Windows cldflt.sys privilege escalation (CVE-2020-17103)
Vulnerability
Summary
Hide ▲
Show ▼
A public MiniPlasma proof-of-concept has renewed concern around the Windows cldflt.sys Cloud Filter driver because it can elevate a standard user to SYSTEM on fully patched Windows systems. The flaw is tied to CVE-2020-17103 and the HsmOsBlockPlaceholderAccess routine, suggesting the earlier fix may not fully close the issue. The release of source code and a compiled executable makes the exploit easier to study and adapt. The issue matters because it affects current Windows builds, including a tested Windows 11 Pro host with May 2026 Patch Tuesday updates.
Related Happenings
Postcss-minify-selector-parser Windows RAT delivery chain
Malware Activity
H score29
First: 23.06.2026 18:00
Last: 23.06.2026 18:00
Sources 1
About this happening:
The **postcss-minify-selector-parser** npm package delivered a **multi-stage Windows RAT**, creating a supply-chain path onto **developer machines** and exposing **browser logins*...
Postcss-minify-selector-parser Windows RAT delivery chain
Malware ActivityAbout this happening: The **postcss-minify-selector-parser** npm package delivered a **multi-stage Windows RAT**, creating a supply-chain path onto **developer machines** and exposing **browser logins*...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
Vulnerability
H score32
First: 17.06.2026 11:32
Last: 17.06.2026 11:32
Sources 1
About this happening:
**Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
VulnerabilityAbout this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
Vulnerability
H score39
First: 10.06.2026 02:11
Last: 10.06.2026 02:11
Sources 1
About this happening:
Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
VulnerabilityAbout this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Latest development: 10.06.2026 08:22
The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.
Linux kernel RDS PinTheft local privilege escalation flaw (public PoC)
Vulnerability
H score15
First: 20.05.2026 13:52
Last: 20.05.2026 13:52
Sources 1
About this happening:
**PinTheft** now has a **public PoC exploit**, turning a recently patched **Linux kernel RDS** flaw into a practical **local privilege escalation** risk for **Arch Linux** systems...
Linux kernel RDS PinTheft local privilege escalation flaw (public PoC)
VulnerabilityAbout this happening: **PinTheft** now has a **public PoC exploit**, turning a recently patched **Linux kernel RDS** flaw into a practical **local privilege escalation** risk for **Arch Linux** systems...
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/Mitigation
H score32
First: 20.05.2026 10:31
Last: 20.05.2026 10:31
Sources 1
About this happening:
**Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/MitigationAbout this happening: **Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Latest development: 10.06.2026 12:57
On Tuesday, Microsoft fixed YellowKey (CVE-2026-45585) as part of its June 2026 Patch Tuesday updates and shared mitigation measures for the Windows Recovery Environment backdoor. The flaw affects unpatched Windows 11 and Windows Server 2022/2025 systems and can let attackers with physical access bypass BitLocker protection on targeted devices.
Timeline
-
18.05.2026 01:30 2 articles · 1mo ago
MiniPlasma PoC released for cldflt.sys
Initial DisclosureChaotic Eclipse, also known as Nightmare Eclipse, released a public proof-of-concept exploit named MiniPlasma for the Windows cldflt.sys Cloud Filter driver on GitHub, publishing source code and a compiled executable while claiming the issue still enables SYSTEM privileges on fully patched Windows systems. Testing on a fully patched Windows 11 Pro system with May 2026 Patch Tuesday updates reproduced a SYSTEM command prompt, and the exploit did not work on the latest Windows 11 Insider Preview Canary build.
Show sources
- New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released — www.bleepingcomputer.com — 18.05.2026 01:30
- New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released — www.bleepingcomputer.com — 18.05.2026 01:30