
New Windows 'MiniPlasma' Zero-Day Exploit Gives SYSTEM Access, PoC Released
Why It Matters
If unaddressed, MiniPlasma gives attackers full system control on up‑to‑date Windows machines, raising immediate risk for enterprises and prompting urgent patch verification.
Key Takeaways
- MiniPlasma exploits the cldflt.sys driver, gaining SYSTEM rights
- Works on fully patched Windows 11 with the May 2026 updates
- Fails on the latest Windows 11 Insider Canary build
- Flaw originally reported as CVE-2020-17103, supposedly patched
- Researcher releases exploits to protest Microsoft’s vulnerability process
Pulse Analysis
The MiniPlasma vulnerability underscores a persistent weakness in Windows’ Cloud Filter driver, a component that mediates file‑system operations for cloud‑based services. Although Microsoft announced a fix for CVE-2020-17103 in December 2020, the recent proof‑of‑concept demonstrates that the underlying code path, specifically the HsmOsBlockPlaceholderAccess routine, remains exploitable. By leveraging an undocumented CfAbortHydration API, attackers can create arbitrary registry keys in the *.DEFAULT* hive, effectively bypassing access checks and elevating a standard user to SYSTEM. This technical nuance highlights how legacy driver code can linger unnoticed even after official patches, creating a hidden attack surface for sophisticated threat actors.
For enterprise security teams, MiniPlasma presents an immediate operational challenge. The exploit works on machines that have applied all May 2026 updates, meaning conventional patch‑management tools may give a false sense of safety. Organizations must therefore augment their defenses with behavior‑based detection, monitoring for anomalous registry modifications and unexpected command‑prompt launches under SYSTEM. Incident response playbooks should incorporate rapid containment steps for privilege‑escalation attempts, and vulnerability‑management processes need to verify the integrity of the cldflt.sys driver across the fleet. The fact that the bug does not affect the latest Insider Canary build suggests Microsoft may have introduced a silent rollback or an undocumented mitigation, but until an official advisory is issued, risk remains high.
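The two behaviours the analysis above recommends monitoring (registry activity under the .DEFAULT hive and a command prompt starting as SYSTEM) can be turned into concrete detection logic. The following is an added example written for this page; it is not code from the article, from Microsoft, or from the researcher's PoC. It runs over constructed Sysmon-style events embedded inline (not real telemetry), and the field names, the allow-lists of expected SYSTEM parents and .DEFAULT writers, and the five-minute correlation window are assumptions to tune against a fleet baseline.

```python
# Added example, not from the article or the MiniPlasma PoC: detection rules for
# .DEFAULT-hive writes and SYSTEM shells from unexpected parents, plus a simple
# correlation of the two on the same host. Input is constructed Sysmon-style
# telemetry; allow-lists and the time window are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Parents that legitimately start SYSTEM processes (assumption: typical service hosts).
EXPECTED_SYSTEM_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
}

# Processes expected to touch HKU\.DEFAULT (assumption; extend from a baseline).
DEFAULT_HIVE_WRITERS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int            # Sysmon: 1 = process create, 12/13 = registry key/value
    image: str
    user: str
    parent_image: str = ""   # event 1 only
    target_object: str = ""  # events 12/13 only (Sysmon writes HKEY_USERS as HKU\)


def is_system(user: str) -> bool:
    return user.upper() in {r"NT AUTHORITY\SYSTEM", "SYSTEM"}


def flag_default_hive_write(ev: Event) -> Optional[dict]:
    """Registry activity under HKU\\.DEFAULT from a process that is not a known writer."""
    if ev.event_id not in (12, 13):
        return None
    if not ev.target_object.lower().startswith("hku\\.default\\"):
        return None
    if ev.image.lower() in DEFAULT_HIVE_WRITERS:
        return None
    return {"host": ev.host, "ts": ev.ts, "rule": "default_hive_write", "severity": "medium",
            "detail": f"{ev.image} ({ev.user}) -> {ev.target_object}"}


def flag_system_shell(ev: Event) -> Optional[dict]:
    """A shell running as SYSTEM whose parent is not a service host."""
    if ev.event_id != 1 or not is_system(ev.user):
        return None
    if ev.image.rsplit("\\", 1)[-1].lower() not in SHELLS:
        return None
    if ev.parent_image.lower() in EXPECTED_SYSTEM_PARENTS:
        return None
    return {"host": ev.host, "ts": ev.ts, "rule": "system_shell_unexpected_parent", "severity": "high",
            "detail": f"{ev.image} as {ev.user}, parent {ev.parent_image}"}


def analyze(events, window: timedelta = timedelta(minutes=5)) -> list:
    """Run both rules, then escalate when a .DEFAULT write on a host is followed within
    `window` by a SYSTEM shell on the same host (registry keys planted, then a SYSTEM
    command prompt, which is the sequence the article describes)."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in (flag_default_hive_write, flag_system_shell):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    chains = []
    for shell in [f for f in findings if f["rule"] == "system_shell_unexpected_parent"]:
        for write in [f for f in findings if f["rule"] == "default_hive_write"]:
            if write["host"] == shell["host"] and timedelta(0) <= shell["ts"] - write["ts"] <= window:
                chains.append({"host": shell["host"], "ts": shell["ts"], "rule": "escalation_chain",
                               "severity": "critical",
                               "detail": f"{write['detail']} then {shell['detail']}"})
                break
    return findings + chains


# Constructed sample telemetry (not real logs). WS01 shows the suspicious sequence;
# WS02 shows the same event types in their benign, service-originated form.
T0 = datetime(2026, 5, 20, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "WS01", 12, r"C:\Users\alice\Downloads\tool.exe", r"CORP\alice",
          target_object=r"HKU\.DEFAULT\Software\ConstructedKey"),
    Event(T0 + timedelta(seconds=40), "WS01", 1, r"C:\Windows\System32\cmd.exe",
          r"NT AUTHORITY\SYSTEM", parent_image=r"C:\Users\alice\Downloads\tool.exe"),
    Event(T0 + timedelta(minutes=1), "WS02", 13, r"C:\Windows\System32\svchost.exe",
          r"NT AUTHORITY\SYSTEM", target_object=r"HKU\.DEFAULT\Control Panel\Desktop"),
    Event(T0 + timedelta(minutes=2), "WS02", 1, r"C:\Windows\System32\cmd.exe",
          r"NT AUTHORITY\SYSTEM", parent_image=r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']:8}] {f['host']} {f['ts']:%H:%M:%S} {f['rule']}: {f['detail']}")
```

Run on the sample, WS01 produces a medium, a high and a critical finding while WS02 produces none. The two single-event rules will fire on legitimate administration now and then, which is why the correlation step exists: the combination of an unexpected .DEFAULT write and a SYSTEM shell on the same host within minutes is what separates an escalation from noise. The allow-lists should be built from each fleet's own baseline before the rules go into production.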
MiniPlasma is the latest in a series of disclosures by Chaotic Eclipse, who has also published BlueHammer, RedSun, YellowKey, and GreenPlasma exploits. This pattern reflects growing frustration among independent researchers with Microsoft’s bug‑bounty and disclosure policies, and it signals a potential shift toward more public releases of critical flaws. Companies should anticipate a higher frequency of such zero‑days and consider engaging directly with the security community through coordinated disclosure programs. Strengthening these channels can reduce the incentive for public releases, improve patch timelines, and ultimately protect the broader Windows ecosystem from systemic privilege‑escalation threats.