MiniPlasma Vulnerability Affects Fully Updated Windows 11 Devices

A newly disclosed Windows zero-day vulnerability called MiniPlasma is raising alarms across the cybersecurity community after researchers demonstrated that it can grant attackers SYSTEM-level privileges on fully patched Windows 11 machines. The flaw affects the Windows Cloud Files Mini Filter Driver (cldflt.sys) and appears to revive a vulnerability Microsoft was believed to have fixed years ago.

Security researcher Chaotic Eclipse, who has recently disclosed several Windows privilege escalation bugs, published a proof-of-concept (PoC) exploit showing how the vulnerability can be abused to spawn a SYSTEM shell on updated Windows systems. The issue specifically targets the HsmOsBlockPlaceholderAccess routine within the Cloud Filter driver.

According to the researcher, the bug is closely related to CVE-2020-17103, a flaw originally reported to Microsoft by Google Project Zero researcher James Forshaw in 2020. Although Microsoft previously issued a patch, current testing suggests the vulnerability remains exploitable today.

Researchers who independently tested the exploit confirmed that it works reliably on fully updated Windows 11 systems with the latest May 2026 security patches installed. However, reports indicate the exploit may no longer function on the newest Windows 11 Insider Canary builds, suggesting Microsoft could already be working on internal mitigations.

Why MiniPlasma Matters

Privilege escalation vulnerabilities are especially dangerous because they allow attackers who already have limited access to a machine to elevate their permissions to the highest possible level. Once SYSTEM access is achieved, attackers can:

  • Disable security protections
  • Install persistent malware
  • Access sensitive files and credentials
  • Move laterally across enterprise networks
  • Deploy ransomware or stealth implants

Because the PoC exploit is now public, threat actors may quickly integrate the technique into malware campaigns and post-exploitation frameworks.

Part of a Larger Pattern

MiniPlasma is only the latest in a series of publicly disclosed Windows zero-days attributed to Chaotic Eclipse. Earlier disclosures included vulnerabilities dubbed:

  • BlueHammer
  • YellowKey
  • GreenPlasma
  • RedSun
  • UnDefend

Several of these flaws target core Windows security mechanisms including BitLocker, Defender, and privilege management systems.

The researcher has publicly criticized Microsoft’s vulnerability handling process, claiming previous reports were mishandled or ignored. While Microsoft has not yet issued a formal public advisory specifically addressing MiniPlasma, the growing number of disclosed privilege escalation flaws has intensified scrutiny of the Windows security architecture.

Recommended Mitigation Steps

Until an official patch becomes available, organizations should consider the following defensive measures:

  • Restrict local user privileges wherever possible
  • Monitor for unusual SYSTEM-level process creation
  • Enable advanced endpoint detection and response (EDR) telemetry
  • Audit systems for suspicious Cloud Filter driver activity
  • Test Insider or preview builds in controlled environments where mitigations appear to be present
  • Prioritize behavioral detection over signature-based defenses due to public PoC availability
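Two of the steps above (monitoring for unusual SYSTEM-level process creation and auditing Cloud Filter driver state) can be turned into a repeatable triage script. The following PowerShell is an added example and not code from the article or from the researcher; it assumes that process-creation auditing (Security event ID 4688, with command-line logging) is enabled on the host, and the list of "expected" parent processes and the lookback window are illustrative placeholders to be tuned per environment. It reads the local Security log and the cldflt.sys binary only; it does not touch the vulnerability itself.

```powershell
# Added example (not from the article): triage helper for the mitigation steps above.
# Assumptions: Security auditing for process creation (event 4688) is enabled and
# command-line logging is on; the $ExpectedParents list is a placeholder to tune.
# Run from an elevated prompt (fltmc.exe and the Security log require admin rights).
param(
    [int]$Hours = 24   # lookback window for the 4688 hunt (constructed default)
)

# --- 1. Inventory the Cloud Files Mini Filter Driver (cldflt.sys) ---
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
if (Test-Path $driverPath) {
    $info = (Get-Item $driverPath).VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $driverPath
    [pscustomobject]@{
        Driver      = 'cldflt.sys'
        FileVersion = $info.FileVersion          # record this against Patch Tuesday updates
        Signature   = $sig.Status                # expect 'Valid'
        Signer      = $sig.SignerCertificate.Subject
    } | Format-List
}
# Is the minifilter currently attached? 'fltmc filters' lists loaded minifilters by name.
$loaded = @(& fltmc.exe filters 2>$null) -match '^\s*cldflt\b'
Write-Host ("cldflt minifilter loaded: {0}" -f [bool]$loaded)

# --- 2. Hunt for unusual SYSTEM-level process creation (Security event 4688) ---
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Parents that legitimately spawn SYSTEM processes all day long; tune for your estate.
$ExpectedParents = @('services.exe','svchost.exe','wininit.exe','smss.exe','csrss.exe',
                     'winlogon.exe','lsass.exe','MsMpEng.exe','TrustedInstaller.exe','System')

$findings = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Target* fields describe the account the NEW process runs as; Subject* fields
    # describe the account that requested the creation. S-1-5-18 is LocalSystem.
    $runsAsSystem = ($d['TargetUserSid'] -eq 'S-1-5-18') -or ($d['TargetUserName'] -eq 'SYSTEM')
    if (-not $runsAsSystem) { continue }

    $parent = if ($d['ParentProcessName']) { Split-Path -Leaf $d['ParentProcessName'] } else { '?' }
    $child  = if ($d['NewProcessName'])    { Split-Path -Leaf $d['NewProcessName'] }    else { '?' }

    # Flag a SYSTEM child whose parent is not a known service host, or whose creator
    # is not itself SYSTEM: a standard user token producing a SYSTEM process is the
    # observable footprint of a local privilege escalation, whatever the driver involved.
    $unexpectedParent = $ExpectedParents -notcontains $parent
    $nonSystemCreator = $d['SubjectUserSid'] -ne 'S-1-5-18'
    if ($unexpectedParent -or $nonSystemCreator) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Creator = $d['SubjectUserName']
            Parent  = $parent
            Child   = $child
            Reason  = if ($nonSystemCreator) { 'non-SYSTEM creator' } else { 'unexpected parent' }
            CmdLine = $d['CommandLine']
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

The driver inventory gives a baseline (file version and signer) to compare against whatever the next cumulative update ships, and the 4688 hunt surfaces the generic symptom of any kernel-driver LPE rather than a signature for one PoC, which is the point of the "behavioral over signature-based" recommendation. Expect some noise from legitimate installers and management agents on first run; move those parents into the list only after confirming them.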

Security teams should also closely monitor Microsoft’s upcoming Patch Tuesday releases for potential fixes or advisories related to cldflt.sys and CVE-2020-17103.
