A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed “MiniPlasma” that lets attackers gain SYSTEM privileges on fully patched Windows systems.
The exploit was published by a researcher known as Chaotic Eclipse, or Nightmare Eclipse, who released both the source code and a compiled executable on GitHub after claiming that Microsoft failed to properly patch a previously reported 2020 vulnerability.
According to the researcher, the flaw impacts the ‘cldflt.sys‘ Cloud Filter driver and its ‘HsmOsBlockPlaceholderAccess‘ routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.
At the time, the flaw was assigned the CVE-2020-17103 identifier and reportedly fixed in December 2020.
“After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched,” explains Chaotic Eclipse.
“I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes.”
BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates.
In our test, we used a standard user account, and after running the exploit, it opened a command prompt with SYSTEM privileges, as shown in the image below.
Source: BleepingComputer
Will Dormann, principal vulnerability analyst at Tharros, also confirmed the exploit works in his tests on the latest public version of Windows 11. However, he said that the flaw does not work in the latest Windows 11 Insider Preview Canary build.
The exploit appears to abuse how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. Forshaw’s original report said that the flaw could allow arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, potentially enabling privilege escalation.
While Microsoft reports having fixed the bug as part of its December 2020 Microsoft Patch Tuesday, Chaotic Eclipse now claims the vulnerability can still be exploited.
BleepingComputer contacted Microsoft about this additional zero-day and will update this story if we receive a response.
Researcher behind the recent string of Windows zero-days
MiniPlasma is the latest in a string of Windows zero-day disclosures published by the researcher over the past several weeks.
The disclosure spree began in April with BlueHammer, a Windows local privilege escalation flaw tracked as CVE-2026-33825, followed by another privilege escalation vulnerability, RedSun, and a Windows Defender DoS tool, UnDefend.
After their disclosure, all three vulnerabilities were spotted being exploited in attacks. According to the researcher, Microsoft silently patched the RedSun issue without assigning it a CVE identifier.
This month, the researcher also released two additional exploits named YellowKey and GreenPlasma.
YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that spawns a command shell that gives access to unlocked drives protected by TPM-only BitLocker configurations.
Chaotic Eclipse has previously stated that they are publicly disclosing these Windows zero-days in protest of Microsoft’s bug bounty and vulnerability-handling process.
“Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I’m not sure if I was the only who had this horride experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything,” alleged the researcher.
“They mopped the floor with me and pulled every childish game they could. It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.”
Microsoft previously told BleepingComputer that it supports coordinated vulnerability disclosure and is committed to investigating reported security issues and protecting customers through updates.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
