Published on May 18, 2026

MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems


Severity
Medium

Detail

A new Windows zero-day vulnerability named MiniPlasma has been disclosed, affecting the Windows Cloud Files Mini Filter Driver (cldflt.sys), the kernel filter that implements placeholder files for cloud sync engines such as OneDrive. The flaw lies in the driver's HsmOsBlockPlaceholderAccess routine and allows an attacker who already runs code as a standard, unprivileged user to escalate to full SYSTEM-level access on fully patched Windows systems.

The vulnerability was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and was believed to have been fixed under CVE-2020-17103 in December 2020. However, security researcher Chaotic Eclipse later discovered that the underlying issue still exists and remains exploitable.

The researcher developed a working proof-of-concept (PoC) exploit capable of reliably spawning a SYSTEM-level command shell (cmd.exe) on fully updated Windows 11 systems. Another researcher, Will Dormann, also confirmed successful exploitation on Windows 11 devices running the latest May 2026 security updates. Interestingly, the exploit reportedly does not work on the latest Windows Insider Canary builds, suggesting Microsoft may already be testing a fix internally.

The issue is considered highly dangerous because it impacts fully patched systems and may affect nearly all supported Windows versions. The flaw also follows another privilege escalation vulnerability in the same component, CVE-2025-62221, which Microsoft patched in December 2025 after evidence of active exploitation.

How?

The MiniPlasma vulnerability exploits a race condition inside the cldflt.sys driver, specifically in the HsmOsBlockPlaceholderAccess function. A race condition is a bug whose outcome depends on the relative timing of concurrent operations on shared state: a check and the action that relies on it are not performed atomically, so a second thread that the attacker controls can change the state in the window between them and push the driver down a code path it was never meant to take.

An attacker first needs low-privileged code execution on the target, obtained for example through malware, phishing, or another initial compromise. From that foothold, the exploit drives the driver's placeholder-file handling from user mode so that the vulnerable routine is reached with attacker-controlled timing, causing the kernel driver to perform an operation it should have refused.

By winning the race against the affected function, the attacker ends up with SYSTEM privileges, the most privileged local account on Windows. This gives complete control over the compromised machine: disabling security tools, dumping credentials, installing persistent malware, or moving laterally across the network.

The exploit is reportedly reliable enough to consistently launch a SYSTEM shell on fully updated Windows 11 systems, making it practical for real-world attacks. Because the flaw resides in a core Windows driver and is triggered through otherwise legitimate file-system operations, the exploitation itself is hard to spot; what defenders can observe is the result, a SYSTEM process spawned by a process that was started as an ordinary user.
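The observable artefact above can be turned into a detection. The following is an added example, not code from the original article or from any of the researchers it names: it correlates process-creation records so that a SYSTEM child whose creator was itself started under a non-SYSTEM account is flagged. The record layout is a simplified model of Windows Security event 4688 (the real fields SubjectUserSid, NewProcessId, NewProcessName, creator ProcessId and ParentProcessName are assumed to be mapped onto it by a collector), and the sample events, user SID and file names are constructed.

```python
"""Flag SYSTEM processes whose creator process was started as a normal user.

Added example; the event model and all sample data are constructed and
only loosely follow Security event 4688 (process creation).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYSTEM_SID = "S-1-5-18"  # well-known SID for NT AUTHORITY\SYSTEM


@dataclass(frozen=True)
class ProcessCreate:
    """One process-creation record (simplified 4688; field names are assumptions)."""
    record_id: int
    subject_sid: str        # account the creator process was running as
    new_pid: int
    new_process: str
    creator_pid: int
    creator_process: str


def find_suspicious_system_children(events: List[ProcessCreate]) -> List[dict]:
    """Return alerts for SYSTEM children whose creator was created as non-SYSTEM.

    Legitimate SYSTEM processes descend from services.exe/svchost.exe and
    similar SYSTEM ancestry. A process that was created under a user account
    and later spawns a SYSTEM child is the footprint a local kernel
    privilege-escalation exploit leaves when it launches its shell.
    """
    # pid -> (sid the process was created under, image path), filled as we go
    origin: Dict[int, Tuple[str, str]] = {}
    alerts: List[dict] = []

    for ev in sorted(events, key=lambda e: e.record_id):
        if ev.subject_sid == SYSTEM_SID:
            parent = origin.get(ev.creator_pid)
            # PIDs are recycled: trust the recorded origin only if the image
            # name still matches what that PID held when we last saw it created.
            if (parent is not None
                    and parent[1].lower() == ev.creator_process.lower()
                    and parent[0] != SYSTEM_SID):
                alerts.append({
                    "record_id": ev.record_id,
                    "child": ev.new_process,
                    "creator": ev.creator_process,
                    "creator_pid": ev.creator_pid,
                    "creator_origin_sid": parent[0],
                })
        origin[ev.new_pid] = (ev.subject_sid, ev.new_process)
    return alerts


# Constructed sample session: normal boot-time SYSTEM processes, one user
# logon, and an unprivileged binary that spawns a SYSTEM cmd.exe.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
SAMPLE_EVENTS = [
    ProcessCreate(1, SYSTEM_SID, 700, r"C:\Windows\System32\services.exe", 500, r"C:\Windows\System32\wininit.exe"),
    ProcessCreate(2, SYSTEM_SID, 900, r"C:\Windows\System32\svchost.exe", 700, r"C:\Windows\System32\services.exe"),
    ProcessCreate(3, USER_SID, 4000, r"C:\Windows\explorer.exe", 3500, r"C:\Windows\System32\userinit.exe"),
    ProcessCreate(4, USER_SID, 5200, r"C:\Users\alice\Downloads\poc.exe", 4000, r"C:\Windows\explorer.exe"),
    ProcessCreate(5, USER_SID, 5300, r"C:\Windows\System32\notepad.exe", 4000, r"C:\Windows\explorer.exe"),
    # user-created process spawning a SYSTEM shell: this is the alert
    ProcessCreate(6, SYSTEM_SID, 6100, r"C:\Windows\System32\cmd.exe", 5200, r"C:\Users\alice\Downloads\poc.exe"),
    # benign SYSTEM ancestry, must not alert
    ProcessCreate(7, SYSTEM_SID, 6200, r"C:\Windows\System32\conhost.exe", 900, r"C:\Windows\System32\svchost.exe"),
    # PID 5300 recycled by a SYSTEM svchost whose own creation record was lost;
    # the image-name mismatch against notepad.exe prevents a false alert
    ProcessCreate(8, SYSTEM_SID, 6300, r"C:\Windows\System32\WerFault.exe", 5300, r"C:\Windows\System32\svchost.exe"),
]


if __name__ == "__main__":
    for alert in find_suspicious_system_children(SAMPLE_EVENTS):
        print("ALERT record %(record_id)d: %(child)s started as SYSTEM by "
              "%(creator)s (pid %(creator_pid)d), which was created as "
              "%(creator_origin_sid)s" % alert)
```

The correlation needs process-creation auditing enabled on the endpoint (or an EDR feed that carries the same fields), and the image-name check is only a cheap guard against PID reuse; a production rule should also consume process-termination events and allow-list legitimate helpers that run a user-started process under SYSTEM.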

Conclusion

The MiniPlasma vulnerability highlights the ongoing risk posed by privilege escalation flaws in core Windows components. Despite being first reported in 2020 and nominally fixed under CVE-2020-17103, the issue appears to have remained exploitable, raising concerns about an incomplete fix or a later regression.

Its ability to grant SYSTEM privileges on fully patched systems makes it especially valuable to threat actors, since it can be chained with any initial-access technique to gain full control of enterprise endpoints. The release of a public proof-of-concept further increases the likelihood of exploitation in the wild.

Until an official fix is available, organizations should watch Microsoft security advisories for a patch, restrict unnecessary local access, and monitor for privilege escalation indicators such as cmd.exe or other processes running as SYSTEM whose parent process was started by a standard user. Administrators can confirm whether the Cloud Files filter is loaded on a host with the built-in fltmc tool, and defense-in-depth controls (least privilege, application control, EDR) reduce the impact if the flaw is exploited.

Source

https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html