A public proof-of-concept exploit dubbed MiniPlasma has been released for a Windows local privilege escalation flaw that can grant attackers SYSTEM access on fully patched machines. The exploit targets cldflt.sys, the Windows Cloud Files Mini Filter Driver used by cloud sync features such as OneDrive, and specifically abuses the HsmOsBlockPlaceholderAccess routine. Researchers said the bug appears tied to CVE-2020-17103, a vulnerability originally reported by Google Project Zero's James Forshaw in 2020 and believed to have been fixed by Microsoft, but the original exploit path reportedly still works.
The exploit abuses missing access checks and a race condition during token switching to create arbitrary registry keys in the .DEFAULT user hive and ultimately spawn a SYSTEM shell. Researcher Chaotic Eclipse, also referenced as Nightmare-Eclipse, published the code on GitHub, while Will Dormann reported that it works reliably on Windows 11 systems with the May 2026 updates, though not on the latest Insider Preview Canary builds. Because the affected driver is broadly deployed across Windows environments, the release of reliable public exploit code sharply raises near-term risk while organizations await clarification or a fix from Microsoft.

9 events from the most recent confirmed update back to the earliest known activity.
On 2026-05-23, Nikolas Bielski published analysis showing that several community detections for MiniPlasma/GreenPlasma can be bypassed because they rely too heavily on conhost.exe process-name matching. The article described the exploit’s key artifacts and recommended stronger detections focused on registry activity such as creation of CloudFiles\BlockedApps and a SymbolicLinkValue pointing to Policies\System.
Will Dormann independently reported that MiniPlasma works reliably on Windows 11 systems with the May 2026 updates, though not on the latest Insider Preview Canary builds. This provided outside confirmation that the privilege escalation remained exploitable on current patched releases.
Following the MiniPlasma release, the researcher stated that the vulnerability believed fixed in 2020 still works without changes to the original proof of concept, suggesting that Microsoft did not fully remediate the flaw or that the fix regressed. The exploit was said to be capable of spawning a SYSTEM shell on what are likely all supported Windows versions.
On 2026-05-13, researcher Chaotic Eclipse/Nightmare-Eclipse publicly released a proof-of-concept exploit dubbed MiniPlasma for a Windows local privilege escalation issue in cldflt.sys. The exploit reportedly grants SYSTEM privileges on fully patched systems by abusing missing access checks and a race condition.
The Securelist article says Huntress Labs observed real-world attacks exploiting earlier vulnerabilities from the same disclosure set starting on April 10. This added evidence of active exploitation in the wild connected to the Cloud Files privilege-escalation issues later highlighted by MiniPlasma.
A GitHub repository published a demo proof-of-concept for CVE-2025-62221, a temporal memory inconsistency issue in Windows cldflt.sys. The release publicly exposed exploit-related technical details for the vulnerability after Microsoft had patched it in December 2025.
In December 2025, Microsoft fixed another privilege escalation flaw in the same Cloud Files component, CVE-2025-62221. The company said the bug had been exploited by unknown threat actors.
Microsoft reportedly patched the cldflt.sys privilege escalation vulnerability in December 2020 under CVE-2020-17103. Later reporting suggests the fix may have been incomplete or may have regressed.
Google Project Zero researcher James Forshaw reported a local privilege escalation flaw in the Windows Cloud Files Mini Filter Driver (cldflt.sys), specifically involving HsmOsBlockPlaceholderAccess, to Microsoft in September 2020. The issue was later tracked as CVE-2020-17103.
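As an added illustration of the detection point made in the 2026-05-23 analysis (this is not code from the page or from any researcher named on it), the Python below runs a conhost.exe process-name rule and a registry-artifact rule over a few constructed Sysmon-style registry events. The event shape, the full registry paths and the process names are assumptions; only the CloudFiles\BlockedApps and SymbolicLinkValue / Policies\System artifacts come from the analysis.

```python
import re

# Constructed Sysmon-style registry events (EventID 12 = key create/delete,
# 13 = value set). Paths and process names are illustrative assumptions.
SAMPLE_EVENTS = [
    # Benign: conhost.exe writing an unrelated value under HKU\.DEFAULT.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\conhost.exe",
     "TargetObject": r"HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache",
     "Details": "notepad"},
    # Suspicious: BlockedApps key created in the .DEFAULT hive by a renamed binary.
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Users\alice\Downloads\updater.exe",
     "TargetObject": r"HKU\.DEFAULT\Software\Microsoft\Windows\CloudFiles\BlockedApps",
     "Details": ""},
    # Suspicious: SymbolicLinkValue redirecting that key to Policies\System.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Users\alice\Downloads\updater.exe",
     "TargetObject": r"HKU\.DEFAULT\Software\Microsoft\Windows\CloudFiles\BlockedApps\SymbolicLinkValue",
     "Details": r"\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
]

BLOCKED_APPS_KEY = re.compile(r"^HKU\\\.DEFAULT\\.*\\CloudFiles\\BlockedApps$", re.IGNORECASE)
POLICIES_SYSTEM = re.compile(r"\\Policies\\System$", re.IGNORECASE)


def weak_match(event):
    """Process-name-only rule of the kind the analysis shows is bypassable."""
    return event["Image"].lower().endswith("\\conhost.exe")


def registry_reasons(event):
    """Registry-artifact reasons an event matches (empty list if none).
    Deliberately ignores Image, so renaming or re-parenting the tool does not evade it."""
    target, details = event["TargetObject"], event["Details"]
    reasons = []
    if event["EventID"] == 12 and event["EventType"] == "CreateKey" and BLOCKED_APPS_KEY.search(target):
        reasons.append("CloudFiles\\BlockedApps created under .DEFAULT hive")
    if (event["EventID"] == 13 and target.lower().endswith("\\symboliclinkvalue")
            and POLICIES_SYSTEM.search(details)):
        reasons.append("SymbolicLinkValue points at Policies\\System")
    return reasons


def triage(events):
    """Run both rules; returns (weak_hits, registry_hits) as lists of event indexes."""
    weak = [i for i, e in enumerate(events) if weak_match(e)]
    strong = [i for i, e in enumerate(events) if registry_reasons(e)]
    return weak, strong


if __name__ == "__main__":
    weak, strong = triage(SAMPLE_EVENTS)
    print("conhost-only rule flags:", weak)        # [0]: false positive, misses the exploit
    print("registry-artifact rule flags:", strong)  # [1, 2]
```

The process-name rule fires on the benign conhost.exe event and misses both exploit artifacts, while the registry rule catches the key creation and the symbolic link regardless of which process wrote them.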
Sources (9 references): securelist.ru, malware.news, detect.fyi, thecyberthrone.in, securityaffairs.com, cybersecuritynews.com, thehackernews.com, pcworld.com, github.com