Zero-Day Exploit Escalates Privileges on Patched Windows Systems

"I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons." — Chaotic Eclipse

The bug: MiniPlasma hits cldflt.sys at HsmOsBlockPlaceholderAccess

Security researcher Chaotic Eclipse has published a proof-of-concept for a privilege-escalation zero-day that the researcher calls MiniPlasma. According to the disclosure, the flaw resides in cldflt.sys, the Windows Cloud Files Mini Filter Driver, in a routine named HsmOsBlockPlaceholderAccess. The PoC, the researcher says, can be weaponized to elevate an attacker to LOCAL SYSTEM privileges on fully patched Windows systems.

Origins and the long trail back to September 2020

MiniPlasma is not newly discovered in the sense of being unknown to vendors: the condition was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. Microsoft issued a patch in December 2020 as part of CVE-2020-17103, and the flaw was widely assumed to have been remediated at that time. Chaotic Eclipse states that further analysis shows "the exact same issue [...] is actually still present, unpatched," and that the original PoC by Google "worked without any changes."

Proof-of-concept, race condition, and observed reliability

Chaotic Eclipse says they modified the original PoC to spawn a SYSTEM shell in order to demonstrate the impact. The researcher reports it "seems to work reliably" on their machines but cautions that success "may vary since it's a race condition." In an independent comment posted on Mastodon and cited in the disclosure, security researcher Will Dormann said MiniPlasma works "reliably" to open a cmd.exe prompt with SYSTEM privileges on Windows 11 systems running the latest May 2026 updates. Dormann added that the PoC "does not seem to work on the latest Insider Preview Canary Windows 11."

Context: another fix in the same component and prior exploitation

The public record shows Microsoft addressed a different privilege-escalation vulnerability in the same component in December 2025, tracked as CVE-2025-62221 and assigned a CVSS score of 7.8. Microsoft identified that issue as exploited by unknown threat actors. Chaotic Eclipse’s disclosure links MiniPlasma to the same cloud-files mini-filter component, underlining that the component has been the subject of multiple vulnerability reports and at least one acknowledged exploitation in the wild.

What this means for technologists, enterprises, and adversaries

  • Technologists and security teams: A working PoC that spawns a SYSTEM shell on fully patched systems demands attention; Chaotic Eclipse and Will Dormann report reliable elevation on some Windows 11 builds, and the underlying condition is described as a race condition, a factor that shapes both detection and mitigation approaches.
  • Enterprises and procurement leaders: The researcher notes that "all Windows versions are likely affected," and the presence of prior fixes and acknowledged exploitation in the same component (CVE-2025-62221) suggests organizations should review telemetry and patching around cloud-files mini-filter behavior and privilege-escalation indicators.
  • Adversaries and threat actors: The disclosure follows a December 2025 incident in which a different bug in the same component was identified as exploited by unknown threat actors; the publication of a weaponized PoC for MiniPlasma creates a documented technique that could be studied or repurposed.

Chaotic Eclipse's posting leaves two clear imprints on the record: a PoC that claims to elevate to SYSTEM privileges on fully patched machines, and an assertion that a condition believed fixed in 2020 remains present. Will Dormann’s independent testing reinforces that the PoC can work on current Windows 11 updates as of May 2026, while noting non-reproducibility on an Insider Preview Canary build. The disclosure dovetails with Microsoft’s prior December 2025 remediation of another cldflt.sys issue that was associated with active exploitation.

Taken together, the public facts show a re-emergence of privilege-escalation risk centered on the Windows Cloud Files Mini Filter Driver and a working proof-of-concept available outside vendor channels. The disclosure raises a narrow but concrete question: will the vendor reassess the original CVE-2020-17103 remediation and the current state of cldflt.sys in light of a weaponized PoC that researchers report can produce SYSTEM shells on recent Windows builds?

Original story: MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems — The Hacker News