MiniPlasma zero-day: What it is, how it works, and how to protect your environment
A Windows vulnerability from 2020 is back, and it works on fully patched systems.
MiniPlasma is the latest in a series of Windows zero-day exploits publicly released by a security researcher known as Chaotic Eclipse, also identified as Nightmare-Eclipse on GitHub, and it may be the most straightforward one yet.
YellowKey and GreenPlasma required physical access or left an incomplete proof-of-concept. MiniPlasma works as a standard user and ThreatLocker has confirmed that it can elevate privileges to SYSTEM on fully patched Windows 11 systems running the latest May 2026 updates.
There is no official patch. When asked by SecurityWeek, a Microsoft spokesperson said, “Microsoft is investigating this report and will take appropriate action to protect customers as soon as possible.” The next Patch Tuesday is June 10, 2026.
What is MiniPlasma?
MiniPlasma is a local privilege escalation exploit targeting CVE-2020-17103, a vulnerability in the Windows Cloud Filter driver (cldflt.sys). The flaw was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020, assigned a CVE, and reportedly patched in December of that year.
According to Chaotic Eclipse, either the patch was never properly applied or was silently rolled back at some point. The researcher states that the original Google Project Zero proof-of-concept code worked without any modifications. MiniPlasma is a weaponized version of that same PoC, modified to spawn a SYSTEM shell rather than simply demonstrate the flaw.
The vulnerability targets the HsmOsBlockPlaceholderAccess routine within the Cloud Filter driver, the component Windows uses to support cloud-backed file handling in OneDrive and similar services. The flaw allows registry key manipulation via the undocumented CfAbortHydration API, enabling an attacker to create a key in the DEFAULT user hive without access checks. That path leads to privilege escalation and SYSTEM-level code execution.
This is not the first time this driver component has been exploited. In December 2025, Microsoft patched a separate privilege escalation flaw in the same component, CVE-2025-62221, which it confirmed was being actively exploited in the wild at the time of patching.
The exploit relies on a race condition, so its success rate may vary. In practice, researchers at ThreatLocker confirmed the exploit works on fully patched Windows 11. Will Dormann, Principal Vulnerability Analyst at Tharros, has noted it does not appear to function on the Windows 11 Insider Preview Canary build.
Demonstration
Researchers at ThreatLocker tested the publicly released MiniPlasma exploit against a standard Windows 11 environment. The results are consistent with what the broader security community has observed: a standard user account can escalate to SYSTEM.
With ThreatLocker Application Allowlisting enabled, the exploit payload is automatically blocked before execution. The default-deny policy does not need to recognize MiniPlasma specifically because it prevents any unauthorized executable from running regardless of what the payload does or what driver it targets. The exploit cannot reach the vulnerable code path if it cannot execute.
Who is affected?
Confirmed affected versions include Windows 11 and Windows Server 2022 and 2025. Windows 10 does not appear to be affected.
The Cloud Filter driver is present by default on most Windows 11 installations due to OneDrive integration, which means the vulnerable component is broadly deployed. Chaotic Eclipse believes all Windows versions are affected, though this has not been independently verified.
How to mitigate the MiniPlasma threat
There is no patch. The most effective mitigation is a default-deny application policy, which blocks the exploit payload at execution regardless of what it targets. Until a fix is available, the following additional steps are recommended.
Configure your EDR to monitor for modifications to the following registry paths:
\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps*
\Registry\User\.DEFAULT\Volatile Environment*
These are the two locations the exploit manipulates during execution. Alerts on writes to either path are a strong indicator of MiniPlasma activity. If a fix is released, treat it as urgent regardless of normal patch cadence. Earlier in this series, BlueHammer, RedSun, and UnDefend were all confirmed to have been exploited in real attacks after public disclosure.
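As an added illustration of the registry-monitoring step (this is example detection logic written for this article, not ThreatLocker's Community policy or any EDR product's rule), the script below takes registry events in the field layout Sysmon uses for Event IDs 12, 13 and 14 (TargetObject, EventType, Image) and flags any that fall under the two advisory paths. It assumes the sensor renders the native \Registry\User root as the HKU alias, and the sample events are constructed, not real telemetry.

```python
"""Flag registry events that touch the two paths MiniPlasma manipulates.

Added detection prototype (not ThreatLocker's policy or EDR logic). It assumes
Sysmon-style registry events (Event IDs 12/13/14) whose TargetObject field uses
hive aliases such as HKU\\ and HKLM\\; the sample events below are constructed.
"""
import re

# The two paths from the advisory, in native NT registry notation.
# A trailing "*" means "this key and anything beneath it".
WATCHED_PATHS = [
    r"\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps*",
    r"\Registry\User\.DEFAULT\Volatile Environment*",
]

# Sensors render native hive roots as short aliases; map them to one form.
# Assumption: this alias list covers what the sensor emits.
_HIVE_ALIASES = {
    r"\registry\user": "hku",
    r"\registry\machine": "hklm",
    "hkey_users": "hku",
    "hkey_local_machine": "hklm",
}


def normalize(path: str) -> str:
    """Lower-case a registry path and rewrite its hive root to HKU/HKLM form."""
    p = path.strip().lower().replace("/", "\\")
    for prefix, alias in _HIVE_ALIASES.items():
        if p.startswith(prefix):
            return alias + p[len(prefix):]
    return p


def compile_watchlist(patterns):
    """Turn advisory-style paths (literal text, optional trailing *) into regexes."""
    compiled = []
    for pat in patterns:
        norm = normalize(pat.rstrip("*"))
        # Match the key itself, or any subkey or value path beneath it.
        compiled.append(re.compile(r"^" + re.escape(norm) + r"(\\.*)?$"))
    return compiled


WATCHLIST = compile_watchlist(WATCHED_PATHS)


def is_watched(target_object: str) -> bool:
    """True if a TargetObject falls under one of the advisory's registry paths."""
    return any(rx.match(normalize(target_object)) for rx in WATCHLIST)


def flag_events(events):
    """Return (EventID, EventType, Image, TargetObject) for each matching registry event."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (12, 13, 14):
            continue  # only key create/delete, value-set and rename events
        if is_watched(ev.get("TargetObject", "")):
            hits.append((ev["EventID"], ev.get("EventType"), ev.get("Image"), ev["TargetObject"]))
    return hits


# Constructed sample events in Sysmon's field layout (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\.DEFAULT\Volatile Environment\example"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetObject": r"HKU\Software\Policies\Microsoft\CloudFiles\BlockedApps\test"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\OneDrive\Accounts"},
    # Process-create event carrying a registry-looking field: wrong class, ignored.
    {"EventID": 1, "EventType": None,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\.DEFAULT\Volatile Environment"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("ALERT possible MiniPlasma registry activity:", hit)
```

Run against the constructed sample, the first two events are flagged and the OneDrive write to a normal user hive is not. The Image field is carried into the alert because a write to these keys by an interactive shell or an unsigned binary in a user's Downloads folder is the context an analyst needs first; pairing the rule with an allowlist of expected writers keeps noise down once real telemetry is fed in.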
ThreatLocker Community policy
ThreatLocker customers can add detection coverage through the Community Policy TL.REG.1747 - Mini Plasma Reg Key Created, published May 18, 2026.
The policy detects when the Mini Plasma registry key is created, an action associated with privilege escalation attempts via this exploit. It maps to MITRE ATT&CK TA0004 (Privilege Escalation) and is available now in ThreatLocker Community.
The pattern continues
MiniPlasma is the sixth exploit Chaotic Eclipse has released in six weeks.
BlueHammer, RedSun, and UnDefend were the first three in the series, and all were confirmed to be exploited in real attacks after public disclosure. The exploit code is publicly available on GitHub. The gap between disclosure and active weaponization is short.
The PowerShell-based exploit is straightforward to run. Microsoft has not assigned a new CVE for MiniPlasma and has not issued an emergency patch. Until that changes, default-deny policies and registry monitoring are the most effective controls.