MiniPlasma zero-day allegedly restores SYSTEM access on patched Windows

Agents typically don’t need a key to get into the Windows kernel—until a proof-of-concept shows they might already have one. A cybersecurity researcher has now published “MiniPlasma,” a Windows privilege escalation zero-day that claims to let attackers obtain SYSTEM privileges on fully patched systems, along with source code and a compiled executable.

The exploit was released by a researcher known as Chaotic Eclipse, also referred to as Nightmare Eclipse, who posted the materials on GitHub after saying Microsoft failed to properly patch a vulnerability originally reported in 2020. Chaotic Eclipse said the flaw targets the Windows Cloud Filter driver component ‘cldflt.sys’ and specifically a routine called ‘HsmOsBlockPlaceholderAccess’.

The vulnerability traces back to reporting by Google Project Zero researcher James Forshaw in September 2020. At the time, the issue was assigned CVE-2020-17103 and was reportedly fixed in December 2020—yet Chaotic Eclipse says the “exact same issue” remains present. “After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched,” Chaotic Eclipse explained. The researcher added: “I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes.”

Testing carried out by BleepingComputer on a fully patched Windows 11 Pro system with the latest May 2026 Patch Tuesday updates reportedly showed the exploit working from a standard user account. After running the MiniPlasma exploit, it opened a command prompt with SYSTEM privileges, according to the demonstration shown with the report.

Will Dormann, principal vulnerability analyst at Tharros, also confirmed the exploit functions on the latest public version of Windows 11. However, Dormann said the flaw does not work on the latest Windows 11 Insider Preview Canary build.

MiniPlasma appears to rely on how the Windows Cloud Filter driver handles registry key creation via an undocumented CfAbortHydration API. Forshaw’s original report said the flaw could enable arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks—an angle tied directly to the ability to escalate privileges.
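For defenders, the behaviour described above suggests one thing to look for: registry keys appearing in the .DEFAULT hive on behalf of an account that is not SYSTEM. The following is an added example, not code from the article, the researcher or the PoC; it filters constructed records laid out like Sysmon Event ID 12 (registry object create/delete) and assumes, which the report does not confirm, that such a key creation would be logged under the calling user's name.

```python
import re

# HKU\.DEFAULT is the LocalSystem profile hive; HKU\S-1-5-18 is the same hive
# addressed by SID, so both spellings are matched.
SYSTEM_HIVE = re.compile(r"^(?:HKU|HKEY_USERS)\\(?:\.DEFAULT|S-1-5-18)(?:\\|$)", re.I)
TRUSTED_USERS = {"nt authority\\system"}  # assumption: extend per environment

# Constructed sample records in the "Field: value" layout of Sysmon Event ID 12.
# Paths, users and key names are made up; none of this is output from the PoC.
SAMPLE_LOG = r"""
EventType: CreateKey
Image: C:\Windows\System32\svchost.exe
TargetObject: HKU\.DEFAULT\Software\Microsoft\ExampleService
User: NT AUTHORITY\SYSTEM

EventType: CreateKey
Image: C:\Users\alice\Downloads\tool.exe
TargetObject: HKU\.DEFAULT\Software\ConstructedKey
User: CORP\alice

EventType: CreateKey
Image: C:\Users\alice\AppData\Local\app\app.exe
TargetObject: HKU\S-1-5-21-1111-2222-3333-1001\Software\App
User: CORP\alice

EventType: DeleteKey
Image: C:\Users\alice\Downloads\tool.exe
TargetObject: HKU\.DEFAULT\Software\ConstructedKey
User: CORP\alice
"""

def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        events.append(fields)
    return events

def suspicious_creates(events):
    """Return key-creation events in the LocalSystem hive by untrusted users."""
    return [ev for ev in events
            if ev.get("EventType") == "CreateKey"
            and SYSTEM_HIVE.match(ev.get("TargetObject", ""))
            and ev.get("User", "").lower() not in TRUSTED_USERS]

if __name__ == "__main__":
    for ev in suspicious_creates(parse_events(SAMPLE_LOG)):
        print(f"ALERT {ev['User']} created {ev['TargetObject']} via {ev['Image']}")
```

Legitimate software running as other service accounts may also write to this hive, so the trusted-user set needs tuning against a baseline before alerting on it.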

Chaotic Eclipse’s central claim creates a clear tension with Microsoft’s prior actions: Microsoft reports having fixed the bug as part of its December 2020 Microsoft Patch Tuesday, while the researcher now argues the vulnerability is still exploitable.

In one thread, the named 2020 reporting and the 2020 tracking details sit beside the new claim of an “exact same issue” still being unpatched, and the testing results follow that argument—public Windows 11 versions show SYSTEM-level results after running the PoC, while the latest Insider Canary build breaks the same path.

BleepingComputer reached out to Microsoft about this additional zero-day and said it would update if it receives a response.

The MiniPlasma release is also part of a broader sequence of Windows zero-day disclosures. Over the past several weeks, Chaotic Eclipse has published a string of them that began in April with BlueHammer, a Windows local privilege escalation flaw tracked as CVE-2026-33825. That was followed by another privilege escalation vulnerability, RedSun, and a Windows Defender denial-of-service tool, UnDefend.

After disclosure, all three were reportedly spotted being exploited in attacks. Chaotic Eclipse says Microsoft silently patched the RedSun issue without assigning it a CVE identifier.

This month, the researcher released two additional exploits: YellowKey and GreenPlasma. YellowKey is described as a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025, spawning a command shell that gives access to unlocked drives protected by TPM-only BitLocker configurations. GreenPlasma is named alongside these releases but, in the provided report, additional details weren’t included.

In explaining the motivation behind publicly disclosing these Windows zero-days, Chaotic Eclipse said the disclosures were made in protest of Microsoft’s bug bounty and vulnerability-handling process. The researcher alleged that Microsoft responded in ways that made the work—and its consequences—feel personal: “Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I’m not sure if I was the only one who had this horrid experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything,” the researcher claimed. “They mopped the floor with me and pulled every childish game they could. It was so bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.”

Microsoft previously told BleepingComputer that it supports coordinated vulnerability disclosure and is committed to investigating reported security issues and protecting customers through updates.
