Zero-Day Exploit ‘MiniPlasma’ Allows SYSTEM Access on Patched Windows, PoC Released, Patch Urgently Needed

Critical ‘MiniPlasma’ Zero-Day Exploit Grants SYSTEM Access on Fully Patched Windows Systems

A newly disclosed zero-day vulnerability, dubbed MiniPlasma, poses a significant security risk to Windows users by allowing attackers to escalate privileges and gain SYSTEM-level access on fully updated systems. Security researcher Nightmare-Eclipse released a proof-of-concept (PoC) exploit on GitHub on May 13, 2026, highlighting that a flaw initially reported six years ago remains unpatched.

Background of the Vulnerability

The MiniPlasma exploit targets the `cldflt.sys` Cloud Filter driver, specifically its `HsmOsBlockPlaceholderAccess` routine. This vulnerability was first identified and reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. Microsoft assigned it the identifier CVE-2020-17103 and claimed to have addressed the issue in December 2020 as part of their Patch Tuesday updates.

However, recent findings by Nightmare-Eclipse indicate that the vulnerability persists. The researcher found that the same issue documented in Forshaw’s original report remains exploitable, with no modifications to the original proof-of-concept code required. This suggests that Microsoft’s previous patch was either ineffective or has since been silently rolled back.

Technical Details of the Exploit

The vulnerability allows unprivileged users to create arbitrary registry keys within the `.DEFAULT` user hive without proper access checks. The flaw lies in how the `HsmOsBlockPlaceholderAccess` function handles registry key creation: it fails to specify the `OBJ_FORCE_ACCESS_CHECK` flag. Because the driver creates the key from kernel mode, the object manager treats the request as trusted and skips the access check unless that flag is set, so the user’s token is never checked against the key’s security descriptor. This oversight enables attackers to bypass normal access restrictions and write keys to the `.DEFAULT` user hive, even though standard users typically lack such permissions.

The exploit leverages a race condition that toggles between user and anonymous tokens to manipulate the `RtlOpenCurrentUser` function in the kernel. When the race condition succeeds, the system opens the `.DEFAULT` hive for writing while the thread impersonation is reverted, allowing unauthorized key creation.

Nightmare-Eclipse’s proof-of-concept demonstrates reliable exploitation on multi-core systems by spawning a SYSTEM shell after successfully winning the race condition. Testing confirmed that running the exploit from a standard user account successfully opens a command prompt with SYSTEM privileges, granting attackers complete control over the compromised machine.

Implications and Affected Systems

The vulnerability affects all Windows versions, making it a significant threat to enterprise environments, workstations, and cloud-synchronized systems. The Cloud Filter driver component is integral to Windows cloud storage synchronization services like OneDrive, meaning the vulnerable code runs on a broad range of Windows installations.

The public availability of working exploit code significantly increases the risk of exploitation. Organizations should monitor Microsoft’s security response and prepare to deploy patches as soon as they become available.

Recommendations for Mitigation

While awaiting an official patch from Microsoft, organizations and individual users can take the following steps to mitigate the risk:

1. Limit User Privileges: Ensure that users operate with the least privileges necessary for their tasks. Restricting administrative rights can reduce the potential impact of an exploit.

2. Monitor System Activity: Implement monitoring solutions to detect unusual activities, such as unexpected registry modifications or the execution of unauthorized processes.

3. Apply Security Updates Promptly: Stay informed about security updates from Microsoft and apply them as soon as they are released.

4. Educate Users: Train users to recognize phishing attempts and other common attack vectors that could be used to deliver exploits.
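Mitigation step 2 above asks for monitoring of unexpected registry modifications. As an added example (not code from the article or from the MiniPlasma proof-of-concept), the Python script below scans registry-creation events and flags key creation under `HKU\.DEFAULT` by any account other than SYSTEM, which is the observable side effect the article attributes to this bug. The key=value line format and the sample events are constructed for illustration, with field names modelled on Sysmon Event ID 12 (RegistryEvent: object create/delete); adapt the parser to whatever your telemetry pipeline emits.

```python
# Added example (not from the article or the MiniPlasma PoC): flag registry key
# creation under the .DEFAULT user hive by a non-SYSTEM principal.
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Field names mirror Sysmon
# Event ID 12 fields: EventType, TargetObject, Image, User. Line format is assumed.
SAMPLE_EVENTS = [
    'EventID=12 EventType=CreateKey TargetObject="HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" Image="C:\\Users\\alice\\Downloads\\tool.exe" User="DESKTOP\\alice"',
    'EventID=12 EventType=CreateKey TargetObject="HKU\\.DEFAULT\\Software\\Classes\\Local Settings" Image="C:\\Windows\\System32\\svchost.exe" User="NT AUTHORITY\\SYSTEM"',
    'EventID=12 EventType=CreateKey TargetObject="HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Foo" Image="C:\\Users\\alice\\app.exe" User="DESKTOP\\alice"',
    'EventID=13 EventType=SetValue TargetObject="HKU\\.DEFAULT\\Software\\Foo\\Bar" Image="C:\\Users\\bob\\x.exe" User="DESKTOP\\bob"',
    'EventID=12 EventType=DeleteKey TargetObject="HKU\\.DEFAULT\\Software\\Foo" Image="C:\\Users\\bob\\x.exe" User="DESKTOP\\bob"',
]

# key=value pairs; quoted values may contain spaces (e.g. "Local Settings").
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Principals that legitimately write to the .DEFAULT hive (services run as SYSTEM).
TRUSTED_USERS = {"NT AUTHORITY\\SYSTEM"}

DEFAULT_HIVE_PREFIX = "HKU\\.DEFAULT\\"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def is_default_hive_key_creation(ev: Dict[str, str]) -> bool:
    """True when a non-SYSTEM principal created a key under HKU\\.DEFAULT."""
    if ev.get("EventID") != "12" or ev.get("EventType") != "CreateKey":
        return False
    target = ev.get("TargetObject", "")
    if not target.upper().startswith(DEFAULT_HIVE_PREFIX.upper()):
        return False
    return ev.get("User", "") not in TRUSTED_USERS


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events worth alerting on, in their original order."""
    return [ev for ev in map(parse_event, lines) if is_default_hive_key_creation(ev)]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f'ALERT: {ev["User"]} via {ev["Image"]} created {ev["TargetObject"]}')
```

Only the first sample line is reported: SYSTEM writing to `.DEFAULT` is expected, a standard user writing to their own SID-named hive is normal, and value sets and deletions are outside the rule. Tune `TRUSTED_USERS` to the service accounts that legitimately touch this hive in your environment before deploying it as an alert.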

Conclusion

The disclosure of the MiniPlasma zero-day exploit underscores the importance of vigilant cybersecurity practices and the need for timely patching of vulnerabilities. Organizations must remain proactive in monitoring for threats and implementing security measures to protect their systems from potential exploitation.