Critical Windows Zero-Day ‘MiniPlasma’ Exploit Grants SYSTEM Privileges; Affects Latest Updates

Critical ‘MiniPlasma’ Zero-Day Vulnerability Grants SYSTEM Privileges on Fully Patched Windows Systems

A newly disclosed zero-day vulnerability, dubbed MiniPlasma, has been identified in the Windows operating system, allowing attackers to escalate privileges to SYSTEM level on fully updated systems. This critical flaw is in cldflt.sys, the Windows Cloud Files Mini Filter Driver, specifically in its HsmOsBlockPlaceholderAccess routine.

The vulnerability was initially reported to Microsoft in September 2020 by James Forshaw of Google Project Zero. It was believed to have been addressed in December 2020 under CVE-2020-17103. However, recent findings by security researcher Chaotic Eclipse indicate that the issue remains unpatched. Chaotic Eclipse, known for uncovering the YellowKey and GreenPlasma vulnerabilities, has released a proof-of-concept (PoC) exploit demonstrating the flaw’s potential to spawn a SYSTEM-level shell. The researcher noted that while the exploit works reliably on their machines, success rates may vary because the vulnerability is a race condition.

Security expert Will Dormann confirmed the exploit’s effectiveness, stating that MiniPlasma reliably opens a command prompt with SYSTEM privileges on Windows 11 systems with the latest May 2026 updates. Dormann also observed that the exploit does not function on the latest Insider Preview Canary build of Windows 11.

This revelation underscores the persistent challenges in patch management and the importance of continuous security assessments. Users and administrators are advised to monitor official channels for updates and apply patches promptly once available.