Windows Zero-Day 'MiniPlasma' Gives Attackers Full SYSTEM Access on Fully Patched Systems
A newly disclosed Windows zero-day vulnerability dubbed MiniPlasma is raising serious alarms across the cybersecurity community after a fully weaponized proof-of-concept exploit was publicly released on GitHub, granting any standard user complete SYSTEM-level control over fully patched Windows machines - with no administrator rights required.
Severity: 🔴 Critical
CVE Reference: CVE-2020-17103
Patch Status: Unpatched as of May 28, 2026
Next Patch Window: June 10, 2026 (Patch Tuesday)
MITRE ATT&CK: TA0004 / T1068
Background
A critical Windows zero-day vulnerability dubbed MiniPlasma has emerged as one of the most significant privilege escalation threats in recent memory. The exploit allows any standard Windows user - with no administrative privileges, no user interaction, and no special configuration - to gain complete NT AUTHORITY\SYSTEM control over a fully patched Windows machine in seconds.
What makes MiniPlasma particularly alarming is not just the severity of the vulnerability itself, but the story behind it. The flaw is not new. It was first discovered and responsibly disclosed to Microsoft by James Forshaw of Google Project Zero in September 2020, assigned CVE-2020-17103, and reportedly patched as part of Microsoft's December 2020 Patch Tuesday updates. For over five years, the vulnerability was considered closed - a resolved finding sitting quietly in vulnerability management platforms across thousands of organizations worldwide.
In May 2026, security researcher Nightmare-Eclipse - also known as Chaotic Eclipse - made a disturbing discovery: the original Google Project Zero proof-of-concept code required zero modifications to achieve full SYSTEM-level exploitation on the latest fully patched Windows 11 systems. The patch that organizations had relied upon for half a decade had either never been properly applied or had been silently rolled back at some unknown point during a subsequent Windows update cycle.
The Exploit
What Is MiniPlasma?
MiniPlasma is a Local Privilege Escalation (LPE) exploit targeting the Windows Cloud Files Mini Filter Driver (cldflt.sys), specifically a routine called HsmOsBlockPlaceholderAccess. This driver is a core Windows kernel component responsible for managing cloud-backed file access and placeholder file handling - the technology that makes OneDrive files appear local even when they only exist in the cloud.
Because OneDrive is deeply integrated into Windows 10 and Windows 11 by default, cldflt.sys is present and active on the vast majority of Windows installations across enterprise, government, and consumer environments - making the attack surface exceptionally broad.
How the Exploit Works
MiniPlasma exploits a race condition - a timing flaw - inside the HsmOsBlockPlaceholderAccess routine. The full attack chain is as follows:
Phase 1 - Initialization: The attacker runs the PowerShell-based exploit from any standard user account. No elevated privileges, no UAC bypass, and no social engineering of other users is required.
Phase 2 - Race Condition Trigger: The exploit simultaneously launches multiple threads targeting placeholder file operations within cldflt.sys, exploiting a timing window inside the HsmOsBlockPlaceholderAccess routine where the driver's access validation logic is inconsistent between threads.
Phase 3 - Arbitrary Registry Write: The exploit abuses the undocumented CfAbortHydration API to write an arbitrary registry key into the HKEY_USERS\.DEFAULT hive - a location that normally requires elevated system privileges - bypassing all standard Windows access checks.
Two specific registry paths are manipulated during this phase:
- \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps*
- \Registry\User\.DEFAULT\Volatile Environment*
Phase 4 - Token Manipulation: Windows thread impersonation mechanisms are abused, allowing the attacker to hijack privileged tokens associated with the driver's kernel-level execution context.
Phase 5 - SYSTEM Shell: A fully interactive NT AUTHORITY\SYSTEM command shell (cmd.exe) is spawned from the standard user session. The attacker now has unrestricted, highest-level control over the entire system.

Technical Root Cause
The root cause is a Time-of-Check to Time-of-Use (TOCTOU) race condition in the HsmOsBlockPlaceholderAccess routine. The driver's access control logic contains a timing window during placeholder file access checks where two simultaneous threads can manipulate placeholder file states and registry keys before validation is completed. This inconsistency allows an attacker to slip into the window between the access check and the actual access, causing the kernel to act on attacker-controlled content with SYSTEM context.
Critically, the exploit does not need to bypass Secure Boot, Virtualization-Based Security (VBS), or Hypervisor-Protected Code Integrity (HVCI): it targets a pure logic flaw in how the driver handles placeholder files and registry operations, so none of those protections stand in its way. This means even organizations running hardened security configurations are fully exposed.
Proof of Concept
The MiniPlasma PoC was publicly released on GitHub on May 13, 2026 - deliberately one day after Microsoft's May 2026 Patch Tuesday - maximizing the exploitation window by ensuring no official fix would be available for a minimum of 30 days.
| Attribute | Details |
|---|---|
| PoC Name | MiniPlasma |
| Author | Nightmare-Eclipse (Chaotic Eclipse) |
| Release Date | May 13, 2026 |
| Platform | GitHub (Public) |
| Language | C# (.NET) |
| PoC File | PoC_AbortHydration_ArbitraryRegKey_EoP.exe |
| GitHub Stars | 390+ within days of release |
| Requires Admin | No |
| Requires User Interaction | No |
| Reliability | High on modern multi-core systems |
The exploit is straightforward to run, PowerShell-based, and requires minimal technical expertise - making it accessible not just to sophisticated threat actors but to low-skill opportunistic attackers as well.
Independent Verification
Multiple independent security researchers and organizations have confirmed MiniPlasma works exactly as described:
- ThreatLocker - Lab-confirmed SYSTEM shell on fully patched Windows 11 Pro, including a video demonstration. Confirmed working on latest May 2026 updates.
- Will Dormann, Principal Vulnerability Analyst, Tharros - Independently verified SYSTEM-level access on Windows 11 including build 26H1 with May 2026 updates. Confirmed it does not work on Windows 11 Insider Preview Canary build.
- BleepingComputer - Tested on a fresh Windows 11 Pro installation with latest May 2026 Patch Tuesday updates - successfully opened a SYSTEM-level command prompt from a standard user account.
- Rescana - Confirmed working on Windows 11 22H2, 23H2, and 26H1.
Affected Systems
All systems listed below remain vulnerable even after applying the May 2026 Patch Tuesday cumulative updates - the most recent security patches available as of this report.
| Operating System | Version | Status |
|---|---|---|
| Windows 11 | 22H2, 23H2, 24H2, 26H1 | Confirmed Vulnerable |
| Windows Server 2022 | All editions | Confirmed Vulnerable |
| Windows Server 2025 | All editions | Confirmed Vulnerable |
| Windows Server 2019 | All editions | Confirmed Vulnerable |
| Windows 10 | All editions | ⚠️ Not Confirmed - Under Investigation |
| Windows 11 Insider Preview Canary | Latest build | Not Affected |
Note on Windows 10: Sources are conflicted. ThreatLocker - who independently lab-tested the exploit - states Windows 10 does not appear to be affected. However, GovCERT Hong Kong's official government advisory and Rescana explicitly list Windows 10 as vulnerable. Organizations running Windows 10 should apply the same detection and mitigation measures as Windows 11 environments until Microsoft provides definitive clarification.
The Researcher Behind MiniPlasma
MiniPlasma is the sixth exploit released by Nightmare-Eclipse in six consecutive weeks between April and May 2026. The researcher has demonstrated deep technical knowledge of Windows kernel internals and has established a clear and deliberate pattern of releasing fully weaponized exploits one day after Patch Tuesday - maximizing the window of exposure for each release.
| # | Exploit | Release | Status |
|---|---|---|---|
| 1 | BlueHammer | April 2026 | Confirmed exploited in wild |
| 2 | RedSun | April 2026 | Confirmed exploited in wild |
| 3 | UnDefend | April 2026 | Confirmed exploited in wild |
| 4 | YellowKey | May 2026 | ⚠️ Active monitoring |
| 5 | GreenPlasma | May 2026 | ⚠️ Active monitoring |
| 6 | MiniPlasma | May 13, 2026 | 🔴 Unpatched - exploitation imminent |
The first three exploits in this series - BlueHammer, RedSun, and UnDefend - were all confirmed exploited in real-world attacks within days of public disclosure. Based on this established pattern, security researchers and threat intelligence analysts consider active exploitation of MiniPlasma by ransomware operators and APT groups to be imminent.
Microsoft's Response
Microsoft acknowledged the MiniPlasma vulnerability on May 18, 2026 via security advisory ADV260005 - five days after the public exploit release. However, the company has not issued an emergency out-of-band patch, citing that exploitation requires local authenticated access and that no active exploitation in the wild has been confirmed.
When contacted by SecurityWeek, a Microsoft spokesperson stated:
"Microsoft is investigating this report and will take appropriate action to protect customers as soon as possible."
No new CVE has been assigned specifically to the MiniPlasma re-emergence. Microsoft has pointed to the original CVE-2020-17103 entry, which now shows a Last Modified date of May 18, 2026 on NVD - suggesting the entry is being reassessed.
The earliest expected official fix is June 10, 2026 - the next scheduled Patch Tuesday. This means organizations face a minimum 28-day window with no official patch and a fully public, weaponized exploit in circulation.
This is not the first time this specific driver has been exploited. In December 2025, Microsoft patched a separate privilege escalation flaw in the same cldflt.sys component - CVE-2025-62221 - which was confirmed as actively exploited in the wild at the time of patching.
Government CERT Advisories
Multiple national cybersecurity agencies have issued formal advisories:
| Agency | Advisory ID | Threat Level | Date |
|---|---|---|---|
| GovCERT Hong Kong | A26-05-30 | 🔴 High Threat | May 18, 2026 |
| CIRT Jamaica | - | 🔴 High Threat | May 2026 |
| Microsoft MSRC | ADV260005 | Acknowledged | May 18, 2026 |
Indicators of Compromise (IOCs)
File-Based IOCs
| Type | Value | Description |
|---|---|---|
| Filename | PoC_AbortHydration_ArbitraryRegKey_EoP.exe | MiniPlasma compiled exploit binary |
| Filename | MiniPlasma.exe | Alternative weaponized binary name |
| Driver | cldflt.sys | Targeted vulnerable Windows kernel driver |
| Language | C# (.NET) | Watch for unusual C# compilation activity |
| File Hash | Not yet published | Compile-dependent - no vendor hash released |
Registry-Based IOCs
| Registry Path | Confidence | Description |
|---|---|---|
| \Registry\User\.DEFAULT\Volatile Environment* | 🔴 Critical | Arbitrary write target - strongest IOC |
| \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps* | 🔴 Critical | Manipulated during Phase 3 |
| HKEY_USERS\.DEFAULT | 🟠 High | Hive targeted for unauthorized key creation |
Process-Based IOCs
| Process | Behaviour | Confidence |
|---|---|---|
| cmd.exe | Spawned as NT AUTHORITY\SYSTEM from standard user | 🔴 Critical |
| powershell.exe | Running at SYSTEM integrity from low-privilege parent | 🔴 Critical |
| cldflt.sys | Abnormal DeviceIoControl calls | 🟠 High |
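The two IOC tables above (registry writes from non-SYSTEM processes, and a SYSTEM shell whose parent belongs to an ordinary user) translate directly into detection rules. The following is an added example, not code from the article or from any of the vendors it cites: a small Python detector run over constructed events whose field names are modelled loosely on Sysmon Event ID 13 (registry value set) and Event ID 1 (process create). The sample events, the account names and the inclusion of pwsh.exe alongside the shells the table names are assumptions made for the example. It also normalises the three common spellings of the HKEY_USERS hive (native \Registry\User, HKEY_USERS and Sysmon-style HKU) so the article's native-form IOCs match whichever form the telemetry source emits.

```python
"""Added example: a small detector for the registry and process IOCs tabled above.

Events are simplified dicts modelled loosely on Sysmon Event ID 13 (registry value
set) and Event ID 1 (process create). The sample events and the field names are
constructed for this example; they are not telemetry from the article.
"""
from dataclasses import dataclass
from typing import List, Optional

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
# Accounts that legitimately create SYSTEM processes (service control, scheduled
# tasks); a SYSTEM shell whose parent runs as one of these is not escalation.
PRIVILEGED_PARENTS = {
    SYSTEM_ACCOUNT,
    r"NT AUTHORITY\LOCAL SERVICE",
    r"NT AUTHORITY\NETWORK SERVICE",
}
# Write targets listed in the Registry-Based IOCs table, in native form. The
# trailing "*" in the table means "anything below", so these are prefixes.
IOC_REGISTRY_PREFIXES = (
    r"\Registry\User\.DEFAULT\Volatile Environment",
    r"\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps",
)
# Shells named in the Process-Based IOCs table (pwsh.exe is our own addition).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    detail: str


def normalize_registry_path(path: str) -> str:
    """Map HKEY_USERS\\... and Sysmon-style HKU\\... onto the native \\Registry\\User\\...
    form so one prefix comparison covers all three spellings. The registry is
    case-insensitive, so callers compare the result case-insensitively."""
    p = path.strip()
    for alias in ("HKEY_USERS\\", "HKU\\"):
        if p.upper().startswith(alias):
            return "\\Registry\\User\\" + p[len(alias):]
    return p


def registry_write_alert(event: dict) -> Optional[Alert]:
    """Rule 1: a non-SYSTEM process writing beneath one of the IOC registry prefixes."""
    if event.get("EventID") != 13:
        return None
    target = normalize_registry_path(event.get("TargetObject", "")).lower()
    if not any(target.startswith(prefix.lower()) for prefix in IOC_REGISTRY_PREFIXES):
        return None
    user = event.get("User", "")
    if user.upper() == SYSTEM_ACCOUNT:
        return None  # SYSTEM itself maintains these keys; that is expected
    return Alert("Critical", "registry-ioc-write",
                 f"{event.get('Image')} running as {user} wrote {event.get('TargetObject')}")


def system_shell_alert(event: dict) -> Optional[Alert]:
    """Rule 2: a shell running as SYSTEM whose parent process belongs to an ordinary user."""
    if event.get("EventID") != 1:
        return None
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SHELL_IMAGES or event.get("User", "").upper() != SYSTEM_ACCOUNT:
        return None
    parent_user = event.get("ParentUser", "")
    if parent_user.upper() in {a.upper() for a in PRIVILEGED_PARENTS}:
        return None
    return Alert("Critical", "system-shell-from-user",
                 f"{image} as SYSTEM spawned by {event.get('ParentImage')} ({parent_user})")


def scan(events) -> List[Alert]:
    """Run every rule over every event and collect the alerts in input order."""
    alerts = []
    for event in events:
        for rule in (registry_write_alert, system_shell_alert):
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: two benign events and three that should alert.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\winlogon.exe", "User": SYSTEM_ACCOUNT,
     "TargetObject": r"HKU\.DEFAULT\Volatile Environment\USERNAME"},          # benign
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\tool.exe", "User": r"CORP\alice",
     "TargetObject": r"HKU\.DEFAULT\Volatile Environment\Injected"},          # rule 1
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\tool.exe", "User": r"CORP\alice",
     "TargetObject": r"\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps\x"},  # rule 1
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_ACCOUNT,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": SYSTEM_ACCOUNT},     # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_ACCOUNT,
     "ParentImage": r"C:\Users\alice\Downloads\tool.exe", "ParentUser": r"CORP\alice"},     # rule 2
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.detail}")
```

Rule 1 deliberately exempts SYSTEM itself, because winlogon and the profile service legitimately populate HKU\.DEFAULT\Volatile Environment at logon; the signal is a non-SYSTEM writer. Rule 2 keys on the parent's account rather than the parent's image name, since the article's point is a SYSTEM shell arriving from a standard user session, whatever binary started it.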
MITRE ATT&CK Mapping
| Kill Chain Phase | Attack Activity | Technique ID |
|---|---|---|
| Execution | PowerShell-based exploit runs from standard user account | T1059.001 |
| Privilege Escalation | Race condition in cldflt.sys exploited to escalate to SYSTEM | T1068 |
| Privilege Escalation | SYSTEM token hijacked via Windows thread impersonation | T1134.001 |
| Defense Evasion | Arbitrary registry key written to HKEY_USERS\.DEFAULT bypassing access checks | T1112 |
Recommendations
Immediate (0–24 Hours)
- Monitor and alert on writes to \Registry\User\.DEFAULT\Volatile Environment* and \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps* from non-SYSTEM processes
- Configure EDR/SIEM to alert on cmd.exe or powershell.exe spawning as NT AUTHORITY\SYSTEM from standard user sessions
- Enable EDR tamper protection
- Block PoC_AbortHydration_ArbitraryRegKey_EoP.exe and MiniPlasma.exe via application blocklists
- Enforce least privilege - remove unnecessary local admin rights immediately
- Deploy ThreatLocker Community Policy TL.REG.1747 if applicable
Short-Term (24–72 Hours)
- Implement application allowlisting via WDAC or AppLocker - the single most effective mitigation currently available
- Enable Attack Surface Reduction (ASR) rules via Group Policy or Intune
- Enable PowerShell Script Block Logging (Event ID 4104) and restrict execution policy to AllSigned
- Re-mark CVE-2020-17103 as open/unresolved in your vulnerability management platform - remove any closed status applied in 2020
Patch Management
- Monitor Microsoft advisory ADV260005 for updates
- When patch releases June 10, 2026 - deploy within 24 hours, not the standard 30-day cycle
- Independently validate patch effectiveness after deployment - do not assume remediation based on KB number alone given MiniPlasma's patch regression history
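The last recommendation above, validating that the fix actually landed rather than trusting the KB number, can be made mechanical. The following is an added example, not code from the article or from Microsoft: it compares a before-update and an after-update inventory of driver files and flags the cases that matter here, a component the update was documented to replace that is byte-for-byte unchanged, a component whose file version went backwards, and a component that disappeared. The inventories, version strings and hashes are constructed placeholders, not real cldflt.sys build numbers; on a real host you would build them from the files under System32\drivers before and after deploying the update.

```python
"""Added example: verify that a cumulative update actually replaced the component
it was supposed to fix, rather than trusting the KB number.

Inventories are {filename: {"version": ..., "sha256": ...}} taken before and
after the update. The versions and hashes below are constructed placeholders,
not real cldflt.sys build numbers or hashes.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Inventory = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str            # "not_updated", "version_regressed" or "removed"
    before: str
    after: Optional[str]


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a Windows file version such as '10.0.26100.1' into a comparable 4-tuple;
    short forms are zero-padded so '10.0.26100' sorts below '10.0.26100.1'."""
    parts = [int(x) for x in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not a Windows file version: {version!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def sha256_of(path: str) -> str:
    """Hash one file in chunks; use this to build a real inventory from System32\\drivers."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_inventories(before: Inventory, after: Inventory,
                        expect_changed=()) -> List[Finding]:
    """Flag components that went backwards, disappeared, or (for the components the
    update is documented to replace) came through the update byte-for-byte unchanged."""
    findings = []
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            findings.append(Finding(name, "removed", old["version"], None))
            continue
        if parse_version(new["version"]) < parse_version(old["version"]):
            findings.append(Finding(name, "version_regressed", old["version"], new["version"]))
        elif name in expect_changed and new["sha256"] == old["sha256"]:
            findings.append(Finding(name, "not_updated", old["version"], new["version"]))
    return findings


# Constructed snapshots. The update is supposed to replace cldflt.sys, but its
# hash is identical afterwards, and ntfs.sys came back at an older build.
BEFORE: Inventory = {
    "cldflt.sys": {"version": "10.0.26100.100", "sha256": "a" * 64},
    "ntfs.sys":   {"version": "10.0.26100.120", "sha256": "b" * 64},
    "tcpip.sys":  {"version": "10.0.26100.100", "sha256": "c" * 64},
}
AFTER: Inventory = {
    "cldflt.sys": {"version": "10.0.26100.100", "sha256": "a" * 64},   # untouched
    "ntfs.sys":   {"version": "10.0.26100.90",  "sha256": "d" * 64},   # regressed
    "tcpip.sys":  {"version": "10.0.26100.130", "sha256": "e" * 64},   # updated normally
}

if __name__ == "__main__":
    for f in compare_inventories(BEFORE, AFTER, expect_changed=("cldflt.sys",)):
        print(f"{f.component}: {f.kind} ({f.before} -> {f.after})")
```

The "not_updated" check is the one that would have caught the situation the article describes: a KB reported as installed while the driver it was meant to replace is the same file as before. Keep the before-update inventory from every cycle, since a regression can surface several updates after the fix shipped.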
Strategic Context
MiniPlasma is a sobering reminder that patching is not a one-time event - it is a continuous assurance process. A vulnerability declared fixed in 2020 is fully exploitable in 2026 on the most current, fully updated Windows systems. Organizations that closed CVE-2020-17103 in their vulnerability management platforms six years ago had no reason to retest it. Their scanners showed it as resolved. Their compliance reports reflected a closed finding. Yet the vulnerability was live.
This incident raises a broader and uncomfortable question for the entire industry: how many other "patched" vulnerabilities have silently regressed in Windows cumulative updates without anyone noticing?
Key Facts Summary
| Attribute | Details |
|---|---|
| Vulnerability Name | MiniPlasma |
| CVE | CVE-2020-17103 |
| CVSS Score | 7.8 (High) |
| CWE | CWE-269 - Improper Privilege Management |
| Component | cldflt.sys - Windows Cloud Files Mini Filter Driver |
| Researcher | Nightmare-Eclipse / Chaotic Eclipse |
| Original Discovery | James Forshaw, Google Project Zero (September 2020) |
| Public Disclosure | May 13, 2026 |
| Microsoft Advisory | ADV260005 (May 18, 2026) |
| Patch Available | No |
| Next Patch Window | June 10, 2026 |
| PoC Public | Yes - GitHub |
| Actively Exploited | ⚠️ Not confirmed - imminent risk |
| MITRE Tactic | TA0004 - Privilege Escalation |
| MITRE Technique | T1068 - Exploitation for Privilege Escalation |
References
| # | Source | URL |
|---|---|---|
| 1 | ThreatLocker Blog | threatlocker.com/blog/miniplasma |
| 2 | BleepingComputer | bleepingcomputer.com |
| 3 | The Hacker News | thehackernews.com |
| 4 | SecurityWeek | securityweek.com |
| 5 | GovCERT Hong Kong - A26-05-30 | govcert.gov.hk |
| 6 | Rescana CVE Analysis | rescana.com |
| 7 | NormCyber Threat Bulletin | normcyber.com |
| 8 | Tenable Nessus Plugin 316497 | tenable.com |
| 9 | VulDB Entry 363159 | vuldb.com |
| 10 | CIRT Jamaica Advisory | cirt.gov.jm |
| 11 | GitHub PoC Repository | github.com/Nightmare-Eclipse/MiniPlasma |
| 12 | Microsoft MSRC - CVE-2020-17103 | msrc.microsoft.com |
| 13 | MITRE ATT&CK T1068 | attack.mitre.org/techniques/T1068 |
This article is intended for cybersecurity professionals and SOC analysts.