Introduction to MiniPlasma Zero-Day Exploit
A cybersecurity researcher known as Chaotic Eclipse, or Nightmare Eclipse, has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed 'MiniPlasma' that lets attackers gain SYSTEM privileges on fully patched Windows systems.
The exploit was published on GitHub, with both the source code and a compiled executable available, after the researcher claimed that Microsoft failed to properly patch a previously reported 2020 vulnerability.
Background of the Vulnerability
The flaw impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.
At the time, the flaw was assigned the CVE-2020-17103 identifier and reportedly fixed in December 2020. However, Chaotic Eclipse explains that "after investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched."
Testing the Exploit
BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates. In the test, a standard user account was used, and after running the exploit, it opened a command prompt with SYSTEM privileges.
Will Dormann, principal vulnerability analyst at Tharros, also confirmed the exploit works in his tests on the latest public version of Windows 11. However, he said that the exploit does not work in the latest Windows 11 Insider Preview Canary build.
Technical Details of the Exploit
The exploit appears to abuse how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. Forshaw's original report said that the flaw could allow arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, potentially enabling privilege escalation.
Microsoft's Response and Previous Zero-Days
Microsoft reports having fixed the bug as part of its December 2020 Patch Tuesday updates, but Chaotic Eclipse now claims the vulnerability can still be exploited. BleepingComputer contacted Microsoft about this additional zero-day and will update the story if a response is received.
MiniPlasma is the latest in a string of Windows zero-day disclosures published by the researcher over the past several weeks. The disclosure spree began in April with BlueHammer, a Windows local privilege escalation flaw tracked as CVE-2026-33825, followed by another privilege escalation vulnerability, RedSun, and a Windows Defender DoS tool, UnDefend.
According to the researcher, Microsoft silently patched the RedSun issue without assigning it a CVE identifier. This month, the researcher also released two additional exploits named YellowKey and GreenPlasma.
Motivation Behind the Disclosure
Chaotic Eclipse has previously stated that they are publicly disclosing these Windows zero-days in protest of Microsoft's bug bounty and vulnerability-handling process. The researcher alleged that they were personally told by Microsoft that they would "ruin my life" and claimed that the company did indeed cause them harm.
Microsoft previously told BleepingComputer that it supports coordinated vulnerability disclosure and is committed to investigating reported security issues and protecting customers through updates.
- Chaotic Eclipse released a proof-of-concept exploit for the MiniPlasma zero-day.
- The exploit gives attackers SYSTEM access on fully patched Windows systems.
- The vulnerability was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.
- Microsoft reportedly fixed the bug in December 2020, but the researcher claims it is still present.
Source: BleepingComputer