
MiniPlasma Windows 0-Day Elevates Privileges to SYSTEM on Patched Systems

Summary

– Security researcher Chaotic Eclipse released a proof-of-concept for a Windows privilege escalation zero-day flaw named MiniPlasma, which grants SYSTEM privileges on fully patched Windows systems.
– The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys) and was originally reported to Microsoft by Google Project Zero in September 2020.
– Although Microsoft was thought to have fixed the issue in December 2020 as CVE-2020-17103, Chaotic Eclipse found the same flaw remains unpatched.
– The researcher weaponized the original Google PoC to spawn a SYSTEM shell, noting success rates may vary due to a race condition, and that all Windows versions are likely affected.
– Security researcher Will Dormann confirmed MiniPlasma works reliably on Windows 11 with the latest May 2026 updates, but not on the latest Insider Preview Canary build.

A security researcher known as Chaotic Eclipse has released a proof-of-concept (PoC) exploit for a previously undisclosed Windows zero-day vulnerability that can elevate privileges to SYSTEM on fully patched systems. The flaw, dubbed MiniPlasma, targets the Windows Cloud Files Mini Filter Driver (“cldflt.sys”), specifically a routine called “HsmOsBlockPlaceholderAccess.”

Originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020, this vulnerability was thought to have been resolved with the December 2020 patch for CVE-2020-17103. However, Chaotic Eclipse now claims the issue remains active. “Further investigation has uncovered that the exact same issue is actually still present, unpatched,” the researcher stated. They expressed uncertainty about whether Microsoft simply never fixed the flaw or whether the patch was silently rolled back. “The original PoC by Google worked without any changes,” they added.

To demonstrate the severity, Chaotic Eclipse weaponized the original PoC to spawn a SYSTEM shell. The exploit relies on a race condition, so reliability varies across systems. The researcher noted that all Windows versions are likely affected by this vulnerability.

Independent security expert Will Dormann confirmed the exploit’s effectiveness on Mastodon. He reported that MiniPlasma works “reliably” to open a “cmd.exe” prompt with SYSTEM privileges on Windows 11 systems running the latest May 2026 updates. However, he noted it does not appear to function on the latest Insider Preview Canary build of Windows 11.

This disclosure follows Microsoft’s December 2025 patch for another privilege escalation flaw in the same component, tracked as CVE-2025-62221 with a CVSS score of 7.8. That vulnerability was confirmed to have been exploited by unknown threat actors. The persistence of MiniPlasma raises serious questions about the thoroughness of Microsoft’s patching process for this driver.

(Source: Internet)
