New MiniPlasma Zero-Day Exploit Grants SYSTEM Privileges on Fully Patched Windows

A researcher known as Chaotic Eclipse has released a proof-of-concept exploit for a Windows privilege escalation zero-day called MiniPlasma, which grants SYSTEM access on fully patched systems running the latest May 2026 updates. The flaw affects the cldflt.sys Cloud Filter driver and its HsmOsBlockPlaceholderAccess routine, originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and assigned CVE-2020-17103. Microsoft claimed to have fixed the issue in December 2020, but Chaotic Eclipse asserts the exact same vulnerability remains unpatched, with the original proof-of-concept working without modification.

BleepingComputer tested the exploit on a fully updated Windows 11 Pro system using a standard user account and confirmed it successfully opened a command prompt with SYSTEM privileges. Will Dormann of Tharros Labs verified the exploit works on the latest public Windows 11 build but noted it does not function on the newest Windows 11 Insider Preview Canary build. The exploit abuses how the Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API, allowing arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks.

This disclosure follows a string of Windows zero-day releases from the same researcher, including BlueHammer (tracked as CVE-2026-33825), RedSun, UnDefend, the YellowKey BitLocker bypass, and GreenPlasma. The researcher says these public disclosures are a protest against Microsoft's bug bounty and vulnerability-handling process, alleging personal mistreatment by the company. Microsoft previously stated it supports coordinated vulnerability disclosure and is committed to investigating reported security issues. All three earlier disclosed vulnerabilities were observed being exploited in attacks shortly after their public release.
