MiniPlasma Windows 0-Day: SYSTEM Privilege Escalation on Fully Patched Systems
- May 18
- 2 min read
Key Findings
Chaotic Eclipse released a proof-of-concept exploit for MiniPlasma, a Windows privilege escalation zero-day that grants SYSTEM privileges on fully patched systems
The vulnerability exists in cldflt.sys (Windows Cloud Files Mini Filter Driver) within the HsmOsBlockPlaceholderAccess routine
Originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and assigned CVE-2020-17103, the flaw was supposedly patched in December 2020 but remains unpatched
Testing confirms the exploit works reliably on Windows 11 systems with the latest May 2026 updates, though it does not work on the newest Insider Preview Canary build
All Windows versions appear to be affected by this vulnerability
Background
Chaotic Eclipse, the security researcher responsible for recently disclosed Windows flaws YellowKey and GreenPlasma, has been releasing a string of Windows zero-day exploits since April. This disclosure spree began with BlueHammer (CVE-2026-33825), followed by RedSun targeting Microsoft Defender, and the DoS tool UnDefend. Following their release, these vulnerabilities were spotted being actively exploited in real attacks. Microsoft reportedly silently patched RedSun without assigning a CVE identifier, adding to concerns about the company's patching transparency.
The MiniPlasma Vulnerability
MiniPlasma abuses how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. The original vulnerability allowed arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, enabling privilege escalation from a standard user account to SYSTEM level. The flaw resides specifically in the HsmOsBlockPlaceholderAccess routine within cldflt.sys.
Patch Status and Researcher Claims
Chaotic Eclipse asserts that Microsoft either never properly patched the issue or silently rolled back the patch at some point. The researcher noted that the original proof-of-concept code from Google Project Zero worked without any modifications when weaponized to spawn a SYSTEM shell. While the exploit operates as a race condition with potentially variable success rates, independent testing has confirmed its reliability on current Windows 11 builds.
Verification and Testing Results
BleepingComputer successfully tested the exploit on a fully patched Windows 11 Pro system running the May 2026 Patch Tuesday updates, opening a command prompt with SYSTEM privileges from a standard user account. Security researcher Will Dormann independently confirmed the exploit works reliably on the latest public Windows 11 version. However, both testers noted that the exploit does not function on the latest Windows 11 Insider Preview Canary build, suggesting Microsoft may have implemented fixes in development versions.
Related Microsoft Vulnerabilities
In December 2025, Microsoft addressed another privilege escalation flaw in the same cldflt.sys component, assigned CVE-2025-62221 with a CVSS score of 7.8. This vulnerability was identified as being actively exploited by unknown threat actors, indicating that attackers have been actively targeting the Windows Cloud Filter driver.
Sources
https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html
https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/
https://x.com/TheHackersNews/status/2056238726511317044

Comments