top of page

MiniPlasma Windows 0-Day: SYSTEM Privilege Escalation on Fully Patched Systems

  • May 18
  • 2 min read

Key Findings


  • Chaotic Eclipse released a proof-of-concept exploit for MiniPlasma, a Windows privilege escalation zero-day that grants SYSTEM privileges on fully patched systems

  • The vulnerability exists in cldflt.sys (Windows Cloud Files Mini Filter Driver) within the HsmOsBlockPlaceholderAccess routine

  • Originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and assigned CVE-2020-17103, the flaw was supposedly patched in December 2020 but remains unpatched

  • Testing confirms the exploit works reliably on Windows 11 systems with the latest May 2026 updates, though it does not work on the newest Insider Preview Canary build

  • All Windows versions appear to be affected by this vulnerability


Background


Chaotic Eclipse, the security researcher responsible for recently disclosed Windows flaws YellowKey and GreenPlasma, has been releasing a string of Windows zero-day exploits since April. This disclosure spree began with BlueHammer (CVE-2026-33825), followed by RedSun targeting Microsoft Defender, and the DoS tool UnDefend. Following their release, these vulnerabilities were spotted being actively exploited in real attacks. Microsoft reportedly silently patched RedSun without assigning a CVE identifier, adding to concerns about the company's patching transparency.


The MiniPlasma Vulnerability


MiniPlasma abuses how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. The original vulnerability allowed arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, enabling privilege escalation from a standard user account to SYSTEM level. The flaw resides specifically in the HsmOsBlockPlaceholderAccess routine within cldflt.sys.


Patch Status and Researcher Claims


Chaotic Eclipse asserts that Microsoft either never properly patched the issue or silently rolled back the patch at some point. The researcher noted that the original proof-of-concept code from Google Project Zero worked without any modifications when weaponized to spawn a SYSTEM shell. While the exploit operates as a race condition with potentially variable success rates, independent testing has confirmed its reliability on current Windows 11 builds.


Verification and Testing Results


BleepingComputer successfully tested the exploit on a fully patched Windows 11 Pro system running the May 2026 Patch Tuesday updates, opening a command prompt with SYSTEM privileges from a standard user account. Security researcher Will Dormann independently confirmed the exploit works reliably on the latest public Windows 11 version. However, both testers noted that the exploit does not function on the latest Windows 11 Insider Preview Canary build, suggesting Microsoft may have implemented fixes in development versions.


Related Microsoft Vulnerabilities


In December 2025, Microsoft addressed another privilege escalation flaw in the same cldflt.sys component, assigned CVE-2025-62221 with a CVSS score of 7.8. This vulnerability was identified as being actively exploited by unknown threat actors, indicating that attackers have been actively targeting the Windows Cloud Filter driver.


Sources


  • https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html

  • https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/

  • https://x.com/TheHackersNews/status/2056238726511317044

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page