MiniPlasma: A 6-Year-Old Windows Zero-Day That Microsoft “Fixed” in 2020 Still Gives Attackers SYSTEM on Every Fully Patched Windows PC — Threat Brief: May 19, 2026

🚨 NO PATCH EXISTS — All Windows versions: MiniPlasma is an unpatched zero-day with a public working exploit on GitHub. Any standard Windows user can run it and get a SYSTEM shell. Microsoft says it is “investigating.” The next Patch Tuesday is June 10, 2026. Mitigate now using application allowlisting and monitoring the two registry paths below.
A standard user account. One executable. A SYSTEM shell on a fully patched Windows 11 machine running the latest May 2026 updates. | DataWater Threat Brief, May 19, 2026

Sources: BleepingComputer (confirmed exploit) · The Hacker News · ThreatLocker Security Lab · Gridinsoft · CybersecurityNews · Expert in the Cloud · Will Dormann (Tharros) | Researcher: Chaotic Eclipse / Nightmare Eclipse | Driver: cldflt.sys (Cloud Files Mini Filter Driver) | Original CVE: CVE-2020-17103 | Patch status: None — Microsoft investigating | Next Patch Tuesday: June 10, 2026

Microsoft “fixed” this in 2020. It’s still there.

In September 2020, Google Project Zero researcher James Forshaw reported a privilege escalation vulnerability in the Windows Cloud Filter driver — the kernel component that handles OneDrive and cloud storage synchronization on every modern Windows installation. Microsoft assigned it CVE-2020-17103, patched it in December 2020, and closed the case. The security community moved on.

Six years later, a security researcher known as Chaotic Eclipse — or Nightmare Eclipse — picked up Forshaw’s original proof-of-concept code, ran it without modification on a fully patched Windows 11 machine running the latest May 2026 Patch Tuesday updates, and got a SYSTEM shell. The fix Microsoft shipped in 2020 either never actually landed, or was silently rolled back at some unknown point. Either way, the result is the same: every Windows system in the world is vulnerable to a publicly available, weaponized exploit that requires no administrative rights, no special conditions, and no network access to execute.

BleepingComputer independently tested the exploit on a fully patched Windows 11 Pro system and confirmed it opened a command prompt with SYSTEM privileges from a standard user account. Will Dormann, principal vulnerability analyst at Tharros, confirmed the same result on the latest public Windows 11 build. ThreatLocker’s security lab also verified successful exploitation on fully patched Windows 11. Microsoft, when asked by SecurityWeek, responded: “Microsoft is investigating this report and will take appropriate action to protect customers as soon as possible.” The next scheduled Patch Tuesday is June 10, 2026 — more than three weeks away.

  • Exploit name: MiniPlasma
  • Researcher: Chaotic Eclipse / Nightmare Eclipse
  • Published: May 13, 2026 — GitHub (source code + compiled executable)
  • Original CVE: CVE-2020-17103 — reported by James Forshaw (Google Project Zero), September 2020
  • Vulnerable component: cldflt.sys — Windows Cloud Files Mini Filter Driver
  • Vulnerable routine: HsmOsBlockPlaceholderAccess
  • Exploit mechanism: Race condition — abuses the CfAbortHydration API to create registry keys in the .DEFAULT hive without access checks
  • Privilege gained: SYSTEM (highest Windows privilege level)
  • Access required: Standard local user — no admin, no special rights
  • Network access required: No — local privilege escalation only
  • Affected systems: All modern Windows versions — confirmed on Windows 11 24H2 with May 2026 Patch Tuesday updates
  • Unaffected: Windows 11 Insider Preview Canary build only
  • Patch available: No — Microsoft investigating
  • Next Patch Tuesday: June 10, 2026
  • Prior exploits in this series exploited in the wild: Yes — BlueHammer, RedSun, and UnDefend all confirmed exploited in real attacks after disclosure

The root cause: a race condition Microsoft forgot to fix

The vulnerability lives in the HsmOsBlockPlaceholderAccess routine inside cldflt.sys — the Windows Cloud Files Mini Filter Driver, a kernel component installed on every modern Windows system as part of OneDrive and Windows cloud storage infrastructure. Even if you have never used OneDrive, this driver is present and active on your machine.

The exploit abuses a race condition in how the driver handles registry key creation through an undocumented API called CfAbortHydration. Here is the technical sequence as documented by Expert in the Cloud:

  1. Token toggle race condition. The exploit manipulates a race condition that toggles between the calling user’s token and an anonymous token during a specific window in the driver’s execution path. By winning the race at the right moment, the attacker can briefly execute code under the anonymous token context while maintaining elevated access.
  2. RtlOpenCurrentUser manipulation. The exploit abuses how RtlOpenCurrentUser resolves the current user’s registry hive. Under the manipulated token context, “current user” resolves to the .DEFAULT hive — the default registry hive that belongs to the SYSTEM account.
  3. Registry key creation without access checks. Because the original vulnerability involves a missing OBJ_FORCE_ACCESS_CHECK flag in the registry key creation call, the driver creates an arbitrary registry key in the .DEFAULT hive without performing proper security checks. This write operation completes with SYSTEM-level authority.
  4. Privilege escalation to SYSTEM shell. The created registry key enables execution of attacker-controlled code with SYSTEM privileges. The public PoC weaponizes this to spawn a cmd.exe process with SYSTEM-level access — the highest privilege available on a Windows system, above even a local administrator account.

The Cloud Filter driver is architecturally integral to Windows cloud storage — it handles placeholder file access, hydration (downloading cloud-stored files on demand), and OneDrive sync operations. The fact that this driver contains an unauthenticated registry write path that resolves to the SYSTEM hive without access checks is a fundamental kernel privilege boundary violation that has apparently persisted since the 2020 patch cycle.

Who is Chaotic Eclipse — and why this is part of a pattern

MiniPlasma is not an isolated disclosure. It is the sixth Windows exploit that the researcher known as Chaotic Eclipse (also using the handle Nightmare Eclipse) has released in six weeks, all without coordinated disclosure, all without waiting for a patch, and all as an explicit protest against Microsoft’s bug bounty and vulnerability response processes. The researcher has stated publicly that they are disclosing these vulnerabilities because Microsoft left them “homeless with nothing” — a claim that has not been independently verified, but which provides context for the motivation behind the disclosure approach.

The six exploits released in this series:

  • BlueHammer — Windows local privilege escalation (CVE-2026-33825). Released April 2026. Confirmed exploited in real attacks after disclosure.
  • RedSun — Windows privilege escalation. Released April 2026. Microsoft silently patched without assigning a CVE. Confirmed exploited in real attacks after disclosure.
  • UnDefend — Windows Defender denial-of-service tool. Released April 2026. Confirmed exploited in real attacks after disclosure.
  • YellowKey — BitLocker bypass affecting Windows 11 and Windows Server 2022/2025. Spawns a command shell with access to unlocked drives protected by TPM-only BitLocker. No patch.
  • GreenPlasma — Windows privilege escalation. Released May 2026. No patch.
  • MiniPlasma — The current zero-day. Windows SYSTEM privilege escalation via Cloud Filter driver. Released May 13, 2026. No patch. Confirmed working on all fully patched Windows systems.

The pattern from the first three exploits in this series is critical context for assessing MiniPlasma’s risk: BlueHammer, RedSun, and UnDefend were all confirmed exploited in real-world attacks by actual threat actors after their public release. There is no reason to expect MiniPlasma to be treated differently by the attacker community. The exploit source code and a compiled executable are both publicly available on GitHub right now.

What SYSTEM access means in practice

SYSTEM is the highest privilege level available on a Windows machine — above local administrator, above domain administrator when operating locally, above any user account. A process running as SYSTEM can read and write any file on the local filesystem including SAM and SYSTEM registry hives containing password hashes, install kernel drivers without any prompt, disable or modify any security software including antivirus and EDR agents, create new user accounts with administrator privileges, dump credentials from LSASS memory, establish persistent backdoors that survive reboots, and pivot to other systems on the network using any credentials cached on the machine.

Local privilege escalation vulnerabilities are a critical component of nearly every significant Windows compromise chain. An attacker who has already achieved code execution as a standard user — through phishing, a malicious document, a vulnerable browser extension, or any other initial foothold — can use MiniPlasma to immediately elevate to full SYSTEM control. This is the step that takes a limited infection and turns it into complete machine ownership.

Gridinsoft’s analysis captured the operational context correctly: for home users and organizations, the practical signal is straightforward. If a suspicious program ran on a machine, do not judge the incident only by whether the user account was an administrator. Any code that ran — even in a standard user context — may have used MiniPlasma or a similar LPE to silently escalate to SYSTEM before or after detection.

Detection: two registry paths to watch

ThreatLocker identified the specific registry paths that MiniPlasma manipulates during execution. These are strong indicators of MiniPlasma activity and should be actively monitored:

  • HKEY_USERS\.DEFAULT\Software\Classes\CLSID — unexpected key creation events in this path, particularly from non-SYSTEM processes or at unusual times, are a primary MiniPlasma indicator
  • HKEY_USERS\.DEFAULT\Software\Classes\ms-settings — write events to this path from standard user processes are anomalous and associated with the exploit chain

ThreatLocker has published Community Policy TL.REG.1747 — Mini Plasma Reg Key Created (published May 18, 2026), which detects when the MiniPlasma registry key is created. The policy maps to MITRE ATT&CK TA0004 (Privilege Escalation) and is available now in ThreatLocker Community for customers.

For Falco and open-source detection, alert on any process writing to HKEY_USERS\.DEFAULT\Software\Classes that is not running as SYSTEM or a known software installer. This write pattern from a non-privileged process context is the anomaly that identifies exploitation in progress.

Mitigations while waiting for Microsoft’s patch

There is no configuration change or feature toggle that eliminates the vulnerability — the Cloud Filter driver is a core Windows component that cannot be safely disabled on most systems. The available mitigations reduce the likelihood of successful exploitation and limit the blast radius if exploitation occurs:

  1. Deploy application allowlisting. ThreatLocker confirmed that with Application Allowlisting enabled, the MiniPlasma exploit payload is automatically blocked before execution because the compiled executable is not in the authorized application list. This is the most effective single mitigation available right now — it stops the exploit at the execution layer before the driver interaction can occur. Windows Defender Application Control (WDAC) and AppLocker provide similar coverage at the OS level.
  2. Monitor the two registry paths identified above. Alert on any write to HKEY_USERS\.DEFAULT\Software\Classes\CLSID or HKEY_USERS\.DEFAULT\Software\Classes\ms-settings from non-SYSTEM processes. Use Windows Event ID 4657 (registry value modified) or Sysmon Event ID 13 (RegistryEvent) to capture these writes. ThreatLocker Community Policy TL.REG.1747 provides out-of-the-box detection.
  3. Enforce least-privilege user access. While MiniPlasma works from any standard user account, reducing the population of users who have local interactive access to sensitive systems reduces the practical attack surface. On servers and privileged workstations, only administrators should have local logon rights — this does not eliminate the vulnerability but limits who can trigger it.
  4. Deploy EDR with behavioral detection. Signature-based detection will not catch a newly dropped variant of MiniPlasma. Behavioral EDR solutions that detect anomalous SYSTEM-level process spawning from non-administrative parent processes, or unexpected kernel driver activity from cldflt.sys, can catch exploitation at the post-exploit stage. CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint all have behavioral rules that may fire on successful exploitation.
  5. Prioritize patching all other vulnerabilities that could serve as initial footholds. MiniPlasma is a local privilege escalation — an attacker needs code execution on the machine first. Every unpatched remote code execution or phishing-delivered malware vector that could provide that initial foothold increases the effective risk of MiniPlasma. Patching Exchange Server (CVE-2026-42897), keeping browsers current, and maintaining email filtering hygiene all reduce the probability of an attacker reaching the machine in the first place.
  6. Prepare your patch deployment pipeline for an out-of-band update. Given that the first three exploits in this series were confirmed exploited in attacks after disclosure, and that a weaponized executable is publicly available, Microsoft may release an out-of-band patch before June 10. Ensure your WSUS, Intune, or SCCM environment can deploy an emergency cumulative update within 24 hours of release. Do not wait for your next maintenance window.
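
The detection rule from the registry-path section and mitigation item 2, written out as a small log scanner. This is an added example, not ThreatLocker’s policy or any code from the researcher or the sources cited above; it assumes Sysmon-style registry events (ID 12 for key creation, ID 13 for value set) exported as one JSON object per line with Image, User and TargetObject fields, and the sample events below are constructed, with placeholder GUIDs and SIDs.

```python
import json

# Registry paths the brief names as MiniPlasma indicators. Sysmon writes
# HKU\... where Windows tooling writes HKEY_USERS\...; both forms are accepted.
WATCHED_PATHS = (
    r"HKEY_USERS\.DEFAULT\Software\Classes\CLSID",
    r"HKEY_USERS\.DEFAULT\Software\Classes\ms-settings",
)
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
REGISTRY_EVENT_IDS = {12, 13}  # Sysmon: 12 = key create/delete, 13 = value set

def normalize(target):
    """Map the Sysmon HKU prefix onto HKEY_USERS so one comparison covers both."""
    target = target.strip()
    if target[:4].upper() == "HKU\\":
        target = "HKEY_USERS\\" + target[4:]
    return target

def is_watched(target):
    t = normalize(target).lower()
    return any(t == p.lower() or t.startswith(p.lower() + "\\") for p in WATCHED_PATHS)

def flag_event(event):
    """Return a reason string when a non-SYSTEM account writes under a watched path."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return None
    if not is_watched(event.get("TargetObject", "")):
        return None
    user = event.get("User", "")
    if user.upper() == SYSTEM_USER.upper():
        return None  # SYSTEM writing its own default hive is expected; a user account is not
    return "%s under %s by %s (%s)" % (
        event.get("EventType"), normalize(event["TargetObject"]), user, event.get("Image"))

def scan(lines):
    """Run flag_event over JSON lines (one event per line) and return the hits."""
    return [r for r in (flag_event(json.loads(l)) for l in lines if l.strip()) if r]

# Constructed sample events in a Sysmon-like JSON shape; not real telemetry.
SAMPLE_LOG = r'''
{"EventID": 12, "EventType": "CreateKey", "User": "WKSTN01\\alice", "Image": "C:\\Users\\alice\\Downloads\\unknown.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Classes\\CLSID\\{PLACEHOLDER-GUID}"}
{"EventID": 13, "EventType": "SetValue", "User": "WKSTN01\\alice", "Image": "C:\\Users\\alice\\Downloads\\unknown.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Classes\\ms-settings\\PLACEHOLDER-SUBKEY\\(Default)"}
{"EventID": 13, "EventType": "SetValue", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Classes\\CLSID\\{PLACEHOLDER-GUID}\\(Default)"}
{"EventID": 13, "EventType": "SetValue", "User": "WKSTN01\\alice", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER-1001\\Software\\Classes\\CLSID\\{PLACEHOLDER-GUID}\\(Default)"}
{"EventID": 1, "EventType": "ProcessCreate", "User": "WKSTN01\\alice", "Image": "C:\\Windows\\System32\\cmd.exe"}
'''

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", hit)
```

Only the two writes by the standard user into the .DEFAULT hive are reported; the SYSTEM write, the user’s write into their own hive, and the non-registry event are ignored, which is the same allow/deny split the brief describes.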

The broader context: a researcher going rogue, Microsoft’s response problem

The MiniPlasma situation exposes a structural tension in how the vulnerability disclosure ecosystem functions — and what happens when it breaks down. Coordinated vulnerability disclosure depends on a social contract: researchers report vulnerabilities privately, vendors patch them, and researchers publish after users have had time to update. When that contract fails — through inadequate bug bounty compensation, dismissive triage, or (as in this case) apparent failure to actually ship a patch — researchers sometimes exit the process entirely and publish directly.

Chaotic Eclipse’s stated motivation — protest against Microsoft’s vulnerability response program — puts Microsoft in an uncomfortable position. The vulnerabilities are real. The exploits work. Three of the six have already been weaponized by real threat actors in real attacks. The researcher has demonstrated they will continue publishing. And Microsoft’s only official response to date has been a boilerplate “investigating” statement.

Whatever the merits of the researcher’s grievance, the operational consequence for security teams is straightforward: treat MiniPlasma as actively exploited until Microsoft patches it. The prior track record of this series makes the risk of waiting to see if exploitation materializes too high to accept. Apply the detection rules, enforce application allowlisting, and watch for the out-of-band patch.

DataWater publishes a daily cybersecurity threat brief. Article #13 — May 19, 2026. Previous: Fragnesia CVE-2026-46300 (May 18) · CVE-2026-20182 Cisco SD-WAN CVSS 10.0 (May 16) · NGINX Rift CVE-2026-42945 (May 14) · Dead.Letter CVE-2026-45185 (May 13) · Copy Fail CVE-2026-31431 (May 7).
