HackMyIP
2026-05-17 BleepingComputer

MiniPlasma Windows Zero-Day Exploit Grants SYSTEM Access - PoC Released

Zero-Day, Vulnerability, Privacy

A critical Windows privilege escalation zero-day exploit, dubbed "MiniPlasma," has been publicly released, enabling attackers to gain SYSTEM-level access on fully patched Windows systems. The proof-of-concept (PoC) was published by researcher Chaotic Eclipse (also known as Nightmare Eclipse) on GitHub, including both source code and a compiled executable. BleepingComputer verified the exploit's functionality on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates, successfully obtaining a command prompt with SYSTEM privileges from a standard user account. Will Dormann, principal vulnerability analyst at Tharros, also confirmed the exploit works on the latest public Windows 11 version, though it does not function on Windows 11 Insider Preview Canary builds.

The vulnerability resides in the Windows Cloud Filter driver (cldflt.sys), specifically in the HsmOsBlockPlaceholderAccess routine. This flaw was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and assigned CVE-2020-17103, with Microsoft claiming it was fixed during December 2020 Patch Tuesday. However, Chaotic Eclipse asserts that the exact same vulnerability remains unpatched and exploitable. "After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched," the researcher explained. "I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes."

The exploit leverages an undocumented CfAbortHydration API to abuse how the Windows Cloud Filter driver handles registry key creation, potentially allowing arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks. BleepingComputer contacted Microsoft regarding this additional zero-day but had not received a response at publication time. This disclosure marks the latest in a series of Windows zero-day releases by Chaotic Eclipse, following BlueHammer (CVE-2026-33825), RedSun, and UnDefend, all disclosed within recent weeks. Users concerned about potential exposure can check their system's security posture by using a port scanner to identify exposed services, running a password checker to ensure strong credential hygiene, and conducting a comprehensive privacy checkup to minimize attack surfaces.

Source: BleepingComputer
