New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released
At a glance:
- A proof-of-concept exploit named MiniPlasma grants SYSTEM privileges on fully patched Windows 11 systems by abusing an unpatched Cloud Filter driver flaw first reported in 2020.
- The exploit targets the 'cldflt.sys' driver's HsmOsBlockPlaceholderAccess routine and CfAbortHydration API, allowing arbitrary registry key creation in the .DEFAULT user hive.
- Researcher Chaotic Eclipse has released a string of Windows zero-days over the past month, including BlueHammer (CVE-2026-33825), RedSun, UnDefend, YellowKey, and GreenPlasma, citing protest against Microsoft's bug bounty and vulnerability-handling process.
What is the MiniPlasma zero-day?
MiniPlasma is a local privilege escalation vulnerability that security researcher Chaotic Eclipse (also known as Nightmare Eclipse) disclosed as a full proof-of-concept on GitHub. The exploit includes both source code and a compiled executable. BleepingComputer confirmed its effectiveness on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates, where a standard user account successfully opened a command prompt with SYSTEM privileges after running the exploit.
According to the researcher, the flaw resides in the Cloud Filter driver (cldflt.sys) and specifically the 'HsmOsBlockPlaceholderAccess' routine. This same issue was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and assigned CVE-2020-17103. Microsoft claimed to have fixed it in December 2020, but Chaotic Eclipse discovered the vulnerability is still present. "After investigating, it turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched," they explained, adding that the original PoC from Google worked without any modifications.
How the exploit works
The attack abuses the Windows Cloud Filter driver's handling of registry key creation through an undocumented API called CfAbortHydration. Forshaw's original report noted that the flaw could permit arbitrary registry keys to be written to the .DEFAULT user hive without proper access checks, which can be leveraged for privilege escalation. Will Dormann, principal vulnerability analyst at Tharros, independently confirmed the exploit works on the latest public Windows 11 version but noted that it does not function on the latest Windows 11 Insider Preview Canary build, suggesting a potential fix may be in the pipeline.
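As an added example (not code from the article or from the researcher's PoC), a small Python hunting script that scans Sysmon-style registry object-creation records (Event ID 12) for keys created under the .DEFAULT user hive by images outside a trusted-path allowlist, which is the artifact the Forshaw report describes. The log lines, the "Key=Value" record layout and the allowlist are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style registry records (Event ID 12 = key create/delete,
# 13 = value set). The "Key=Value" line layout is an assumption for this
# example, not a real Sysmon export format.
SAMPLE_EVENTS = [
    "EventID=12 EventType=CreateKey Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
    "EventID=12 EventType=CreateKey Image=C:\\Users\\alice\\Downloads\\poc.exe TargetObject=HKU\\.DEFAULT\\Software\\Example",
    "EventID=12 EventType=CreateKey Image=C:\\Users\\alice\\AppData\\Local\\tool.exe TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Example",
    "EventID=13 EventType=SetValue Image=C:\\Users\\alice\\Downloads\\poc.exe TargetObject=HKU\\.DEFAULT\\Software\\Example\\Run",
]

# Images expected to touch the .DEFAULT hive (assumed allowlist); anything else is worth a look.
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Both the HKU alias and the native object-manager path name the same hive.
DEFAULT_HIVE = re.compile(r"^(hku|\\registry\\user)\\\.default(\\|$)", re.IGNORECASE)

@dataclass
class Finding:
    image: str
    target: str

def parse_event(line: str) -> dict:
    """Split 'Key=Value Key=Value' while keeping spaces inside values."""
    fields = re.split(r"\s+(?=\w+=)", line.strip())
    return dict(f.split("=", 1) for f in fields if "=" in f)

def is_default_hive(target: str) -> bool:
    """True when the registry path is inside the .DEFAULT user hive."""
    return DEFAULT_HIVE.match(target) is not None

def find_default_hive_writes(lines):
    """Flag key creations under .DEFAULT by images outside trusted paths."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "12" or ev.get("EventType") != "CreateKey":
            continue
        image = ev.get("Image", "")
        target = ev.get("TargetObject", "")
        if not is_default_hive(target):
            continue
        if image.lower().startswith(TRUSTED_IMAGE_PREFIXES):
            continue
        findings.append(Finding(image=image, target=target))
    return findings

if __name__ == "__main__":
    for f in find_default_hive_writes(SAMPLE_EVENTS):
        print(f"suspicious .DEFAULT hive key creation: {f.image} -> {f.target}")
```

If the driver performs the write in a context that telemetry attributes to a system process rather than the user's own binary, the allowlist will hide it, so treat this as a starting hunt rather than a signature.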
The researcher's disclosure spree
MiniPlasma is part of a broader wave of Windows zero-days released by Chaotic Eclipse in recent weeks. The disclosure campaign began in April with:
- BlueHammer — a Windows local privilege escalation flaw tracked as CVE-2026-33825.
- RedSun — another privilege escalation vulnerability that Microsoft later silently patched without assigning a CVE.
- UnDefend — a Windows Defender denial-of-service tool.
- YellowKey — a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025, which spawns a command shell giving access to unlocked drives protected by TPM-only BitLocker configurations.
- GreenPlasma — another exploit released this month.
All three early disclosures (BlueHammer, RedSun, UnDefend) were observed being exploited in attacks after publication.
Why it matters
The repeated disclosure of working zero-days without coordinated remediation puts millions of Windows users at elevated risk, especially since the exploits target core OS components like the Cloud Filter driver and BitLocker. Chaotic Eclipse has publicly stated their motivation is protest against Microsoft's bug bounty and vulnerability-handling process, alleging personal mistreatment by the company. "Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did," the researcher told BleepingComputer.
Microsoft has not yet commented on the MiniPlasma disclosure. The company previously told BleepingComputer that it supports coordinated vulnerability disclosure and is committed to investigating reported security issues. Given that the original CVE-2020-17103 was allegedly never fully fixed, this incident raises questions about the completeness of Microsoft's patch validation—specifically for security bugs reported from external researchers.
What to watch next
Organizations should monitor for active exploitation of MiniPlasma and the other disclosed exploits, especially on systems where patching is delayed. The fact that the exploit fails on the Canary build suggests Microsoft may have addressed the underlying issue in an upcoming release, but until a formal security update is shipped, users remain exposed. The broader trend of public, protest-driven zero-day disclosures may pressure Microsoft to revisit its vulnerability response process, but it also creates an immediate operational security burden for IT teams worldwide.
Prepared by the editorial stack from public data and external sources.