A critical Windows privilege escalation zero-day vulnerability dubbed “MiniPlasma” has emerged in the wild with a public proof-of-concept exploit that allows attackers to achieve SYSTEM-level privileges on fully patched Windows systems. The disclosure has triggered widespread alarm in the security community, exposing every version of Windows to potential compromise until a patch is issued.
The Vulnerability: A Six-Year-Old Ghost Returns
Security researcher Nightmare-Eclipse published the weaponized MiniPlasma exploit on GitHub on May 13, 2026, claiming that Microsoft either failed to patch or silently rolled back the fix for a vulnerability originally reported six years ago. The flaw targets the cldflt.sys Cloud Filter driver’s HsmOsBlockPlaceholderAccess routine — a component integral to Windows cloud storage synchronization services such as OneDrive.
The vulnerability was initially discovered and reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. Microsoft assigned it CVE-2020-17103 and reportedly issued a fix in December 2020 as part of its Patch Tuesday updates. However, Nightmare-Eclipse’s research confirms that the same issue documented in Forshaw’s original report remains fully exploitable today without any modification to the original proof-of-concept code.
How MiniPlasma Works
The vulnerability allows unprivileged users to create arbitrary registry keys in the .DEFAULT user hive without proper access checks. According to Google Project Zero’s original research, the flaw lies in how the HsmOsBlockPlaceholderAccess function handles registry key creation — specifically, the function fails to specify the OBJ_FORCE_ACCESS_CHECK flag, enabling attackers to bypass normal access restrictions and write keys to the .DEFAULT user hive even though standard users lack such permissions.
The MiniPlasma proof-of-concept weaponizes this behavior by exploiting a race condition that toggles between user and anonymous tokens to manipulate the RtlOpenCurrentUser function at the kernel level. When the race condition is won, the system opens the .DEFAULT hive for writing while thread impersonation is reverted, allowing unauthorized key creation. Running the exploit from a standard user account successfully opens a command prompt with full SYSTEM privileges — granting attackers complete control over the compromised machine.
Scope and Impact
The MiniPlasma vulnerability affects all versions of Windows, making it a significant threat across enterprise environments, workstations, and cloud-synchronized deployments. The Cloud Filter driver (cldflt.sys) is present and active on a broad range of Windows installations due to its role in OneDrive and cloud file synchronization — meaning the vulnerable code path runs on an exceptionally wide surface area.
The researcher timed the disclosure to follow immediately after Microsoft’s May 2026 Patch Tuesday cycle, intentionally leaving organizations without an official fix until at least the next scheduled monthly update. The GitHub repository accumulated over 390 stars within days of publication, indicating rapid uptake by the security research community — and potentially by malicious actors as well.
Why This Matters for Enterprise Security
Privilege escalation vulnerabilities with public PoC exploits are among the most dangerous classes of vulnerability for enterprise defenders. They do not require any interaction from a target user and can be chained with initial access techniques — such as phishing, web application exploitation, or supply chain compromises — to quickly achieve full administrative control over a victim system.
In ransomware attack chains, privilege escalation is a critical step that allows attackers to disable security tools, spread laterally through a network, and exfiltrate data before deploying encryption payloads. A reliable, public SYSTEM-level privilege escalation exploit for all Windows versions dramatically lowers the bar for sophisticated follow-on attacks.
Recommended Mitigations
While waiting for an official Microsoft patch, organizations should consider the following defensive measures:
- Monitor systems for unusual SYSTEM-level process spawning from unprivileged parent processes, which may indicate exploitation attempts
- Review and restrict access to the Cloud Filter driver (cldflt.sys) in environments where cloud storage synchronization is not required
- Deploy endpoint detection and response (EDR) solutions capable of detecting race condition exploits and anomalous registry key creation activity
- Apply the principle of least privilege rigorously — limit standard user accounts and ensure administrative access is restricted to approved personnel
- Monitor GitHub and public exploit repositories for MiniPlasma variants and updated PoC code
- Prioritize the installation of the next Microsoft Patch Tuesday update as soon as it is released
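As an added example (not code from the article or from the researcher's repository), the following Python runs the two detection ideas from the list above over constructed, Sysmon-style process and registry events: a SYSTEM process spawned by a parent that ran as a non-SYSTEM account, and a key written under the .DEFAULT hive by a non-SYSTEM account. The field names, paths and account names are assumptions made for this example; events whose parent account was not recorded are left unflagged rather than guessed.

```python
"""Added detection example for the mitigations above: flags SYSTEM processes
spawned by a non-SYSTEM parent and writes to the .DEFAULT hive by non-SYSTEM
accounts. All events are constructed; field names mimic Sysmon's."""
from dataclasses import dataclass
from typing import Optional

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
DEFAULT_HIVE = "HKU\\.DEFAULT\\"

EVENTS = [  # constructed sample telemetry, not from a real host
    # Benign: service host started by the service control manager.
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe", "user": SYSTEM_ACCOUNT,
     "parent_image": "C:\\Windows\\System32\\services.exe", "parent_user": SYSTEM_ACCOUNT},
    # Suspicious: SYSTEM cmd.exe whose parent ran as a standard user.
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "user": SYSTEM_ACCOUNT,
     "parent_image": "C:\\Users\\alice\\Downloads\\poc.exe", "parent_user": "DESKTOP\\alice"},
    # Parent user not recorded by the sensor: insufficient data, not flagged.
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "user": SYSTEM_ACCOUNT,
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    # Benign: SYSTEM writing to the .DEFAULT hive.
    {"type": "registry", "target": "HKU\\.DEFAULT\\Software\\Classes\\x", "user": SYSTEM_ACCOUNT},
    # Suspicious: standard user creating a key under .DEFAULT.
    {"type": "registry", "target": "HKU\\.DEFAULT\\Environment\\x", "user": "DESKTOP\\alice"},
]

@dataclass
class Finding:
    rule: str
    detail: str

def check_process(ev: dict) -> Optional[Finding]:
    """Flag a SYSTEM process whose parent ran as a non-SYSTEM account."""
    parent_user = ev.get("parent_user")
    if parent_user is None:  # sensor did not record it; do not guess
        return None
    if ev["user"] == SYSTEM_ACCOUNT and parent_user != SYSTEM_ACCOUNT:
        return Finding("system-from-unprivileged-parent",
                       f'{ev["image"]} spawned by {ev["parent_image"]} ({parent_user})')
    return None

def check_registry(ev: dict) -> Optional[Finding]:
    """Flag any write under HKU\\.DEFAULT by an account other than SYSTEM."""
    if ev["target"].upper().startswith(DEFAULT_HIVE) and ev["user"] != SYSTEM_ACCOUNT:
        return Finding("default-hive-write-by-user", f'{ev["user"]} wrote {ev["target"]}')
    return None

def scan(events: list) -> list:
    checkers = {"process": check_process, "registry": check_registry}
    return [f for ev in events if (f := checkers[ev["type"]](ev)) is not None]
```

Tuning note: in real telemetry, the process rule needs an allowlist for legitimate SYSTEM launches (installers, scheduled tasks, service starts) before it is actionable as an alert.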
Looking Ahead
The MiniPlasma case highlights a troubling pattern: vulnerabilities that were supposedly patched years ago resurface either due to incomplete fixes, regression in later code changes, or the reintroduction of vulnerable components through system updates. Organizations cannot assume that previously patched vulnerabilities remain closed indefinitely — continuous monitoring, layered defenses, and rapid patch adoption remain the only reliable long-term strategies.