MiniPlasma Zero-Day Exploit Allows SYSTEM Privilege Escalation on Patched Windows Systems

A newly discovered zero-day vulnerability, dubbed MiniPlasma, allows attackers to escalate privileges to SYSTEM level on fully patched Windows machines. The flaw resides in the Windows Cloud Files Mini Filter Driver (cldflt.sys), specifically in the HsmOsBlockPlaceholderAccess routine.

Security researcher Chaotic Eclipse, known for uncovering the YellowKey and GreenPlasma vulnerabilities, has released a proof-of-concept (PoC) demonstrating the exploitability of MiniPlasma. The vulnerability was initially reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and was believed to have been addressed in December 2020 under CVE-2020-17103. However, recent findings suggest that the issue remains unpatched.

Chaotic Eclipse’s investigation revealed that the original PoC by Google still functions without modification, indicating that the vulnerability persists. The researcher has weaponized the PoC to spawn a SYSTEM shell, noting that while it works reliably on their machines, success rates may vary because the exploit depends on a race condition.

Security researcher Will Dormann confirmed that MiniPlasma opens a cmd.exe prompt with SYSTEM privileges on Windows 11 systems running the latest May 2026 updates. However, it does not appear to work on the latest Windows 11 Insider Preview Canary build.

In December 2025, Microsoft addressed another privilege escalation flaw in the same component (CVE-2025-62221, CVSS score: 7.8), which was exploited by unknown threat actors. The persistence of such vulnerabilities underscores the need for continuous vigilance and prompt patching in cybersecurity practices.

Users and administrators are advised to monitor official channels for updates and patches from Microsoft regarding this vulnerability. Implementing security best practices, such as limiting user privileges and monitoring system activity, can help mitigate potential exploitation risks.
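One way to act on the "monitoring system activity" advice is to look for the outcome reported above, a SYSTEM shell appearing in a standard user's session. The sketch below is an added example, not code from the researchers or from Microsoft. It joins process-creation records to their parents and flags a SYSTEM-integrity shell whose parent runs at Medium integrity or lower. Field names follow Sysmon Event ID 1; the events, the `LAB\alice` account and `unknown.exe` are constructed, and the assumption that the elevated shell is a child of the unprivileged process is not stated on this page.

```python
# Added example: constructed events, field names as in Sysmon Event ID 1.
RANK = {"Low": 1, "Medium": 2, "High": 3, "System": 4}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def ev(guid, parent_guid, image, user, level):
    """Build one process-creation record (constructed sample data)."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "User": user, "IntegrityLevel": level}

SAMPLE_EVENTS = [
    ev("A", None, r"C:\Windows\explorer.exe", r"LAB\alice", "Medium"),
    ev("B", "A", r"C:\Users\alice\Downloads\unknown.exe", r"LAB\alice", "Medium"),
    ev("C", "B", r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", "System"),
    ev("D", None, r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM", "System"),
    ev("E", "D", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM", "System"),
    ev("F", "E", r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", "System"),
    ev("G", "A", r"C:\Windows\System32\cmd.exe", r"LAB\alice", "Medium"),
]

def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_integrity_jumps(events, shells_only=True):
    """Return (parent, child) pairs where a SYSTEM-integrity child has a
    parent at Medium integrity or lower. Services and scheduled tasks start
    from SYSTEM parents, so that legitimate path is not matched."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None:
            continue  # parent creation not in this log window
        if child["IntegrityLevel"] != "System":
            continue
        # Unknown parent levels rank high so they never match by accident.
        if RANK.get(parent["IntegrityLevel"], 99) > RANK["Medium"]:
            continue
        if shells_only and image_name(child["Image"]) not in SHELLS:
            continue
        hits.append((parent, child))
    return hits

if __name__ == "__main__":
    for parent, child in find_integrity_jumps(SAMPLE_EVENTS):
        print(f'{parent["User"]} {parent["Image"]} ({parent["IntegrityLevel"]})'
              f' -> {child["User"]} {child["Image"]} ({child["IntegrityLevel"]})')
```

Passing `shells_only=False` widens the check to any SYSTEM-integrity child of a Medium-or-lower parent, at the cost of more results to triage.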

The discovery of MiniPlasma highlights the ongoing challenges in maintaining system security and the importance of collaborative efforts between researchers and vendors to address vulnerabilities promptly.