Windows privilege escalation via MiniPlasma zero-day in Cloud Filter driver
Summary
A new Windows privilege escalation zero-day named MiniPlasma has been publicly disclosed. It lets attackers escalate privileges to SYSTEM on fully patched Windows systems. The vulnerability resides in the HsmOsBlockPlaceholderAccess routine of the Cloud Filter driver (cldflt.sys) and is abused through undocumented CfAbortHydration API calls to create registry keys in the .DEFAULT user hive. The exploit provides a SYSTEM-level command shell; it was confirmed working on Windows 11 Pro with the May 2026 Patch Tuesday updates but does not work on the Windows 11 Insider Preview Canary build. The flaw was originally reported to Microsoft in September 2020 as CVE-2020-17103 and allegedly patched in December 2020, yet the researcher claims the same issue remains exploitable, which suggests the patch failed or was rolled back. Microsoft has not publicly addressed the new disclosure as of publication.
Timeline
- 18.05.2026 01:30 · 1 article
MiniPlasma zero-day exploit for Cloud Filter driver privilege escalation disclosed
Public disclosure of MiniPlasma exploit for an unpatched Windows privilege escalation vulnerability affecting the Cloud Filter driver (cldflt.sys). The exploit achieves SYSTEM privileges via registry manipulation in the .DEFAULT user hive using undocumented CfAbortHydration API calls. PoC released by researcher Chaotic Eclipse after claims that Microsoft's 2020 patch for CVE-2020-17103 failed to fully remediate the issue. Confirmed functional on Windows 11 Pro with May 2026 updates but not in Windows 11 Insider Preview Canary builds.
Sources:
- New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released — www.bleepingcomputer.com — 18.05.2026 01:30
Information Snippets
- MiniPlasma exploit achieves SYSTEM privileges on fully patched Windows systems via a privilege escalation in the Cloud Filter driver (cldflt.sys).
First reported: 18.05.2026 01:30 · 1 source, 1 article
- The exploit targets the HsmOsBlockPlaceholderAccess routine and abuses undocumented CfAbortHydration API calls to manipulate registry keys in the .DEFAULT user hive without proper access controls.
First reported: 18.05.2026 01:30 · 1 source, 1 article
- The flaw was originally reported to Microsoft as CVE-2020-17103 by Google Project Zero researcher James Forshaw in September 2020 and allegedly patched in December 2020.
First reported: 18.05.2026 01:30 · 1 source, 1 article
- PoC exploit published by researcher "Chaotic Eclipse" on GitHub, demonstrating command shell execution with SYSTEM privileges on Windows 11 Pro with May 2026 Patch Tuesday updates.
First reported: 18.05.2026 01:30 · 1 source, 1 article
- The exploit does not work on the Windows 11 Insider Preview Canary build, indicating potential changes in the affected code paths.
First reported: 18.05.2026 01:30 · 1 source, 1 article