MiniPlasma Windows zero-day in Cloud Files Mini Filter Driver enables SYSTEM privilege escalation
Summary
A previously undisclosed privilege escalation zero-day, tracked as MiniPlasma, has been identified in the Windows Cloud Files Mini Filter Driver (cldflt.sys) affecting all supported Windows versions. The flaw resides in the HsmOsBlockPlaceholderAccess routine and can be exploited to gain SYSTEM privileges on fully patched systems. Exploitation is possible through a race condition, as demonstrated by a weaponized proof-of-concept (PoC) that spawns a SYSTEM shell. Initial testing indicates reliable exploitation on Windows 11 systems with May 2026 updates, while the latest Insider Preview Canary build appears unaffected. The issue was originally reported in September 2020 but was believed patched under CVE-2020-17103, though further analysis suggests it remains unpatched or was silently reverted.
Timeline
- 18.05.2026 07:59 (1 article)
  MiniPlasma zero-day in Windows Cloud Files Mini Filter Driver enables SYSTEM privilege escalation
  A privilege escalation zero-day (MiniPlasma) has been identified in the Windows Cloud Files Mini Filter Driver (cldflt.sys), impacting all supported Windows versions. Exploitation via a race condition in the HsmOsBlockPlaceholderAccess routine grants SYSTEM privileges, as demonstrated by a functional PoC. Reliable exploitation is observed on Windows 11 with May 2026 updates, while Insider Preview Canary builds remain unaffected. The flaw was originally reported in September 2020 under CVE-2020-17103 but appears unpatched or silently rolled back.
  Sources:
  - MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems — thehackernews.com — 18.05.2026 07:59
Information Snippets
- MiniPlasma targets the Windows Cloud Files Mini Filter Driver (cldflt.sys), specifically the HsmOsBlockPlaceholderAccess routine.
  First reported: 18.05.2026 07:59 (1 source, 1 article)
  - MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems — thehackernews.com — 18.05.2026 07:59
- The vulnerability is a privilege escalation zero-day that grants SYSTEM privileges via a race condition, as demonstrated by a functional PoC.
  First reported: 18.05.2026 07:59 (1 source, 1 article)
  - MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems — thehackernews.com — 18.05.2026 07:59
- MiniPlasma was first reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 under CVE-2020-17103, but was later found to remain unpatched or silently rolled back.
  First reported: 18.05.2026 07:59 (1 source, 1 article)
  - MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems — thehackernews.com — 18.05.2026 07:59
- Exploitation appears reliable on Windows 11 systems with May 2026 updates, but fails on the latest Insider Preview Canary build, suggesting potential mitigation in newer code paths.
  First reported: 18.05.2026 07:59 (1 source, 1 article)
  - MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems — thehackernews.com — 18.05.2026 07:59
- All supported Windows versions are likely affected, raising concerns about widespread impact across enterprise environments.
  First reported: 18.05.2026 07:59 (1 source, 1 article)
  - MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems — thehackernews.com — 18.05.2026 07:59
- Microsoft previously addressed a related privilege escalation flaw in the same component (CVE-2025-62221, CVSS 7.8) in December 2025, which was exploited by unknown threat actors.
  First reported: 18.05.2026 07:59 (1 source, 1 article)
  - MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems — thehackernews.com — 18.05.2026 07:59