The Immutable Illusion: Pwning Your Kernel with Cloud Files — Elastic Security Labs

Keypoints

• New exploit variant “Redux” abuses the built-in Cloud Files capability (cldflt.sys/CfExecute) to rehydrate and overwrite files that Windows assumes are immutable, enabling kernel-level exploitation without SMB redirectors.
• Experiments show IoCreateFileEx(IO_IGNORE_SHARE_ACCESS_CHECK) and FltWriteFileEx can be used by kernel components to open or write to files that are not opened for FILE_WRITE_DATA, undermining Windows sharing and immutability assumptions.
• Differences between client and server FCB semantics (SMB) explain earlier network-based FFI exploits; Redux demonstrates the same impact can be achieved purely via Cloud Files interactions on the local system.
• Authors implemented four experiments (ExperimentOne–Four) to prove behavior: IO_IGNORE_SHARE_ACCESS_CHECK opening denied files, SEC_IMAGE protections blocking local writes, SMB/server-side bypass, and FltWriteFileEx writing to non-writable FILE_OBJECTs.
• Redux and GodFault-Redux PoCs were released; a mitigation minifilter was provided to MSRC and an Elastic Defend policy flag is available to block the technique on affected systems.
• Microsoft patched some Windows versions but chose not to patch all affected Mainstream-support builds, leaving a “forever-day” window on several fully-patched systems as of February 2026.