
New Windows ‘MiniPlasma’ zero-day exploit gives SYSTEM access, PoC released

A cybersecurity researcher has released a proof-of-concept Windows privilege escalation exploit called “MiniPlasma” that allows attackers to gain SYSTEM privileges on fully patched Windows systems.

The exploit was published by a researcher known as Chaotic Eclipse, or Nightmare Eclipse, who released the source code and a compiled build on GitHub after alleging that Microsoft failed to properly patch a vulnerability first reported in 2020.

According to the researcher, the bug lies in the ‘HsmOsBlockPlaceholderAccess’ routine of the ‘cldflt.sys’ Cloud Filter driver and was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.

At the time, the bug was assigned the identifier CVE-2020-17103 and was reportedly fixed in December 2020.

“After investigation, it turned out that the same issue reported to Microsoft by Google’s Project Zero actually still exists, it just hasn’t been published,” Chaotic Eclipse explained.

“I’m not sure if Microsoft never patched the problem or if the patch was quietly rolled back at some point for unknown reasons. Google’s original PoC worked without any changes.”

BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates.

In our test, we used a standard user account, and after running the exploit, it opened a command prompt with SYSTEM privileges, as shown in the image below.

Project Zero issue tracker: https://project-zero.issues.chromium.org/issues/42451192

[Image] The MiniPlasma exploit successfully granted Windows SYSTEM privileges
Source: BleepingComputer

Will Dormann, chief risk analyst at Tharros, also confirmed that the exploit works in his tests on the latest public version of Windows 11. However, he said the exploit does not work on the latest Windows 11 Insider Preview Canary build.

The exploit appears to abuse the way the Windows Cloud Filter driver handles registry key creation via the undocumented CfAbortHydration API. Forshaw’s original report said the flaw could allow arbitrary registry keys to be created under the .DEFAULT user registry hive without proper access checks, potentially enabling privilege escalation.

While Microsoft stated that it had fixed the bug as part of the December 2020 Patch Tuesday updates, Chaotic Eclipse now says that the vulnerability can still be exploited.

BleepingComputer has contacted Microsoft about this additional zero-day and will update this story when we hear back.

The researcher behind the latest series of Windows zero-days

MiniPlasma is the latest in a series of Windows zero-day disclosures published by the researcher over the past few weeks.

The disclosures began in April with BlueHammer, a Windows privilege escalation bug tracked as CVE-2026-33825, followed by another privilege escalation vulnerability, RedSun, and the Windows Defender denial-of-service tool, UnDefend.

After their disclosure, all three vulnerabilities were seen being exploited in attacks. According to the researcher, Microsoft quietly closed the RedSun issue without assigning it a CVE identifier.

This month, the researcher also published two additional releases called YellowKey and GreenPlasma.

YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that opens a command shell providing access to drives protected by BitLocker’s TPM-only configuration.

Chaotic Eclipse has previously stated that they are publicly releasing these Windows zero-days in protest against Microsoft’s bug bounty and vulnerability management process.

“Normally, I would have made a plan and begged them to fix the problem but let me sum it up. I was told by them that they will ruin my life and they did that and I don’t know if I am the only one who has this problem or if there are only a few people who have faced this problem but I think most of them would just eat it and cut their losses but for me they took everything,” said the researcher.

“They messed with me and pulled all the childish games they could. It got so bad at one point I wondered if I was working with a big company or someone who was happy to see me suffer but it seems to be a collective decision.”

Microsoft previously told BleepingComputer that it supports coordinated vulnerability disclosure and is committed to investigating reported security issues and protecting customers with updates.
