"After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched," explains Chaotic Eclipse.
Chaotic Eclipse releases MiniPlasma proof‑of‑concept
A researcher who uses the names Chaotic Eclipse and Nightmare Eclipse published a proof‑of‑concept (PoC) exploit for a Windows local privilege escalation zero‑day dubbed "MiniPlasma." The researcher posted both source code and a compiled executable on GitHub after asserting that Microsoft failed to properly patch a vulnerability originally reported in 2020.
The released exploit is claimed to grant SYSTEM privileges on fully patched Windows systems. The researcher said the issue affects the Cloud Filter driver (cldflt.sys) and specifically its HsmOsBlockPlaceholderAccess routine.
CVE history: CVE‑2020‑17103 and the original Google Project Zero report
The flaw was originally reported to Microsoft in September 2020 by Google Project Zero researcher James Forshaw and was assigned CVE‑2020‑17103. According to the original report cited by the new disclosure, the vulnerability could allow arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, enabling privilege escalation.
Microsoft has previously stated it fixed the issue as part of its December 2020 Patch Tuesday. Chaotic Eclipse now contends that the same issue remains exploitable in current public Windows releases and that the original Google PoC "worked without any changes."
Independent testing: BleepingComputer and Tharros confirmation
BleepingComputer tested the MiniPlasma exploit on a fully patched Windows 11 Pro system running the May 2026 Patch Tuesday updates. Using a standard user account, BleepingComputer reported that running the exploit opened a command prompt with SYSTEM privileges.
Will Dormann, principal vulnerability analyst at Tharros, also confirmed the exploit works in his tests on the latest public version of Windows 11. Dormann noted that the flaw did not work in the latest Windows 11 Insider Preview Canary build, indicating a difference between the public release and that Insider channel build.
How MiniPlasma works and related disclosures
The exploit appears to abuse how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API, mirroring the mechanism described in Forshaw's original report. The researcher argues Microsoft either never patched the issue or that a patch was "silently rolled back at some point for unknown reasons."
MiniPlasma is the latest disclosure in a recent string of Windows zero‑days published by the same researcher. The spree began in April with BlueHammer (tracked as CVE‑2026‑33825), followed by other releases including RedSun and a Windows Defender denial‑of‑service tool called UnDefend. Chaotic Eclipse also released two additional exploits this month named YellowKey and GreenPlasma. The researcher has said RedSun was silently patched by Microsoft without assignment of a CVE identifier.
YellowKey is described by the researcher as a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that spawns a command shell giving access to unlocked drives protected by TPM‑only BitLocker configurations. UnDefend was characterized as a Windows Defender DoS tool.
What this means for technologists, enterprises, and defenders
- Technologists and security teams: Teams that manage Windows 11 deployments should be aware that a public PoC and a compiled exploit exist on GitHub for a vulnerability tied to cldflt.sys and the CfAbortHydration API. Tests reported by BleepingComputer and Tharros indicate the exploit can elevate a standard user to SYSTEM on current public builds; teams will likely want to validate whether their environments are affected and monitor for Microsoft advisories.
- Enterprises and IT leaders: Organizations running Windows 11 should note that the disclosure claims the issue survived a December 2020 patch. The availability of a working PoC means risk modeling and patch verification exercises should be prioritized, particularly for privileged hosts and endpoints with multi‑user access.
- Defenders and incident responders: The public release of exploit source code and a compiled binary increases the chance of in‑the‑wild misuse. Defenders should monitor for suspicious activity involving cldflt.sys and for the creation of registry keys in the .DEFAULT hive, as described in the original report.
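One way to act on the last point, as an added example (not code from BleepingComputer, the researcher or Microsoft): a triage pass over registry key-creation telemetry that flags keys created in the .DEFAULT hive by accounts other than the built-in service identities. The events are constructed samples with field names modelled on Sysmon Event ID 12, and it is an assumption that such telemetry attributes the creation to the calling user's process.

```python
# CONSTRUCTED sample events; field names modelled on Sysmon Event ID 12 (assumption).
SAMPLE_EVENTS = [
    {"id": 1, "EventType": "CreateKey", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKU\\.DEFAULT\\Software\\ConstructedVendor"},
    {"id": 2, "EventType": "CreateKey", "User": "LAB\\alice",
     "Image": "C:\\Users\\alice\\Downloads\\sample.exe",
     "TargetObject": "HKU\\.DEFAULT\\ConstructedKey"},
    {"id": 3, "EventType": "CreateKey", "User": "LAB\\bob",
     "Image": "C:\\Temp\\tool.exe",
     "TargetObject": "\\REGISTRY\\USER\\.default\\Another\\Key"},
    {"id": 4, "EventType": "CreateKey", "User": "LAB\\bob",
     "Image": "C:\\Temp\\tool.exe",
     "TargetObject": "HKU\\S-1-5-18_Classes\\ConstructedKey"},
]

# Accounts expected to write to the LocalSystem profile hive.
EXPECTED_WRITERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}
# HKU\.DEFAULT and HKU\S-1-5-18 are the same hive under two names.
DEFAULT_ROOTS = ("HKU\\.DEFAULT", "HKU\\S-1-5-18")

def normalize_key(path):
    """Fold case and map HKEY_USERS / \\REGISTRY\\USER spellings to HKU\\..."""
    p = path.strip().upper()
    for prefix in ("HKEY_USERS\\", "\\REGISTRY\\USER\\"):
        if p.startswith(prefix):
            return "HKU\\" + p[len(prefix):]
    return p

def in_default_hive(path):
    p = normalize_key(path)
    # Require the exact root or a separator so S-1-5-18_Classes is excluded.
    return any(p == r or p.startswith(r + "\\") for r in DEFAULT_ROOTS)

def find_suspicious_creates(events):
    """Return CreateKey events in the .DEFAULT hive made by unexpected accounts."""
    hits = []
    for ev in events:
        user = (ev.get("User") or "").upper()  # a missing user counts as unexpected
        if (ev.get("EventType") == "CreateKey" and user not in EXPECTED_WRITERS
                and in_default_hive(ev.get("TargetObject", ""))):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_suspicious_creates(SAMPLE_EVENTS):
        print(ev["id"], ev["User"], ev["Image"], ev["TargetObject"])
```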
Chaotic Eclipse framed the public disclosures as a protest of Microsoft's bug bounty and vulnerability‑handling process, alleging harsh treatment in their interactions with Microsoft and saying they made the vulnerabilities public in response. Microsoft previously told BleepingComputer it supports coordinated vulnerability disclosure and is committed to investigating reported security issues and protecting customers through updates. BleepingComputer said it contacted Microsoft about MiniPlasma and will update its story if a response is received.
For readers who want to review the original reporting and technical details, the BleepingComputer article is available here: https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/




