June 9, 2026

The Queens County Citizen

New ‘MiniPlasma’ Windows Zero-Day Exploit Grants SYSTEM Access on Fully Updated PCs

A newly disclosed Windows privilege escalation exploit is raising concerns across the cybersecurity sector after researchers demonstrated that it can grant attackers SYSTEM-level access on fully updated Windows machines. The exploit, dubbed “MiniPlasma,” targets a component tied to Microsoft’s Cloud Filter technology and has already been verified on current public builds of Windows 11.

The disclosure comes amid growing scrutiny over how major technology companies handle vulnerability reports and bug bounty submissions, an issue that continues to affect enterprise security teams in Canada and globally as organizations face increasingly sophisticated cyber threats.

Researcher Releases Public Proof-of-Concept Exploit

The exploit was published by cybersecurity researcher Chaotic Eclipse, also known online as Nightmare Eclipse. The researcher released both source code and a compiled executable through GitHub after alleging that Microsoft failed to completely resolve a previously reported flaw dating back to 2020.

According to the disclosure, the vulnerability affects the Windows cldflt.sys Cloud Filter driver, specifically the HsmOsBlockPlaceholderAccess routine. The issue was originally identified by Google Project Zero researcher James Forshaw in September 2020.

At the time, Microsoft tracked the flaw as CVE-2020-17103 and said it had been patched in December of that year.

However, Chaotic Eclipse now claims the underlying vulnerability remains exploitable.

“After investigating, it turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched,” the researcher stated.

The researcher also suggested the original fix may never have fully addressed the issue or may have been unintentionally reverted in later Windows updates.

Tests Confirm Exploit Works on Current Windows 11 Builds

Security publication BleepingComputer reported that it successfully tested the exploit on a fully patched Windows 11 Pro system running Microsoft’s May 2026 Patch Tuesday updates.

During testing, the exploit was executed from a standard user account and reportedly opened a command prompt with SYSTEM privileges — the highest level of access available on Windows systems.

Will Dormann, principal vulnerability analyst at cybersecurity firm Tharros, independently confirmed that the exploit worked on the latest public release of Windows 11. However, he noted that the vulnerability did not function on the latest Windows 11 Insider Preview Canary build, suggesting Microsoft may already be testing a mitigation internally.

For Canadian businesses and public-sector organizations relying heavily on Windows infrastructure, privilege escalation vulnerabilities remain particularly significant because they can allow attackers who already have limited access to gain full administrative control over systems.

How the MiniPlasma Exploit Works

The exploit appears to target how the Windows Cloud Filter driver handles registry key creation through an undocumented API known as CfAbortHydration.

Forshaw’s original 2020 research indicated the flaw could permit arbitrary registry keys to be created inside the .DEFAULT user hive without sufficient access validation. In practice, this behaviour may enable attackers to elevate privileges from a regular user account to SYSTEM-level access.

Although Microsoft previously stated that the issue had been resolved as part of its December 2020 security updates, the latest disclosure suggests the vulnerability may still exist in publicly deployed Windows environments.

Microsoft has not yet publicly commented on the renewed claims. BleepingComputer reported that it contacted the company for clarification and potential response.

Part of a Growing Series of Windows Zero-Day Disclosures

MiniPlasma is the latest in a string of Windows security disclosures released by Chaotic Eclipse in recent weeks.

The series reportedly began in April with “BlueHammer,” a Windows local privilege escalation vulnerability tracked as CVE-2026-33825. That disclosure was followed by another escalation flaw called “RedSun” and a Windows Defender denial-of-service tool known as “UnDefend.”

According to the researcher, some of the previously disclosed vulnerabilities were later observed being used in active attacks. The researcher also alleged that Microsoft silently fixed the RedSun issue without assigning it an official CVE identifier.

Earlier this month, the researcher published two additional exploits named “YellowKey” and “GreenPlasma.”

YellowKey reportedly targets BitLocker protections on Windows 11 and Windows Server 2022 and 2025 systems configured with TPM-only authentication. The exploit allegedly enables access to unlocked encrypted drives by spawning a command shell.

Dispute Over Vulnerability Disclosure Process

Chaotic Eclipse has publicly stated that the ongoing release of Windows zero-days is tied to dissatisfaction with Microsoft’s vulnerability disclosure and bug bounty process.

In public comments accompanying the disclosures, the researcher accused Microsoft of mishandling communications and discouraging cooperation during the reporting process.

Microsoft has previously said it supports coordinated vulnerability disclosure and remains committed to investigating reported security issues and protecting users through software updates.

The latest disclosure highlights the continuing tension between independent security researchers and large software vendors over disclosure timelines, patch verification, and researcher relations — issues that remain central to global cybersecurity policy discussions, including within Canada’s growing digital security sector.

Ongoing Risk for Windows Users

While no widespread attacks linked specifically to MiniPlasma have yet been publicly confirmed, the availability of a working proof-of-concept exploit significantly raises the risk of abuse by threat actors.

Cybersecurity professionals generally advise organizations to closely monitor Microsoft security advisories, restrict unnecessary local access privileges, and maintain layered endpoint protection measures while awaiting further clarification or potential patches.

As investigations continue, the MiniPlasma disclosure serves as another reminder that even previously patched vulnerabilities can sometimes resurface, creating renewed risks for governments, businesses, and everyday Windows users alike.