MiniPlasma: A 6-Year-Old Windows Zero-Day That Microsoft “Fixed” in 2020 Still Gives Attackers SYSTEM on Every Fully Patched Windows PC — Threat Brief: May 19, 2026

🚨 NO PATCH EXISTS — All Windows versions: MiniPlasma is an unpatched zero-day with a public working exploit on GitHub. Any standard Windows user can run it and get a SYSTEM shell. Microsoft says it is “investigating.” The next Patch Tuesday is June 10, 2026. Mitigate now: deploy application allowlisting and monitor the two registry paths listed below.
A standard user account. One executable. A SYSTEM shell on a fully patched Windows 11 machine. | DataWater Threat Brief, May 19, 2026

Sources: BleepingComputer (confirmed exploit) · The Hacker News · ThreatLocker Security Lab · Gridinsoft · CybersecurityNews · Expert in the Cloud · Will Dormann (Tharros) | Researcher: Chaotic Eclipse / Nightmare Eclipse | Driver: cldflt.sys (Cloud Files Mini Filter Driver) | Patch status: None — Microsoft investigating | Next Patch Tuesday: June 10, 2026

Microsoft “fixed” this in 2020. It’s still there.

In September 2020, Google Project Zero researcher James Forshaw reported a privilege escalation vulnerability in the Windows Cloud Filter driver. Microsoft patched it in December 2020 as CVE-2020-17103 and closed the case. Six years later, a security researcher known as Chaotic Eclipse ran Forshaw’s original proof-of-concept code on a fully patched Windows 11 machine running the latest May 2026 Patch Tuesday updates — and got a SYSTEM shell. The fix Microsoft shipped in 2020 either never landed, or was silently rolled back at some unknown point.

BleepingComputer independently tested and confirmed the exploit. Will Dormann (Tharros) confirmed the same result on the latest Windows 11 build. ThreatLocker’s security lab verified successful exploitation. Microsoft responded: “Microsoft is investigating this report.” The next scheduled Patch Tuesday is June 10, 2026. This is one of three active unpatched vulnerabilities DataWater is currently tracking — alongside the CVE-2026-42897 Exchange OWA zero-day (no permanent patch) and CVE-2026-0257 Palo Alto PAN-OS (CISA KEV, June 19 deadline). The Verizon DBIR 2026 found that only 26% of CISA KEV flaws were fully remediated last year — the baseline against which MiniPlasma’s risk must be assessed.

Exploit name: MiniPlasma
Researcher: Chaotic Eclipse / Nightmare Eclipse
Published: May 13, 2026, on GitHub (source code plus compiled executable)
Original CVE: CVE-2020-17103, reported by James Forshaw (Google Project Zero), September 2020
Vulnerable component: cldflt.sys, the Windows Cloud Files Mini Filter Driver
Privilege gained: SYSTEM, the highest Windows privilege level
Access required: Standard local user; no admin rights or special privileges
Network access required: No; local privilege escalation only
Affected systems: All modern Windows versions; confirmed on Windows 11 24H2 with the May 2026 updates
Patch available: No. Microsoft is investigating; the next Patch Tuesday is June 10, 2026
Prior exploits in this series exploited in the wild: Yes. BlueHammer, RedSun, and UnDefend were all confirmed used in real attacks

The root cause: a race condition Microsoft forgot to fix

The vulnerability lives in the HsmOsBlockPlaceholderAccess routine inside cldflt.sys, the Windows Cloud Files Mini Filter Driver. The driver ships with every modern Windows system because it backs OneDrive and the Cloud Files API, so it is installed and active whether or not you have ever used OneDrive.

The exploit abuses a race condition in how the driver creates a registry key on behalf of the caller through an undocumented API, CfAbortHydration. While servicing the call, the driver switches the thread between the calling user's token and an anonymous token. An attacker who wins the race gets the driver's key-creation path to run while the anonymous token is in effect, so RtlOpenCurrentUser resolves "current user" to HKEY_USERS\.DEFAULT, the hive the SYSTEM account uses as its HKCU. The driver then creates the key from kernel mode without passing OBJ_FORCE_ACCESS_CHECK in the call's object attributes; because kernel-mode callers are not access-checked unless that flag is set, the standard user ends up with an arbitrary key of their choosing in the .DEFAULT hive. That key is what turns a registry write into execution of attacker-controlled code as SYSTEM.

Who is Chaotic Eclipse — and the pattern that makes this urgent

MiniPlasma is the sixth exploit dropped by Chaotic Eclipse in six weeks, all without coordinated disclosure, all as an explicit protest against Microsoft’s bug bounty program. The critical context: BlueHammer, RedSun, and UnDefend — the first three exploits in this series — were all confirmed exploited in real-world attacks after public release. The track record of this series means “confirmed in the wild” is not an if, it is a when — likely measured in days from this writing.

This pattern of uncoordinated disclosure of Windows LPEs is especially dangerous when combined with a campaign like the CISA Nx Console supply chain breach — where developer machines were compromised and credentials stolen. An attacker who used that campaign to achieve code execution as a standard user on a developer’s Windows machine now has MiniPlasma as an immediate path to SYSTEM. The combination of initial access via supply chain attack and local privilege escalation to SYSTEM is a standard ransomware deployment chain.

What SYSTEM access means operationally

SYSTEM is the highest privilege level on a Windows machine. A process running as SYSTEM can: read any file including SAM and SYSTEM registry hives containing password hashes, install kernel drivers without prompts, disable or modify any security software including EDR and antivirus agents, create new administrator accounts, dump credentials from LSASS memory, establish persistent backdoors, and pivot to other network systems using cached credentials. Local privilege escalation vulnerabilities are a critical component of nearly every significant Windows compromise chain — the step that takes a limited foothold and converts it into complete machine ownership, enabling the ransomware deployment the DBIR 2026 now puts at 44% of all breaches.

Detection: two registry paths to watch now

  • HKEY_USERS\.DEFAULT\Software\Classes\CLSID\ — unexpected key creation from non-SYSTEM processes is a primary MiniPlasma indicator
  • HKEY_USERS\.DEFAULT\Software\Classes\ms-settings\ — write events from standard user processes are anomalous and associated with the exploit chain

ThreatLocker Community Policy TL.REG.1747 — Mini Plasma Reg Key Created (published May 18, 2026) detects when the MiniPlasma registry key is created. MITRE ATT&CK TA0004 (Privilege Escalation). Available now in ThreatLocker Community for customers.

Mitigations while waiting for the June 10 patch

  1. Deploy application allowlisting. ThreatLocker confirmed that with Application Allowlisting enabled, the MiniPlasma exploit payload is blocked before execution. Windows Defender Application Control (WDAC) and AppLocker provide similar coverage. This is the most effective available mitigation, with one caveat: allowlisting stops the published executable from launching, it does not fix the driver. An attacker who can already run code inside an allowed process (a script host, a compromised developer toolchain) can still reach the vulnerable code path, so treat allowlisting as a barrier, not a patch.
  2. Monitor the two registry paths above. With Sysmon, capture Event ID 12 (registry key created or deleted) and Event ID 13 (registry value set) where TargetObject begins with HKU\.DEFAULT\Software\Classes\ and the user is anything other than NT AUTHORITY\SYSTEM. Without Sysmon, the Security log only records this if Object Access auditing for the Registry subcategory is enabled and the key carries a SACL; key creation then appears as Event ID 4663 and value writes as Event ID 4657. Event ID 4657 on its own does not cover key creation, which is the primary indicator here.
  3. Enforce least-privilege user access on sensitive systems — servers, privileged workstations. Only administrators should have local interactive logon rights.
  4. Deploy behavioral EDR. Alert on a SYSTEM-integrity process spawned by a standard-user parent process, which is how every local privilege escalation of this kind surfaces, and on any cldflt.sys-related telemetry your EDR exposes.
  5. Patch all other initial-access vectors immediately — MiniPlasma requires local code execution first. Patching Exchange Server CVE-2026-42897, keeping browsers current, and maintaining email filtering reduces the probability of an attacker reaching a machine to run MiniPlasma.
  6. Prepare for an out-of-band patch. Given three prior exploits in this series were confirmed used in real attacks, Microsoft may release an emergency cumulative update before June 10. Ensure WSUS, Intune, or SCCM can deploy within 24 hours of release.
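The two registry paths from the detection section, and the monitoring in mitigation step 2, turned into a hunt. This is an added example written for this brief; it is not DataWater's, ThreatLocker's or the researcher's code. The function names are mine, and it assumes Sysmon is installed with registry event rules enabled and a Sysmon version whose registry events carry the User field (current releases do). The optional second function sets up the Security-log equivalent (Registry object-access auditing plus a SACL) for hosts without Sysmon.

```powershell
# Added example (not DataWater's, ThreatLocker's or the researcher's code).
# Hunts Sysmon registry events for key creation or value writes under the two
# HKU\.DEFAULT\Software\Classes\ paths from the brief, by anything other than SYSTEM.
# Assumptions: Sysmon with RegistryEvent rules enabled; registry events carry the
# User field; run as an administrator, against the live log or an exported .evtx.

$WatchPaths = @(
    'HKU\.DEFAULT\Software\Classes\CLSID\',
    'HKU\.DEFAULT\Software\Classes\ms-settings\'
)

function Get-MiniPlasmaRegistryHits {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$EvtxPath     # optional: hunt an exported log instead of the live one
    )
    # Sysmon 12 = key create/delete, 13 = value set. Sysmon writes \REGISTRY\USER as HKU.
    $filter = @{ Id = 12, 13; StartTime = $Since }
    if ($EvtxPath) { $filter.Path = $EvtxPath }
    else           { $filter.LogName = 'Microsoft-Windows-Sysmon/Operational' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $target  = [string]$data.TargetObject
        $inScope = $false
        foreach ($p in $WatchPaths) {
            if ($target.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) { $inScope = $true }
        }
        # SYSTEM-owned services legitimately touch HKU\.DEFAULT. Anything else, including
        # a missing user or ANONYMOUS LOGON (which the token switch in the driver can
        # produce), is reported.
        if ($inScope -and $data.User -ne 'NT AUTHORITY\SYSTEM') {
            [pscustomobject]@{
                Time         = $_.TimeCreated
                EventType    = $data.EventType     # CreateKey / DeleteKey / SetValue
                User         = $data.User
                Image        = $data.Image
                ProcessId    = $data.ProcessId
                TargetObject = $target
                Details      = $data.Details       # value data, present on event 13
            }
        }
    }
}

# Optional: make the Security log record the same scope on hosts without Sysmon.
# Key creation then appears as 4663 and value writes as 4657. Needs the Registry
# object-access subcategory enabled and a SACL on the parent key (admin rights).
function Enable-DefaultHiveClassesAudit {
    auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null
    $key  = 'Registry::HKEY_USERS\.DEFAULT\Software\Classes'
    $acl  = Get-Acl -Path $key -Audit
    # Audit successful subkey creation and value writes by anyone, inherited by child keys
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', 'CreateSubKey, SetValue', 'ContainerInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# Usage:
# Get-MiniPlasmaRegistryHits | Format-Table -AutoSize
# Get-MiniPlasmaRegistryHits -EvtxPath C:\triage\sysmon.evtx -Since (Get-Date).AddDays(-30)
# Enable-DefaultHiveClassesAudit
```

Expect some noise from SYSTEM services during setup and servicing; the filter excludes those on purpose. A hit attributed to a standard user account, or to ANONYMOUS LOGON, under either path is the signal worth triaging, and the Image and ProcessId columns point at the process to pull for analysis.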

DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #13 — May 19, 2026. Next: CVE-2026-42897 Exchange OWA Zero-Day · Previous: Fragnesia CVE-2026-46300 (May 18).