
  6. FAQ
  7. Sources

About CVE-2023-36036 (Cloud Files Mini Filter)

CVE-2023-36036 is an Elevation of Privilege flaw in Windows’ Cloud Files Mini Filter Driver that enables a local attacker to escalate to SYSTEM. Microsoft and multiple vendors confirm active exploitation in the wild. 

Affected Versions & Why It’s Widely Risky

  • Impacts **Windows 10 and later** and **Windows Server 2008 and later** per contemporary reporting; prevalence of the driver increases attack surface.
  • Classified **High (7.8)**; exploited to chain from user to **SYSTEM** in real-world attacks. 
  • Listed in **CISA KEV** with mitigation requirement to apply vendor fixes. 

Detections & Hunt Ideas (SOC/EDR/SIEM)

Because CVE-2023-36036 is a local EoP, focus on post-foothold signals:

  • Process ancestry to SYSTEM: Alert when a low-privilege user process quickly spawns, opens handles to, or injects into services.exe or lsass.exe, or spawns shells running as NT AUTHORITY\SYSTEM without an approved admin tool in the chain.
  • Driver/mini-filter anomalies: cldflt.sys is a file-system mini-filter, so user-mode code reaches it through the Cloud Files API (cfapi.dll) and file-system control operations on cloud placeholder (reparse-point) files and sync roots rather than through a device handle. Flag processes other than known sync clients (OneDrive and similar) that load cfapi.dll or issue reparse-point/FSCTL operations against sync roots shortly before a privilege-boundary change (EDR telemetry).
  • Token abuse: Detect unexpected use of SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege (Security event 4673, sensitive privilege use) or service creation from non-admin SIDs shortly before a user session gains a SYSTEM process.
  • Persistence after EoP: New services (System 7045 / Security 4697), scheduled tasks (4698), or drivers created within 5 minutes of an alert for suspicious privilege use.
# SIEM concept (Windows Security Event 4688): a standard-user creator token whose new process runs as SYSTEM
where EventID == 4688
  and SubjectUserSid not in {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # creator is a normal user, not SYSTEM / LOCAL SERVICE / NETWORK SERVICE
  and TargetUserSid == "S-1-5-18"                                   # Target Subject is only populated when the new process token differs
  and NewProcessName endswith any of ("\cmd.exe", "\powershell.exe", "\wscript.exe", "\cscript.exe")
| count by Computer, SubjectUserName within 2m
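
The hunt bullets and the SIEM concept above, as an added example that is not code from the original post or from any vendor: a small correlation rule over Windows Security 4688 process-creation events that flags a process whose creator (Subject) token belongs to an ordinary user while the new process’s own (Target) token is SYSTEM, then looks on the same host for a new service (7045) or scheduled task (4698) within five minutes. The field names follow the Event 4688 XML as a typical forwarder exports it to JSON; the allowlist path and all sample events are constructed for illustration, not captured telemetry.

```python
"""Correlate Windows 4688 process-creation events into local-EoP alerts.
Added example; event records below are constructed, not real telemetry."""
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE create SYSTEM processes legitimately
NO_TARGET = {"", "-", "S-1-0-0"}                      # 4688 leaves Target Subject empty / NULL SID when the token did not change
APPROVED_ELEVATION_PARENTS = {r"c:\program files\approved-admin\psexesvc.exe"}  # hypothetical allowlist of sanctioned admin tooling
PERSISTENCE_EVENTS = {7045: "service installed", 4698: "scheduled task created"}
WINDOW = timedelta(minutes=5)

def ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])

def effective_token_sid(ev):
    """SID the new process actually runs as: Target Subject when populated, otherwise the creator."""
    target = ev.get("TargetUserSid", "-")
    return ev["SubjectUserSid"] if target in NO_TARGET else target

def is_privilege_jump(ev):
    """4688 whose creator is a non-service account but whose new process runs as SYSTEM."""
    if ev["EventID"] != 4688 or ev["SubjectUserSid"] in SERVICE_SIDS:
        return False
    if ev.get("ParentProcessName", "").lower() in APPROVED_ELEVATION_PARENTS:
        return False
    return effective_token_sid(ev) == SYSTEM_SID

def correlate(events):
    """Return one alert per privilege jump, enriched with persistence events that follow it on the same host."""
    events = sorted(events, key=ts)
    alerts = []
    for i, ev in enumerate(events):
        if not is_privilege_jump(ev):
            continue
        t0 = ts(ev)
        followups = [
            f"{e['EventID']} {PERSISTENCE_EVENTS[e['EventID']]}: {e.get('Detail', '')}"
            for e in events[i + 1:]
            if e["Computer"] == ev["Computer"]
            and e["EventID"] in PERSISTENCE_EVENTS
            and ts(e) - t0 <= WINDOW
        ]
        alerts.append({
            "computer": ev["Computer"],
            "user": ev["SubjectUserName"],
            "process": ev["NewProcessName"],
            "parent": ev.get("ParentProcessName", ""),
            "time": ev["TimeCreated"],
            "followups": followups,
            "severity": "critical" if followups else "high",   # EoP followed by persistence outranks EoP alone
        })
    return alerts

SAMPLE_EVENTS = [  # constructed for illustration; not captured telemetry
    {"TimeCreated": "2025-10-31T09:00:00", "Computer": "WS-0142", "EventID": 4688,
     "SubjectUserSid": "S-1-5-18", "SubjectUserName": "WS-0142$", "TargetUserSid": "-",
     "NewProcessName": r"C:\Windows\System32\svchost.exe", "ParentProcessName": r"C:\Windows\System32\services.exe"},
    {"TimeCreated": "2025-10-31T09:01:10", "Computer": "WS-0142", "EventID": 4688,
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1105", "SubjectUserName": "alice", "TargetUserSid": "-",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"TimeCreated": "2025-10-31T09:01:42", "Computer": "WS-0142", "EventID": 4688,
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1105", "SubjectUserName": "alice",
     "TargetUserSid": "S-1-5-18", "TargetUserName": "SYSTEM",   # standard user's process now holds a SYSTEM token
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeCreated": "2025-10-31T09:03:20", "Computer": "WS-0142", "EventID": 7045,
     "Detail": r"ServiceName=UpdaterSvc ImagePath=C:\Users\Public\upd.exe"},
    {"TimeCreated": "2025-10-31T09:02:00", "Computer": "WS-0199", "EventID": 4688,
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1201", "SubjectUserName": "bob",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-1201",   # UAC elevation: same user, elevated token; not a jump to SYSTEM
     "NewProcessName": r"C:\Windows\System32\mmc.exe", "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
    {"TimeCreated": "2025-10-31T09:02:30", "Computer": "WS-0199", "EventID": 4698,
     "Detail": "TaskName=\\Maint"},   # persistence with no preceding jump on this host: not correlated
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["computer"], a["user"], "->", a["process"], "|", "; ".join(a["followups"]))
```

On the sample set only alice’s PowerShell on WS-0142 fires (critical, because the service install follows it within the window); services.exe spawning svchost.exe is ignored because the creator is SYSTEM, and bob’s UAC elevation is ignored because the Target SID is still bob’s own. Tune SERVICE_SIDS and the parent allowlist to your estate before putting the rule in front of analysts.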

Fix & Validation Checklist

  1. Patch Windows with the November 2023 security updates (or later cumulative). Prioritize endpoints exposed to phishing or untrusted code execution. 
  2. Verify build: Confirm the OS build (including the fourth component, the UBR) and the on-disk cldflt.sys file version under %SystemRoot%\System32\drivers match your November 2023-or-later baseline for that SKU, and confirm your EDR or driver-control policy is not blocking the updated driver.
  3. Reboot & retest: The updated mini-filter only replaces the old one in memory after a restart, so a host that reports the update as installed but still has a reboot pending is still running the vulnerable driver. After the reboot, confirm CldFlt is listed by fltmc filters (elevated prompt) and run your post-patch validation playbook (vulnerability-scanner re-check and KEV status; a standard user should no longer have a path to SYSTEM through this driver).
  4. Compensating controls: If some hosts can’t be patched immediately, tighten software restriction policies/AppLocker, block unapproved drivers, and restrict local admin rights.
  5. Track KEV: Keep a live watchlist for CVE-2023-36036 in your vulnerability scanner/asset inventory. 
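
The checklist above as a worked triage, an added example that is not code from the original post: classify a patch-inventory export into patched, patched-but-pending-reboot, unpatched, and unknown-release hosts. Each record is assumed to carry the OS build the host reports (major.minor.build.UBR) and whether a reboot is pending (the usual Component Based Servicing RebootPending / WindowsUpdate RebootRequired registry keys). The baseline builds are illustrative values; take the real minimum build for each SKU from the Microsoft Security Update Guide and your gold image, and the inventory records are constructed.

```python
"""Triage hosts for CVE-2023-36036 remediation state from an inventory export.
Added example; baseline builds are illustrative and the inventory is constructed."""

def vtuple(version):
    """'10.0.19045.3693' -> (10, 0, 19045, 3693): compare versions numerically, never as strings."""
    return tuple(int(part) for part in version.split("."))

# release -> first OS build carrying the November 2023 cumulative update (illustrative; verify per SKU)
MIN_BUILD = {
    "Windows 10 22H2": "10.0.19045.3693",
    "Windows 11 22H2": "10.0.22621.2715",
}

def assess_host(rec, min_build=MIN_BUILD):
    """Classify one host: 'patched', 'patched-pending-reboot', 'unpatched' or 'unknown-release'."""
    required = min_build.get(rec["release"])
    if required is None:
        return "unknown-release"            # e.g. an ESU-only release missing from the baseline: handle by hand
    if vtuple(rec["os_build"]) >= vtuple(required):
        return "patched"
    # The reported build only advances once the update is applied at restart, so an old
    # build with a reboot pending means the vulnerable cldflt.sys is still the one loaded.
    if rec.get("pending_reboot"):
        return "patched-pending-reboot"
    return "unpatched"

def triage(inventory, min_build=MIN_BUILD):
    """Group host names by remediation state, preserving inventory order within each group."""
    report = {}
    for rec in inventory:
        report.setdefault(assess_host(rec, min_build), []).append(rec["host"])
    return report

SAMPLE_INVENTORY = [  # constructed records, not real hosts
    {"host": "WS-0142", "release": "Windows 10 22H2", "os_build": "10.0.19045.3570", "pending_reboot": False},
    {"host": "WS-0143", "release": "Windows 10 22H2", "os_build": "10.0.19045.3570", "pending_reboot": True},
    {"host": "WS-0144", "release": "Windows 10 22H2", "os_build": "10.0.19045.3693", "pending_reboot": False},
    {"host": "LT-0021", "release": "Windows 11 22H2", "os_build": "10.0.22621.999", "pending_reboot": False},  # string compare would wrongly rank 999 above 2715
    {"host": "SRV-0003", "release": "Windows Server 2008 R2", "os_build": "6.1.7601.26816", "pending_reboot": False},
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state:24} {', '.join(hosts)}")
```

The same vtuple comparison applies to the cldflt.sys FileVersion pulled from each host (Get-Item on the driver path, then .VersionInfo.FileVersion) against the version in your gold image; feed that in as a second check for hosts that report patched but whose driver file was not replaced.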

Enterprise Guardrails

  • Least-priv endpoints: Remove local admin where possible; enforce Just-In-Time admin and PAM for elevation.
  • Exploit chain breaks: Harden browser/email to reduce footholds; pair with script-control and WDAC to limit arbitrary binaries.
  • EDR prevention: Block suspicious driver loads; monitor mini-filter driver interactions; alert on rapid privilege transitions.
  • Patch hygiene: Treat **CVE-2023-36036**, **CVE-2023-36033** (DWM EoP), and **CVE-2023-36025** (SmartScreen bypass) as a set to reduce chained abuse. 

FAQ

Is CVE-2023-36036 still a “zero-day” today?

It was patched on Nov 14, 2023, but remains noteworthy because it’s confirmed exploited and frequently appears in post-exploitation chains on unpatched hosts. 

Does exploitation require admin or user interaction?

Reports indicate an attacker with local code execution can exploit the flaw to become SYSTEM, without additional user interaction.

Which Windows builds are covered?

Coverage spans Windows 10/11 and Windows Server releases (2008+), per vendor research and media summaries. Always consult the Microsoft Security Update Guide for exact KBs for your SKU. 

Sources

  • CrowdStrike — “Actively Exploited Zero-Day Affects Windows Cloud Files Mini Filter Driver (CVE-2023-36036)” (Nov 15, 2023).
  • Tenable — “Microsoft’s November 2023 Patch Tuesday Addresses 57 CVEs” (includes CVE-2023-36036 details, cldflt.sys, exploited). 
  • CISA — Known Exploited Vulnerabilities Catalog: CVE-2023-36036 entry. 
  • NVD — CVE-2023-36036 record (CVSS 7.8, EoP). 
  • The Record — CISA adds Microsoft CVEs incl. CVE-2023-36036; versions impacted. 
  • WIRED (Nov 2023 round-up) — notes CVE-2023-36036 as EoP fixed in Nov updates.


#CyberDudeBivash #CyberBivash #Windows #CVE202336036 #cldflt #PrivilegeEscalation #EDR #PatchTuesday #ThreatWire
