
MiniPlasma Zero-Day Exploit Grants SYSTEM Access on Patched Windows Systems

Severity: High (Score: 69.8)

Sources: Cybernews, Pcquest, Heise.De, Bleepingcomputer, Notebookcheck

Published: 2026-05-18 · Updated: 2026-05-19

Keywords: windows, miniplasma, zero-day, attackers, system, exploit, gain

Severity indicators: zero-day, pla, [CRITICAL: Zero-day Being Exploited]

Summary

A newly discovered Windows zero-day exploit, named MiniPlasma, allows attackers to gain SYSTEM-level privileges on fully patched Windows systems. The exploit targets the cldflt.sys Cloud Filter driver, specifically the HsmOsBlockPlaceholderAccess routine, and was initially reported by Google Project Zero in September 2020 as CVE-2020-17103. Despite being supposedly patched in December 2020, the vulnerability remains exploitable, as confirmed by multiple researchers including Chaotic Eclipse. The proof-of-concept (PoC) code was released on GitHub, demonstrating that it works on Windows 11 systems with the latest updates. Security experts have noted that the exploit requires a foothold on the system, making it a local privilege escalation (LPE) issue rather than a remote exploit. The exploit's success rate may vary due to its reliance on a race condition. Microsoft has not yet responded to inquiries regarding this re-emerging vulnerability.

Key Points:

  • MiniPlasma allows SYSTEM access on fully patched Windows systems via a known vulnerability.
  • The exploit targets the cldflt.sys driver, which was believed to be patched in 2020.
  • Researchers have confirmed the exploit's effectiveness on Windows 11, raising concerns about patch integrity.

Detailed Analysis

**Impact**

The vulnerability affects fully patched Windows 10 and Windows 11 systems worldwide, including the latest May 2026 Patch Tuesday updates. It enables local attackers with standard user access to escalate privileges to SYSTEM level, potentially compromising entire endpoints. This impacts all sectors relying on Windows environments, especially enterprises using cloud sync features like OneDrive. There are no confirmed reports of widespread exploitation in the wild, but previous related exploits have been observed in targeted attacks.

**Technical Details**

The exploit abuses a race condition in the Windows Cloud Filter driver (cldflt.sys), specifically the HsmOsBlockPlaceholderAccess routine, allowing arbitrary registry key creation in the .DEFAULT user hive via an undocumented API (CfAbortHydration). The vulnerability is tracked as CVE-2020-17103 and was reportedly patched in December 2020, but the original proof-of-concept remains effective on current Windows builds. The exploit requires local access and is used for privilege escalation post-initial compromise. The researcher Nightmare-Eclipse released the PoC and compiled code publicly on GitHub. The exploit does not work on the latest Windows 11 Insider Preview Canary build, suggesting possible ongoing mitigations.

**Recommended Response**

Apply the latest Windows Insider Preview Canary builds if feasible, as they appear to include mitigations against this exploit. Monitor for unusual SYSTEM-level command prompts and suspicious registry modifications related to cloud file handling. Implement microsegmentation and endpoint detection and response (EDR) solutions to restrict lateral movement and contain compromised accounts. Maintain vigilance on patch management and await official Microsoft advisories for a confirmed fix or updated CVE.
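The two monitoring steps in the recommended response (registry writes into the .DEFAULT hive, and command shells running as SYSTEM) can be turned into a first-pass triage script. The PowerShell below is an added example for defenders; it is not code from any of the cited articles, from Microsoft, or from the researcher's PoC. It assumes Sysmon is installed with registry events (Event IDs 12, 13, 14) and process creation (Event ID 1) enabled, that Sysmon reports the hive as `HKU\.DEFAULT\...` in its TargetObject field, and that the allow-lists of expected writer and parent processes are placeholders to be tuned per environment.

```powershell
# Added defender-side triage example (not from the cited articles or the PoC).
# Assumptions: Sysmon logs registry events (IDs 12/13/14) and process creation
# (ID 1); the .DEFAULT hive appears as HKU\.DEFAULT\... in TargetObject; the
# allow-lists below are placeholders to tune for your environment.
param(
    [int]$LookbackHours = 24
)

# 1. Record the Cloud Filter driver version and OS build so any findings can be
#    compared against a future Microsoft advisory for CVE-2020-17103.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
if (Test-Path $driverPath) {
    $ver = (Get-Item $driverPath).VersionInfo.FileVersion
    Write-Host ("cldflt.sys {0} on OS build {1}" -f $ver, [Environment]::OSVersion.Version)
} else {
    Write-Host 'cldflt.sys not found; the Cloud Files filter is not installed on this host'
}

# Helper: flatten a Sysmon event's EventData into a hashtable keyed by field name.
function Get-SysmonData($Event) {
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$since = (Get-Date).AddHours(-$LookbackHours)
$log   = 'Microsoft-Windows-Sysmon/Operational'

# 2. Registry writes into the .DEFAULT hive, the hive named in the analysis.
#    Sysmon IDs: 12 = key create/delete, 13 = value set, 14 = key/value rename.
$expectedRegistryWriters = @('svchost.exe', 'services.exe', 'lsass.exe')   # assumption
$regFilter = @{ LogName = $log; Id = 12, 13, 14; StartTime = $since }
Get-WinEvent -FilterHashtable $regFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-SysmonData $_
    if ($d['TargetObject'] -like 'HKU\.DEFAULT\*') {
        $image   = Split-Path $d['Image'] -Leaf
        $verdict = if ($expectedRegistryWriters -contains $image) { 'expected' } else { 'REVIEW' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Check   = 'DefaultHiveWrite'
            Image   = $d['Image']
            Target  = $d['TargetObject']
            Verdict = $verdict
        }
    }
}

# 3. Command shells started as SYSTEM whose parent is not a service host.
#    A SYSTEM shell spawned from a user-owned or interactive parent is the
#    "unusual SYSTEM-level command prompt" the analysis asks defenders to watch for.
$expectedShellParents = @('services.exe', 'svchost.exe', 'msiexec.exe')     # assumption
$procFilter = @{ LogName = $log; Id = 1; StartTime = $since }
Get-WinEvent -FilterHashtable $procFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-SysmonData $_
    $isShell  = (Split-Path $d['Image'] -Leaf) -in @('cmd.exe', 'powershell.exe')
    $isSystem = $d['User'] -eq 'NT AUTHORITY\SYSTEM'
    if ($isShell -and $isSystem) {
        $parent  = Split-Path $d['ParentImage'] -Leaf
        $verdict = if ($expectedShellParents -contains $parent) { 'expected' } else { 'REVIEW' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Check   = 'SystemShell'
            Image   = $d['Image']
            Target  = $d['ParentImage']
            Verdict = $verdict
        }
    }
}
```

Run it from an elevated prompt on the endpoint being triaged (reading the Sysmon channel requires administrator rights); rows marked REVIEW are leads to correlate with EDR telemetry, not confirmations of exploitation, since legitimate installers and service processes also write to `HKU\.DEFAULT` and spawn SYSTEM shells.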

Source articles (18)

  • New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access — Cybersecuritynews · 2026-05-18
    A critical Windows privilege escalation zero-day vulnerability dubbed “MiniPlasma” has emerged with a public proof-of-concept exploit that allows attackers to achieve SYSTEM-level privileges on fully…
  • CVE-2020-17103 — msrc.microsoft.com · 2026-05-17
  • reported a privilege escalation flaw in cldflt.sys — project-zero.issues.chromium.org · 2026-05-18
  • Ancient Flaw Unpatched? Hacker Exposes Microsoft — www.techbook-magazine.com · 2026-05-19
  • MiniPlasma exploit: new Windows security vulnerability endangers fully patched systems — borncity.com · 2026-05-19
  • Proof-of-Concept Exploit (PoC) on GitHub — github.com · 2026-05-19
  • MiniPlasma zero-day gives SYSTEM access on fully patched Windows 11 — Notebookcheck · 2026-05-18
    A researcher known as Chaotic Eclipse has released a working Windows privilege escalation exploit that grants SYSTEM access on fully patched Windows 11 machines, including those running the latest May…
  • Windows Still Vulnerable Despite Microsoft Patch — Uk.News.Yahoo · 2026-05-19
    A vulnerability known since 2020 as “MiniPlasma” allows attackers to gain system privileges. The exploit still works despite Microsoft’s alleged fix. Independent tests confirm the risk on fully patche…
  • MiniPlasma Zero-Day Hits Fully Patched Windows PCs — Pcquest · 2026-05-18
    An updated Windows machine should seem safer than one that doesn't have all of its patches installed. This is not so with MiniPlasma; this is a good reminder that not all patches eliminate all threats…
  • Windows 11 KB5089549 can be planted with deadly Registry hack to take over your system — Neowin · 2026-05-18
    A newly published proof-of-concept(PoC) exploit has renewed attention on a Windows vulnerability that researchers say may not have been fully resolved despite an earlier security fix from Microsoft. T…
  • Windows still vulnerable to 6-year-old critical bug — Cybernews · 2026-05-18
    A fully patched Windows system is vulnerable to a 6-year-old exploit, originally identified by Google Project Zero, an anonymous researcher has disclosed. It’s the same researcher who has been droppin…
  • Chaotic Eclipse discloses MiniPlasma zero-day, suggesting a missing or undone 2020 Windows security fix — Securityaffairs.Co · 2026-05-18
    MiniPlasma: a Windows SYSTEM privilege escalation believed patched in 2020 (CVE-2020-17103) is still fully working on every patched Windows 11. Once again, security researcher Chaotic Eclipse has rele…
  • 'The exact same issue that was reported to Microsoft… — Inkl · 2026-05-18
    Threat actors could escalate privileges and gain SYSTEM access on a fully patched Windows 11 device thanks to an unpatched vulnerability which allegedly should have been fixed years ago, new reports h…
  • Windows vulnerabilities: BitLocker problem and privilege escalation — Heise.De · 2026-05-19
    The IT security researcher, who had already demonstrated the vulnerabilities “RedSun”, “UnDefend” and “BlueHammer”, is following up with further disclosures of security vulnerabilities in Windows. “Ni…
  • ‘Patched’ Windows bug resurfaces 6 years later as working SYSTEM — Csoonline · 2026-05-18
    An old elevation-of-privilege (EoV) vulnerability affecting the Cloud Filter driver “cldflt.sys” in Windows has come back to haunt Microsoft, as researchers claim it is still exploitable six years aft…
  • New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released — Bleepingcomputer · 2026-05-17
    A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed "MiniPlasma" that lets attackers gain SYSTEM privileges on fully patched Windows s…

Timeline

  • 2020-09-01 — CVE-2020-17103 reported: Google Project Zero researcher James Forshaw reported a privilege escalation vulnerability in Windows.
  • 2020-12-09 — CVE-2020-17103 published: Microsoft published the vulnerability, claiming it was patched as part of December updates.
  • 2026-04-14 — CVE-2026-33825 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-15 — MiniPlasma PoC released: Chaotic Eclipse released a proof-of-concept exploit for the MiniPlasma vulnerability on GitHub.
  • 2026-05-18 — MiniPlasma confirmed working on Windows 11: Multiple security researchers confirmed the exploit works on fully patched Windows 11 systems.

CVEs

  • CVE-2020-17103
  • CVE-2026-33825

Related entities

  • Chaotic Eclipse (Apt Group)
  • Zero-day Exploit (Attack Type)
  • Google Project Zero (Company)
  • CWE-120 - Classic Buffer Overflow (Cwe)
  • CWE-269 - Improper Privilege Management (Cwe)
  • CWE-362 - Race Condition (Cwe)
  • german.it (Domain)
  • BlueHammer (Vulnerability)
  • GreenPlasma (Vulnerability)
  • MiniPlasma (Vulnerability)
  • RedSun (Vulnerability)
  • UnDefend (Vulnerability)
  • YellowKey (Vulnerability)
  • NightmareEclipse (Vulnerability)
  • T1059.003 - Windows Command Shell (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1068 - Exploitation for Privilege Escalation (Mitre Attack)
  • T1112 - Modify Registry (Mitre Attack)
  • T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
  • BitLocker (Platform)
  • Cloud Filter Driver (Platform)
  • Windows (Platform)
  • Windows 10 (Platform)
  • Windows 11 (Platform)
  • Windows Defender (Platform)
  • Windows Recovery Environment (Platform)
  • OneDrive (Tool)
  • BitUnlocker (Tool)