MiniPlasma zero-day lets local user gain SYSTEM on Windows

A researcher released a proof-of-concept for MiniPlasma, a cldflt.sys flaw in HsmOsBlockPlaceholderAccess that can elevate a local process to SYSTEM on fully patched Windows.

Security researcher Chaotic Eclipse published a proof-of-concept (PoC) for a local privilege escalation vulnerability named MiniPlasma that targets the Windows Cloud Files Mini Filter Driver (cldflt.sys). The exploit can elevate a process to SYSTEM on fully patched Windows machines.

The bug is in a routine called HsmOsBlockPlaceholderAccess. The flaw was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and was tracked as CVE-2020-17103 after a December 2020 update. Chaotic Eclipse reported that further analysis showed the “exact same issue” remains present and that the original PoC “worked without any changes.” The researcher modified the PoC to spawn a SYSTEM shell and noted the exploit relies on a race condition, so “success rate may vary.” Chaotic Eclipse wrote they were unsure whether the original fix was never implemented or if a patch was later rolled back.

Security researcher Will Dormann posted on Mastodon that MiniPlasma works “reliably” to launch a cmd.exe prompt with SYSTEM privileges on Windows 11 systems running the May 2026 updates. Dormann added the exploit did not appear to work on the latest Insider Preview Canary build he tested.

The Cloud Files Mini Filter Driver handles placeholder file operations used by cloud file synchronization features. Microsoft addressed a separate privilege escalation in the same component in December 2025, tracked as CVE-2025-62221, which the company said had been exploited by unknown actors.

When the PoC succeeds, it raises a local process to the SYSTEM account, which has the highest privileges on Windows. Chaotic Eclipse indicated that all Windows versions are likely affected given the component and routine involved, and that the race-condition nature of the bug means reliability can vary by system and configuration.

Chaotic Eclipse released the weaponized PoC publicly after confirming the original exploit still worked. The public release means administrators and security teams should review systems that use cloud placeholders and monitor for any official updates or guidance from Microsoft.
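For the review the article recommends, the following PowerShell snippet is an added example (it is not from the article, from Microsoft, or from the researcher's PoC). It inventories the Cloud Files Mini Filter Driver on one host: whether cldflt.sys is present, its file version and Authenticode signature, whether the kernel service is running, and whether the minifilter is currently attached according to `fltmc`. It assumes the standard driver location under `System32\drivers` and an elevated session, since `fltmc` needs administrator rights; it does not claim to know which driver version carries a fix, because no such version has been published.

```powershell
# Added example (not from the article or the researcher's PoC): inventory the
# Cloud Files Mini Filter Driver on a Windows host so an administrator can see
# whether cldflt.sys is present and loaded, and record its version and signature
# for comparison against whatever guidance Microsoft publishes.
# Assumes the standard driver path under System32\drivers; run from an elevated
# PowerShell session because 'fltmc' requires administrator rights.

function Get-CldfltStatus {
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        FilePresent  = Test-Path $driverPath
        FileVersion  = $null
        Signer       = $null
        SignatureOk  = $null
        ServiceState = $null
        FilterLoaded = $false
    }

    if ($result.FilePresent) {
        $item = Get-Item $driverPath
        $result.FileVersion = $item.VersionInfo.FileVersion
        $sig = Get-AuthenticodeSignature -FilePath $driverPath
        $result.Signer      = $sig.SignerCertificate.Subject
        $result.SignatureOk = ($sig.Status -eq 'Valid')
    }

    # Win32_SystemDriver reports whether the kernel-mode service is running.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='cldflt'" -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceState = $svc.State }

    # 'fltmc filters' lists the minifilters currently attached; the driver has to
    # be loaded for the affected routine to be reachable at all.
    $loaded = (& fltmc.exe filters 2>$null) | Where-Object { $_ -match '^\s*cldflt\b' }
    $result.FilterLoaded = [bool]$loaded

    [pscustomobject]$result
}

Get-CldfltStatus | Format-List
```

Running this across a fleet (for example through Invoke-Command) gives a baseline of which hosts actually have the filter loaded and which driver build they carry, so that when Microsoft publishes a fix the affected population can be confirmed by comparing the recorded FileVersion rather than by patch-list guesswork.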

Microsoft has not provided a public statement attached to Chaotic Eclipse’s disclosure. The researcher’s posts and the available PoC contain technical details that may enable defensive checks and hunting for related activity while a vendor response is pending.
