Windows MiniPlasma zero-day exploit grants full SYSTEM access, PoC out

▼ Summary
– A researcher released a proof-of-concept exploit called “MiniPlasma” that gives SYSTEM privileges on fully patched Windows systems by abusing the Cloud Filter driver.
– The exploit targets a flaw in the ‘cldflt.sys’ driver originally reported as CVE-2020-17103, which the researcher claims Microsoft never properly patched.
– BleepingComputer confirmed the exploit works on a fully patched Windows 11 system, opening a SYSTEM-level command prompt from a standard user account.
– The researcher has disclosed multiple Windows zero-days in recent weeks, including BlueHammer, RedSun, and YellowKey, citing protest against Microsoft’s bug bounty process.
– Microsoft has not yet responded to inquiries about this zero-day, but ThreatLocker recommends monitoring specific registry keys to detect exploitation.
A security researcher has released a working proof-of-concept exploit for a newly disclosed Windows zero-day vulnerability, named “MiniPlasma,” that allows attackers to achieve full SYSTEM-level access on completely up-to-date Windows systems.
The exploit, published on GitHub by the researcher known as Chaotic Eclipse (or Nightmare Eclipse), includes both source code and a compiled executable. The researcher claims Microsoft failed to properly patch a vulnerability originally reported in 2020.
The flaw resides in the ‘cldflt.sys’ Cloud Filter driver, specifically within its ‘HsmOsBlockPlaceholderAccess’ routine. This issue was first reported to Microsoft by Google Project Zero’s James Forshaw in September 2020, assigned CVE-2020-17103, and supposedly fixed in December 2020.
“After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched,” Chaotic Eclipse explained. “I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes.”
BleepingComputer tested the exploit on a fully patched Windows 11 Pro system with the latest May 2026 Patch Tuesday updates. Using a standard user account, running the exploit instantly opened a command prompt with SYSTEM privileges.
Will Dormann, principal vulnerability analyst at Tharros, confirmed the exploit works on the latest public Windows 11 build, though it does not function on the newest Windows 11 Insider Preview Canary build.
The exploit abuses how the Windows Cloud Filter driver manages registry key creation through an undocumented CfAbortHydration API. Forshaw’s original report noted the flaw could allow arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, enabling privilege escalation.
While Microsoft states the bug was fixed in December 2020, Chaotic Eclipse now demonstrates it remains exploitable. BleepingComputer has contacted Microsoft and will update this story with any response.
Update 5/18/26: Zero Trust platform ThreatLocker advised organizations to monitor these registry keys for modifications using their EDR platform to detect exploitation: `\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps` and `\Registry\User\.DEFAULT\Volatile Environment`.
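As an added illustration of the monitoring advice above (this is example code written for this page, not ThreatLocker's or the researcher's), the following script flags Sysmon-style registry events (Event ID 12 key create/delete, Event ID 13 value set) whose target falls under either of the two keys named in the advisory. It assumes a one-line `EventID=… Image=… TargetObject=…` record format and a handful of constructed sample events; the hive-alias mapping (HKU/HKEY_USERS to `\Registry\User`, HKLM to `\Registry\Machine`) is the standard one, needed because Sysmon logs Win32-style hive names while the advisory lists NT kernel paths.

```python
"""Flag registry events that touch the keys named in the ThreatLocker advisory.

Added example for this article (not ThreatLocker's or the researcher's code).
It normalises registry paths from Sysmon-style records to the NT kernel form
used in the advisory and reports any record under one of the watched keys.
"""
import re
from dataclasses import dataclass

# The two keys from the advisory, in NT kernel path form.
WATCHED_KEYS = (
    r"\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps",
    r"\Registry\User\.DEFAULT\Volatile Environment",
)

# Hive prefixes as Sysmon / Win32 tooling write them, mapped to NT kernel form.
_HIVE_ALIASES = {
    "HKEY_USERS": r"\Registry\User",
    "HKU": r"\Registry\User",
    "HKEY_LOCAL_MACHINE": r"\Registry\Machine",
    "HKLM": r"\Registry\Machine",
}


def normalize_registry_path(path: str) -> str:
    """Return the path in NT kernel form with single-backslash separators."""
    p = path.strip().replace("/", "\\")
    p = re.sub(r"\\{2,}", r"\\", p)          # collapse doubled separators
    head, sep, tail = p.partition("\\")
    alias = _HIVE_ALIASES.get(head.upper())
    if alias is not None:                    # HKU\... -> \Registry\User\...
        p = alias + (sep + tail if tail else "")
    return p


def _under(path: str, key: str) -> bool:
    """Case-insensitive test: is `path` equal to or beneath `key`?"""
    p, k = path.lower(), key.lower()
    return p == k or p.startswith(k + "\\")


@dataclass
class RegistryEvent:
    event_id: int   # Sysmon: 12 = key create/delete, 13 = value set
    image: str      # process that performed the registry operation
    target: str     # TargetObject exactly as logged


def parse_sysmon_line(line: str) -> RegistryEvent:
    """Parse a constructed one-line 'Key=Value Key=Value' record (assumed format)."""
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))
    return RegistryEvent(int(fields["EventID"]), fields["Image"], fields["TargetObject"])


def find_suspicious(lines):
    """Return (event, watched_key) pairs for registry events under a watched key."""
    hits = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if ev.event_id not in (12, 13):      # only registry events matter here
            continue
        path = normalize_registry_path(ev.target)
        for key in WATCHED_KEYS:
            if _under(path, key):
                hits.append((ev, key))
                break
    return hits


# Constructed sample records: two should match, two are benign noise.
SAMPLE_EVENTS = [
    r"EventID=12 Image=C:\Users\alice\Desktop\unknown.exe TargetObject=HKU\.DEFAULT\Volatile Environment\Foo",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Volatile Environment\LOGONSERVER",
    r"EventID=12 Image=C:\Windows\System32\svchost.exe TargetObject=\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps",
    r"EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
]

if __name__ == "__main__":
    for ev, key in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT event {ev.event_id} by {ev.image}: {ev.target} (watched: {key})")
```

Prefix matching rather than exact matching is deliberate: a key created beneath `\Registry\User\.DEFAULT\Volatile Environment` is exactly the kind of write the advisory is concerned with, and it would be missed by an equality check on the parent key alone. Writes to per-user `Volatile Environment` keys under a SID hive are normal and are not flagged.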
MiniPlasma is the latest in a series of Windows zero-day disclosures from this researcher over recent weeks. The spree began in April with BlueHammer (CVE-2026-33825), a local privilege escalation flaw, followed by RedSun, another privilege escalation bug, and UnDefend, a Windows Defender denial-of-service tool. All three were spotted being exploited in attacks, and the researcher claims Microsoft silently patched RedSun without a CVE.
This month, the researcher also released YellowKey and GreenPlasma. YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025, spawning a command shell that accesses unlocked drives protected by TPM-only BitLocker configurations.
Chaotic Eclipse has stated these public disclosures are a protest against Microsoft’s bug bounty and vulnerability-handling processes. “Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did,” the researcher alleged. “They mopped the floor with me and pulled every childish game they could. It was so bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.”
Microsoft previously told BleepingComputer it supports coordinated vulnerability disclosure and is committed to investigating reported security issues and protecting customers through updates.
(Source: BleepingComputer)