A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed "MiniPlasma" that lets attackers gain SYSTEM privileges on fully patched Windows systems.
The exploit was published by a researcher known as Chaotic Eclipse, or Nightmare Eclipse, who released both the source code and a compiled executable on GitHub after claiming that
Microsoft failed to properly patch a previously reported 2020 vulnerability.
According to the researcher, the flaw impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. At the time, the flaw was assigned the CVE-2020-17103 identifier and reportedly fixed in December 2020.
"After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched," explains Chaotic Eclipse. "I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes."
BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates. In the test, a standard user account was used, and after running the exploit, it opened a command prompt with SYSTEM privileges.
Will Dormann, principal vulnerability analyst at Tharros, also confirmed the exploit works in his tests on the latest public version of Windows 11. However, he said that the flaw does not work in the latest Windows 11 Insider Preview Canary build.
The exploit appears to abuse how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. Forshaw's original report said that the flaw could allow arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, potentially enabling privilege escalation.
While Microsoft reports having fixed the bug as part of its December 2020 Microsoft Patch Tuesday, Chaotic Eclipse now claims the vulnerability can still be exploited. BleepingComputer contacted Microsoft about this additional zero-day and will update this story if a response is received.
MiniPlasma is the latest in a string of Windows zero-day disclosures published by the researcher over the past several weeks. The disclosure spree began in April with BlueHammer, a Windows local privilege escalation flaw tracked as CVE-2026-33825, followed by another privilege escalation vulnerability, RedSun, and a Windows
Defender DoS tool, UnDefend. After their disclosure, all three vulnerabilities were spotted being exploited in attacks. According to the researcher, Microsoft silently patched the RedSun issue without assigning it a CVE identifier.
This month, the researcher also released two additional exploits named YellowKey and GreenPlasma. YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that spawns a command shell that gives access to unlocked drives protected by TPM-only BitLocker configurations.
Chaotic Eclipse has previously stated that they are publicly disclosing these Windows zero-days in protest of Microsoft's bug bounty and vulnerability-handling process. "Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I'm not sure if I was the only who had this horride experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything," alleged the researcher.
Expert Take: Cloud administrators should test the publicly available MiniPlasma PoC in isolated lab environments and monitor Cloud Filter driver activity for signs of registry abuse in the DEFAULT hive until Microsoft provides an official patch.
