New ‘MiniPlasma’ Windows Zero-Day Exploit Grants SYSTEM Access on Fully Patched Systems
Security researchers warn that a newly released proof-of-concept exploit can elevate standard user access to full SYSTEM privileges on updated Windows machines.

MiniPlasma Raises Fresh Concerns for Windows Security
A new Windows privilege escalation zero-day called “MiniPlasma” is creating serious concern for enterprise defenders. Security researcher Chaotic Eclipse, also known as Nightmare Eclipse, has released a proof-of-concept exploit that reportedly grants SYSTEM-level access on fully patched Windows systems.
The exploit targets the Windows Cloud Filter driver, specifically the cldflt.sys component and its HsmOsBlockPlaceholderAccess routine. According to the researcher, this is the same flaw originally reported by Google Project Zero researcher James Forshaw in 2020.
At that time, Microsoft assigned the issue CVE-2020-17103 and stated that it was fixed during the December 2020 Patch Tuesday release. However, the researcher now claims the exact same vulnerability still exists and remains exploitable.
Exploit Successfully Tested on Latest Windows 11
The proof-of-concept was published on GitHub along with both source code and a compiled executable. Tests showed that the exploit works on fully patched Windows 11 Pro systems, including devices updated with the latest May 2026 Patch Tuesday fixes.
In testing, a standard user account that ran the exploit was able to launch a command prompt running with full SYSTEM privileges. In practice that means a local attacker, or malware already running under an ordinary user account, could cross the user-to-SYSTEM privilege boundary and take complete control of an affected machine.
Security analyst Will Dormann also confirmed the exploit worked on the latest public version of Windows 11. However, he noted that the flaw does not appear to work in the latest Windows 11 Insider Preview Canary build, which may suggest Microsoft is addressing the issue silently.
How the Vulnerability Works
The exploit appears to abuse how the Cloud Filter driver handles registry key creation using an undocumented API known as CfAbortHydration.
Forshaw’s original findings explained that the flaw allowed an unprivileged caller to create arbitrary registry keys inside the .DEFAULT user hive without proper access checks. HKEY_USERS\.DEFAULT is the per-user hive that the LocalSystem account itself reads as its own profile, so a standard user who can create keys there can influence settings that SYSTEM processes later consume, which is why the behavior could be turned into SYSTEM-level access.
This kind of flaw is especially dangerous because it allows local attackers to move quickly from limited access to full administrative control.
Part of a Larger Zero-Day Disclosure Trend
MiniPlasma is not the first Windows zero-day released by Chaotic Eclipse in recent weeks. The researcher previously disclosed several other exploits, including BlueHammer, RedSun, YellowKey, GreenPlasma, and UnDefend.
BlueHammer was tracked as CVE-2026-33825 and involved local privilege escalation. YellowKey targeted BitLocker and allowed access to unlocked drives protected by TPM-only configurations. Other disclosures included Windows Defender denial-of-service tools and additional escalation vulnerabilities.
Some of these flaws were later observed being used in real-world attacks. This increases concern around public exploit releases and the speed at which threat actors can weaponize them.
Why Security Teams Should Pay Attention
Privilege escalation flaws remain one of the most dangerous threats inside enterprise environments. Even when attackers start with limited access, vulnerabilities like MiniPlasma can help them gain full system control, disable defenses, and move laterally across the network.
Security teams should closely monitor Microsoft advisories, restrict unnecessary local access, and strengthen endpoint detection for unusual privilege escalation activity.
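The outcome described above, a standard user launching a command prompt that runs as SYSTEM, leaves a recognizable trace in process-creation auditing: a process created from an ordinary user's token that ends up running as LocalSystem (S-1-5-18). The Python triage below is an added example written for this article, not code from the researcher, the PoC, or Microsoft. The records are constructed, the field names follow the Windows Security event 4688 EventData schema (SubjectUserSid, TargetUserSid, NewProcessName, ParentProcessName, NewProcessId), and the heuristic is general to user-to-SYSTEM process creation rather than specific to MiniPlasma's internals. It assumes process-creation auditing with the Target Subject fields is enabled on the endpoint.

```python
"""Triage Windows Security 4688 (process creation) records for the
user-token-to-SYSTEM pattern a local privilege-escalation exploit leaves
behind: a process created by an ordinary account's token that runs as
LocalSystem (S-1-5-18).

Field names follow the 4688 EventData schema. The records at the bottom are
constructed for this example; they were not captured from any real exploit.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

SYSTEM_SID = "S-1-5-18"
# 4688 reports the NULL SID in TargetUserSid when the new process simply
# inherits the creator's identity (assumption: verify on your own build).
NULL_SID = "S-1-0-0"
# LocalSystem, LocalService, NetworkService: service identities that
# routinely create SYSTEM processes (services.exe, svchost.exe, Task Scheduler).
SERVICE_SIDS = {SYSTEM_SID, "S-1-5-19", "S-1-5-20"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    creator_sid: str
    creator_name: str
    new_process: str
    parent_process: str
    new_pid: str
    note: str


def is_account_sid(sid: str) -> bool:
    """Real local/domain user and group SIDs are S-1-5-21-<authority>-<rid>."""
    return sid.startswith("S-1-5-21-")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def effective_target_sid(event: Dict[str, str]) -> str:
    """Identity the new process actually runs under."""
    target = event.get("TargetUserSid", NULL_SID)
    return event.get("SubjectUserSid", "") if target == NULL_SID else target


def flag_user_to_system(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per 4688 record where a process created from an
    ordinary user's token runs as SYSTEM. UAC elevation, runas and service
    starts do not match: their creator is either a service SID or the new
    process keeps a non-SYSTEM identity."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != "4688":
            continue
        creator = ev.get("SubjectUserSid", "")
        if creator in SERVICE_SIDS or not is_account_sid(creator):
            continue
        if effective_target_sid(ev) != SYSTEM_SID:
            continue
        child = image_name(ev.get("NewProcessName", ""))
        note = ("interactive shell running as SYSTEM" if child in SHELLS
                else "SYSTEM process created from a user token")
        findings.append(Finding(
            creator_sid=creator,
            creator_name=ev.get("SubjectUserName", "?"),
            new_process=ev.get("NewProcessName", ""),
            parent_process=ev.get("ParentProcessName", ""),
            new_pid=ev.get("NewProcessId", ""),
            note=note,
        ))
    return findings


USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. Ordinary user launches notepad under their own identity: benign.
    {"EventID": "4688", "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
     "TargetUserSid": NULL_SID, "NewProcessId": "0x1a2c",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    # 2. Service Control Manager starts a service host as SYSTEM: benign.
    {"EventID": "4688", "SubjectUserSid": SYSTEM_SID, "SubjectUserName": "SYSTEM",
     "TargetUserSid": NULL_SID, "NewProcessId": "0x0b10",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe"},
    # 3. UAC elevation: the AppInfo service (SYSTEM) creates a process that
    #    runs under alice's elevated token, not as SYSTEM: benign.
    {"EventID": "4688", "SubjectUserSid": SYSTEM_SID, "SubjectUserName": "SYSTEM",
     "TargetUserSid": USER_SID, "TargetUserName": "alice", "NewProcessId": "0x1f00",
     "NewProcessName": "C:\\Windows\\System32\\mmc.exe",
     "ParentProcessName": "C:\\Windows\\System32\\svchost.exe"},
    # 4. The pattern of interest: a shell created by alice's token, running as SYSTEM.
    {"EventID": "4688", "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
     "TargetUserSid": SYSTEM_SID, "TargetUserName": "SYSTEM", "NewProcessId": "0x2244",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Users\\alice\\Downloads\\poc.exe"},
    # 5. Same pattern with a non-shell child; still worth a look.
    {"EventID": "4688", "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
     "TargetUserSid": SYSTEM_SID, "TargetUserName": "SYSTEM", "NewProcessId": "0x2310",
     "NewProcessName": "C:\\Users\\alice\\Downloads\\stage2.exe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
    # 6. Not a process-creation record at all (logon event): ignored.
    {"EventID": "4624", "SubjectUserSid": USER_SID, "TargetUserSid": SYSTEM_SID},
]

if __name__ == "__main__":
    for f in flag_user_to_system(SAMPLE_EVENTS):
        print(f"[{f.note}] {f.creator_name} ({f.creator_sid}) -> "
              f"{f.new_process} pid={f.new_pid} parent={f.parent_process}")
```

Run against the constructed set, only records 4 and 5 are reported. The rule keys on the creator's token versus the new process's identity rather than on image names, so renaming the exploit binary does not evade it; the trade-off is that it needs 4688 auditing with Target Subject fields, and it will also surface legitimate tooling that launches SYSTEM processes from a user session, which is exactly the set of events an analyst should be able to explain.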
This case also highlights a larger issue in vulnerability disclosure. Public disagreements between researchers and vendors can sometimes lead to faster public releases, increasing risk for defenders.
For CISOs and security leaders, the lesson is clear: patching alone is not enough. Continuous monitoring, strong access controls, and proactive threat intelligence remain critical for cyber resilience.