Attacker Value
(1 user assessed)
Very High
(1 user assessed)

OneDrive DLL hijack privilege escalation

Last updated July 31, 2020


There exists a DLL hijacking vulnerability in OneDrive versions after 20.073.


Technical Analysis

EDIT: This is not a privilege escalation per se. This overwrites the DLL and gains injection, but it relies on a second user with greater privileges to log in and kick off OneDrive.

This exploit was not granted a CVE, but it was patched by an automated patch rollout. Microsoft denied the CVE as the update will happen automatically (see [here]{} for more information).
The exploit is a very simple DLL hijacking vulnerability in the OneDrive executable. The OneDrive executable will attempt to load a specific (and often non-existent) DLL if a specific config file is present.
Specifically, OneDrive will load the DLL C:\Qt\Qt-5.11.1\qml\QtQuick.2.7\qtquick2plugin.dll if the file C:\Qt\Qt-5.11.1\qml\QtQuick.2.7\qmldir exists with the following contents:

module QtQuick 
plugin qtquick2plugin 
classname QtQuick2Plugin 
typeinfo plugins.qmltypes 

OneDrive will load this DLL into its trusted process if a user interacts with OneDrive.

This exploit is already patched and has a published Defender signature, but the service does not have to be in use or logged in for the exploit to work. In my testing, an unpatched Windows 10 x64 1903 VM was vulnerable in the default configuration (apart from disabling Defender).

Because this exploit is patched, automatically updated, and already has a signature for it, it will likely have a short shelf life in most locations, but it does provide an opportunity for exploitation of air-gapped or other systems that do not talk to the internet.
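
A defender-side audit for the condition described above, added here as an example and not part of the original assessment: it reports whether the Qt plugin directory or its two files exist, and which principals other than SYSTEM, Administrators and TrustedInstaller may create or write there. The function names and the trusted-SID list are choices made for this example; the paths are the ones quoted in the assessment.

```powershell
# Added audit example. Paths come from the assessment; everything else is illustrative.
$pluginDir = 'C:\Qt\Qt-5.11.1\qml\QtQuick.2.7'
$artifacts = 'qmldir', 'qtquick2plugin.dll'

# SYSTEM, Administrators and TrustedInstaller are expected to hold write access.
$trustedSids = 'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
# WriteData/CreateFiles and AppendData/CreateDirectories share the same bits.
# Generic-rights (typically inherit-only) ACEs are not decoded here.
$writeBits = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData')

# If the plugin directory is missing, the relevant ACL is that of the nearest
# ancestor that does exist, because that is where the chain would be created.
function Get-FirstExistingAncestor([string]$Path) {
    while ($Path -and -not (Test-Path -LiteralPath $Path)) {
        $Path = Split-Path -Path $Path -Parent
    }
    $Path
}

# Allow ACEs that grant file or folder creation to principals outside the trusted list.
function Get-UntrustedWriteAce([string]$Path) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trustedSids -notcontains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $writeBits) -ne 0)
        }
}

$anchor = Get-FirstExistingAncestor $pluginDir
if ($anchor -eq $pluginDir) { "Plugin directory exists: $pluginDir" }
else { "Plugin directory absent; nearest existing ancestor: $anchor" }

Get-UntrustedWriteAce $anchor |
    Select-Object @{n='Path';e={$anchor}}, @{n='Sid';e={$_.IdentityReference.Value}},
        FileSystemRights, IsInherited | Format-List

# Any file already present at these names deserves a look: hash, signer, owner.
foreach ($name in $artifacts) {
    $file = Join-Path $pluginDir $name
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        [pscustomobject]@{
            File      = $file
            Sha256    = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -LiteralPath $file).Status
            Owner     = (Get-Acl -LiteralPath $file).Owner
        } | Format-List
    }
}
```

On a host with no legitimate Qt 5.11.1 install at that location, an existing qmldir or qtquick2plugin.dll, or a writable ancestor reported for S-1-5-11 (Authenticated Users) or S-1-5-32-545 (Users), is the finding to follow up.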
