MiniPlasma zero-day grants SYSTEM on patched Windows
Chaotic Eclipse released a proof-of-concept for MiniPlasma, a cldflt.sys zero-day that can elevate local accounts to SYSTEM on fully patched Windows; the flaw was first reported in 2020.
Security researcher Chaotic Eclipse published a proof-of-concept for a Windows privilege-escalation zero-day called MiniPlasma. The exploit targets the Cloud Files Mini Filter Driver, cldflt.sys, and a routine named HsmOsBlockPlaceholderAccess. The PoC shows a local user can be elevated to the SYSTEM account on fully patched Windows installations.
The bug was first reported to Microsoft in September 2020 by James Forshaw of Google Project Zero. Microsoft recorded a related issue in December 2020 as CVE-2020-17103 and issued changes at that time. Chaotic Eclipse reported that further analysis found the same flaw still present in cldflt.sys.
Chaotic Eclipse adapted the original proof-of-concept to spawn a SYSTEM shell. The researcher wrote that the Google PoC ran “without any changes” and that the weaponized exploit “seems to work reliably” on their machines, while noting success rates may vary because the bug relies on a race condition.
Independent testing by security researcher Will Dormann found MiniPlasma can “reliably” open a cmd.exe prompt with SYSTEM privileges on Windows 11 installations running the May 2026 updates. Dormann added that the exploit did not appear to work on the latest Windows 11 Insider Preview Canary build.
Chaotic Eclipse and other researchers reported that multiple Windows releases are likely affected, though full coverage has not been confirmed. The vulnerability enables elevation to the SYSTEM account, which grants the highest local access on Windows and can be combined with other flaws or local access to take full control of an affected machine.
Microsoft fixed a separate privilege-escalation vulnerability in cldflt.sys in December 2025, recorded as CVE-2025-62221 with a CVSS score of 7.8; Microsoft stated that bug had been exploited by unknown actors. Chaotic Eclipse wrote they were “unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons.”
At the time of the proof-of-concept release there was no public Microsoft statement addressing MiniPlasma. With a public PoC available, researchers warn attackers could adapt the code. System administrators and users should monitor Microsoft security updates and apply any fixes to cldflt.sys when they are released.
Articles by this author
