Executive Summary
A critical zero-day vulnerability, designated MiniPlasma, has been discovered in the Windows Cloud Files Mini Filter Driver (cldflt.sys), specifically within the HsmOsBlockPlaceholderAccess routine. This flaw enables local privilege escalation (LPE) to SYSTEM on fully patched versions of Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025. Despite being previously addressed as CVE-2020-17103, recent research and public proof-of-concept (PoC) code confirm that the vulnerability remains exploitable on all supported Windows builds as of May 2026. The exploit is trivial to use, has been publicly weaponized, and is expected to be rapidly adopted by threat actors. Immediate detection and mitigation steps are strongly advised, as no official patch is yet available.
Technical Information
The MiniPlasma vulnerability is rooted in a race condition within the HsmOsBlockPlaceholderAccess routine of cldflt.sys, a core component of the Windows Cloud Files Mini Filter Driver. This driver is responsible for managing cloud file access and placeholder files in OneDrive and other cloud-integrated storage solutions. The vulnerability allows a standard user to escalate privileges to SYSTEM by exploiting a timing issue during placeholder file access checks.
The exploit leverages the fact that the driver’s access control logic can be bypassed if two threads simultaneously manipulate placeholder file states and registry keys. The PoC, published by Nightmare-Eclipse (Chaotic Eclipse) on GitHub, demonstrates that a non-administrative user can reliably spawn a SYSTEM shell on fully patched Windows 10, Windows 11, and Windows Server systems. The exploit is based on the original research by James Forshaw of Google Project Zero, whose PoC required no modification to function on current Windows builds, indicating that the original patch was either incomplete or silently reverted.
The attack sequence involves orchestrating a race between file system operations and registry manipulations, exploiting the window where the driver’s validation logic is inconsistent. The PoC, named PoC_AbortHydration_ArbitraryRegKey_EoP, suggests that arbitrary registry key manipulation is a key component of the exploit chain. The exploit’s reliability is high on most systems, though the success rate may vary depending on system load and timing.
Security researcher Will Dormann has independently confirmed that the exploit works on fully patched Windows 11 (including 26H1) as of May 2026, but not on the latest Insider Preview Canary builds, which reportedly contain a fix. The vulnerability is not mitigated by standard endpoint protection solutions, as it does not require code injection or exploitation of memory corruption, but rather abuses legitimate driver logic.
Exploitation in the Wild
A fully functional PoC for MiniPlasma is publicly available on GitHub, significantly lowering the barrier for exploitation. The exploit has been validated by multiple independent researchers, including Will Dormann, who confirmed SYSTEM-level shell access on up-to-date Windows 11 systems. While there are no confirmed reports of active exploitation by advanced persistent threat (APT) groups or ransomware operators as of this writing, the public availability and ease of use of the exploit make widespread adoption highly probable.
Historical patterns indicate that similar LPE vulnerabilities, such as those in the GreenPlasma and YellowKey families, were rapidly integrated into post-exploitation toolkits and ransomware campaigns within days of public disclosure. Security researchers and threat intelligence analysts expect MiniPlasma to follow this trajectory, especially given the lack of an official patch and the criticality of SYSTEM-level access.
Indicators of compromise (IOCs) associated with exploitation include the unexpected spawning of cmd.exe or other shells with SYSTEM privileges from non-administrative user sessions, abnormal access patterns to cldflt.sys, and registry key manipulations consistent with the PoC’s methodology.
APT Groups using this vulnerability
As of this report, there is no direct attribution of MiniPlasma exploitation to specific APT groups. However, the vulnerability’s characteristics—public PoC, SYSTEM-level access, and applicability to all supported Windows versions—make it highly attractive to both state-sponsored actors and financially motivated cybercriminals. Previous vulnerabilities in the same class, such as those exploited by the BlueHammer, RedSun, and UnDefend toolkits, were quickly adopted by ransomware operators and APTs alike.
Given the rapid weaponization observed with similar LPEs, organizations should assume that exploitation by sophisticated threat actors is imminent. The lack of a patch and the ubiquity of the affected driver across enterprise environments further increase the risk profile.
Affected Product Versions
All supported versions of Windows 10, Windows 11 (including 22H2, 23H2, and 26H1), Windows Server 2022, and Windows Server 2025 are confirmed to be vulnerable as of May 2026. The vulnerability is present on systems with the latest security updates applied. The only known exception is the Windows 11 Insider Preview Canary builds, which reportedly contain a fix for the underlying flaw.
This assessment is corroborated by multiple sources, including The Hacker News, Security Affairs, and direct statements from security researchers. The vulnerability is believed to affect all editions and deployment scenarios, including both client and server environments.
Workaround and Mitigation
There is currently no official patch from Microsoft for the MiniPlasma vulnerability. However, Microsoft is reportedly addressing the issue in the Insider Preview Canary builds of Windows 11, suggesting that a fix is forthcoming in future cumulative updates.
In the interim, organizations should implement the following mitigation and detection strategies:
- Monitor for the spawning of SYSTEM-level shells (cmd.exe, powershell.exe, or similar) from non-administrative user sessions, as this is a strong indicator of exploitation.
- Audit and restrict access to cldflt.sys where feasible, though this may impact cloud file functionality.
- Monitor for registry key manipulations, particularly those consistent with the PoC’s methodology.
- Restrict local user access to sensitive systems and enforce the principle of least privilege to limit the potential impact of exploitation.
- Increase logging and alerting around privilege escalation events and anomalous driver activity.
Endpoint detection and response (EDR) solutions should be configured to flag suspicious process creation events and registry modifications. While these measures cannot prevent exploitation, they can provide early warning of compromise and facilitate rapid incident response.
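As an added illustration of the process-creation monitoring recommended above (this is example code, not part of the original advisory or of any referenced PoC), the following Python checks constructed Sysmon Event ID 1 style records for shells running as SYSTEM whose parent process ran under an ordinary user account. Field names follow Sysmon's process-creation event (Image, User, ParentImage, ParentUser); the sample records are constructed.

```python
# Added example: flag SYSTEM shells whose parent process ran as an ordinary user.
# Records mimic Sysmon Event ID 1 (process creation); all sample values are constructed.

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"
# Built-in service identities that legitimately parent SYSTEM processes
# (Service Control Manager, scheduled tasks, service hosts).
SERVICE_ACCOUNTS = {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: dict) -> bool:
    """True when a shell starts as SYSTEM but its parent ran as a non-service account."""
    if _basename(ev.get("Image", "")) not in SHELLS:
        return False
    if ev.get("User", "").upper() != SYSTEM:
        return False
    parent_user = ev.get("ParentUser")
    if not parent_user:
        # Sysmon builds without ParentUser give no lineage to judge; do not guess.
        return False
    return parent_user.upper() not in SERVICE_ACCOUNTS


def find_suspicious(events: list) -> list:
    """Return the ProcessIds of events that match the SYSTEM-shell-from-user-session pattern."""
    return [e["ProcessId"] for e in events if is_suspicious(e)]


# Constructed sample: a benign service-spawned SYSTEM shell, an ordinary interactive
# user shell, and a SYSTEM shell whose parent belongs to a standard user session.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM,
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentUser": SYSTEM},
    {"ProcessId": 5311, "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": r"CORP\alice"},
    {"ProcessId": 6688, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM,
     "ParentImage": r"C:\Users\alice\Downloads\tool.exe", "ParentUser": r"CORP\alice"},
]

if __name__ == "__main__":
    for pid in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: SYSTEM shell PID {pid} parented by a non-service account")
```

Only the third record is flagged; service-spawned SYSTEM shells and normal user shells pass, so the rule stays quiet on routine activity while surfacing the lineage the advisory describes.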
References
- Nightmare-Eclipse/MiniPlasma GitHub PoC
- The Hacker News: MiniPlasma Windows 0-Day
- Security Affairs: MiniPlasma Zero-Day
- Reddit: MiniPlasma Exploit Discussion
- MITRE ATT&CK T1068
- Will Dormann on Mastodon
- Google Project Zero: CVE-2020-17103
Rescana is here for you
Rescana is committed to providing actionable threat intelligence and proactive risk management for our customers. Our third-party risk management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. While no single solution can eliminate all vulnerabilities, a robust TPRM strategy is essential for reducing exposure and accelerating response to emerging threats like MiniPlasma. For any questions, further guidance, or custom threat intelligence, please contact us at ops@rescana.com.