Windows Zero-Day 'MiniPlasma' Gives SYSTEM Access on Patched PCs

Key Takeaways

- MiniPlasma exploit grants SYSTEM privileges on fully patched Windows 11 systems
- The underlying vulnerability was reportedly fixed by Microsoft in December 2020 but remains exploitable
- This is the fourth Windows zero-day disclosure from the same researcher in recent weeks

A 2020 Fix That Wasn't
Security researcher Chaotic Eclipse (also known as Nightmare Eclipse) has published a proof-of-concept exploit called MiniPlasma that grants attackers SYSTEM-level privileges on Windows machines. The catch: Microsoft claims to have fixed this vulnerability nearly six years ago.
The exploit targets a flaw in the Windows Cloud Filter driver (cldflt.sys), specifically in a routine called HsmOsBlockPlaceholderAccess. Google Project Zero researcher James Forshaw originally reported this vulnerability to Microsoft in September 2020. Microsoft assigned it CVE-2020-17103 and released a patch in December 2020.
According to Chaotic Eclipse, that patch either never worked or was rolled back at some point. The researcher wrote that "the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched." Forshaw's original proof-of-concept from 2020 reportedly works without any modifications.
Confirmed Working on Current Windows 11
BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the May 2026 Patch Tuesday updates. Starting from a standard user account, the exploit opened a command prompt with SYSTEM privileges.

Will Dormann, principal vulnerability analyst at Tharros, independently confirmed the exploit works on the latest public version of Windows 11. He noted one exception: the exploit does not work in the Windows 11 Insider Preview Canary build, suggesting Microsoft may have addressed the flaw in an unreleased update.
How the Exploit Works
The exploit abuses how the Windows Cloud Filter driver handles registry key creation through an undocumented API called CfAbortHydration. Forshaw's original report explained that the flaw allows arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks. This can be chained into full privilege escalation.
Chaotic Eclipse released both source code and a compiled executable on GitHub. BleepingComputer has contacted Microsoft for comment but has not received a response.
Fourth Zero-Day from Same Researcher
MiniPlasma is the latest in a series of Windows zero-day disclosures from Chaotic Eclipse over the past several weeks. The streak began in April with BlueHammer, a local privilege escalation flaw tracked as CVE-2026-33825. That was followed by RedSun, another privilege escalation vulnerability, and UnDefend, a denial-of-service tool targeting Windows Defender.
What Organizations Should Do
With no working patch available for the public release of Windows 11, defenders have limited options. The exploit requires local access, so standard endpoint security practices apply: restrict local user accounts, monitor for suspicious privilege escalation, and watch for execution of unknown binaries.
Organizations running the Windows Insider Preview Canary build appear to be protected, though that build is not suitable for production environments. Microsoft has not issued guidance on this specific vulnerability.
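One way to act on the monitoring advice above, as an added example that is not from the original article, the researcher or Microsoft: a Python triage script that flags registry key creation in the .DEFAULT hive by any account other than SYSTEM. It assumes Sysmon registry events (Event ID 12) exported as JSON lines under Sysmon's field names, and that the telemetry attributes the key creation to the calling user's process; the sample events are constructed.

```python
import json

# Sysmon abbreviates HKEY_USERS to "HKU". .DEFAULT is the LocalSystem profile
# hive and is also exposed as HKU\S-1-5-18, so both spellings are watched.
WATCHED = ("hku\\.default\\", "hku\\s-1-5-18\\")
SYSTEM_USERS = {"nt authority\\system"}  # assumption: English-language account name

def is_suspicious(ev):
    """True for a key creation in the SYSTEM hive by a non-SYSTEM account."""
    if str(ev.get("EventID")) != "12" or ev.get("EventType") != "CreateKey":
        return False
    if not str(ev.get("TargetObject", "")).lower().startswith(WATCHED):
        return False
    # A missing User field (older Sysmon schema) is flagged rather than trusted.
    return str(ev.get("User", "")).lower() not in SYSTEM_USERS

def find_hits(lines):
    """Parse JSON-lines events, skip unparseable lines, return flagged ones."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and is_suspicious(ev):
            hits.append((ev.get("UtcTime"), ev.get("User"),
                         ev.get("Image"), ev["TargetObject"]))
    return hits

# Constructed sample events (not taken from a real host or from the exploit).
USER = "DESKTOP-TEST\\alice"
TOOL = r"C:\Users\alice\Downloads\tool.exe"
SAMPLE = [json.dumps(e) for e in (
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2026-05-20 09:00:01.000",
     "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKU\.DEFAULT\Software\Example\Service"},
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2026-05-20 09:02:11.000",
     "User": USER, "Image": TOOL,
     "TargetObject": r"HKU\.DEFAULT\Software\Example\NewKey"},
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2026-05-20 09:02:12.000",
     "User": USER, "Image": TOOL,
     "TargetObject": r"HKU\S-1-5-18\Software\Example\Other"},
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2026-05-20 09:03:00.000",
     "User": USER, "Image": TOOL,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Example"},
)] + ["{truncated line"]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(*hit, sep=" | ")
```

Hits from elevated administrator sessions are expected and need triage; the rule only narrows attention to writers of the SYSTEM hive that are not SYSTEM.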
Frequently Asked Questions
What is the MiniPlasma Windows exploit?
MiniPlasma is a proof-of-concept exploit that allows attackers with local access to escalate privileges to SYSTEM level on fully patched Windows 11 systems. It targets a flaw in the Windows Cloud Filter driver (cldflt.sys).
Is MiniPlasma a new vulnerability?
No. The underlying flaw was reported to Microsoft in September 2020 by Google Project Zero and assigned CVE-2020-17103. Microsoft released a patch in December 2020, but the researcher claims that patch is ineffective.
Which Windows versions are affected by MiniPlasma?
The exploit has been confirmed working on fully patched Windows 11 Pro with May 2026 updates. It does not work on the Windows 11 Insider Preview Canary build.
How can I protect against MiniPlasma?
No public patch is currently available. Limit local user access, monitor for privilege escalation, and maintain standard endpoint security controls. The exploit requires local access to the target machine.
Who released the MiniPlasma exploit?
A security researcher using the names Chaotic Eclipse and Nightmare Eclipse published the exploit on GitHub, including source code and a compiled executable.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer