Windows MiniPlasma zero-day proof of concept gives attackers SYSTEM access

A researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day called MiniPlasma that can give attackers SYSTEM access on fully patched systems, including a tested Windows 11 Pro machine with the latest May 2026 updates.

KEY FACTS

  • Exploit release: Chaotic Eclipse posted source code and a compiled executable on GitHub.
  • Targeted component: The flaw affects the cldflt.sys Cloud Filter driver and its HsmOsBlockPlaceholderAccess routine.
  • Prior report: The issue was first reported to Microsoft in 2020 and tied to CVE-2020-17103.
  • Observed impact: Will Dormann said the exploit worked in his tests on current Windows 11 builds.

The proof of concept was published after the researcher said Microsoft failed to properly fix the earlier issue. The disclosure says the same weakness reported by Google Project Zero researcher James Forshaw in 2020 remains exploitable, despite Microsoft saying it was fixed in December 2020.

The report says the exploit abuses how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. Forshaw’s original report said the flaw could allow arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, which could lead to privilege escalation.

Microsoft has not yet responded to the latest disclosure, according to the report. The researcher also said the flaw did not work in the latest Windows 11 Insider Preview Canary build, suggesting the issue may already be addressed there.

The MiniPlasma release is part of a broader series of recent Windows zero-day disclosures from the same researcher, including BlueHammer, RedSun, UnDefend, YellowKey and GreenPlasma. The earlier issues were later seen being used in attacks, according to the report.

WHY IT MATTERS

If the flaw remains present on supported Windows releases, it could let a standard user account escalate to full system control on affected devices. That raises the risk of post-compromise takeover and makes patch status and build differences important for defenders.