MiniPlasma Zero-Day Exploit Allegedly Gives SYSTEM Access on Fully Patched Windows 11
The exploit reportedly fails on Canary builds
A security researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day called MiniPlasma, raising fresh concerns about the security of fully patched Windows systems.
According to reports highlighted by Bleeping Computer, the exploit allegedly allows attackers to gain SYSTEM privileges on Windows devices by abusing a flaw inside the Windows Cloud Filter driver, cldflt.sys.
The researcher behind the release, known online as Chaotic Eclipse or Nightmare Eclipse, published both the exploit source code and a compiled executable publicly on GitHub. The release quickly attracted attention because the vulnerability appears connected to an older flaw Microsoft previously claimed to have fixed.
Vulnerability tied to older Windows flaw
The issue reportedly affects the HsmOsBlockPlaceholderAccess routine inside the Windows Cloud Filter driver.
Chaotic Eclipse claims the vulnerability remains exploitable even on fully updated Windows systems. The flaw appears linked to a vulnerability originally reported by Google Project Zero researcher James Forshaw in September 2020.
That earlier issue was tracked as CVE-2020-17103, and Microsoft said it fixed the bug in December 2020. However, the newly released MiniPlasma proof-of-concept suggests the vulnerability may still exist in some form.
Researcher says original exploit still works
Chaotic Eclipse claims the original Google Project Zero proof-of-concept continues to work without modifications years later.
The researcher said it remains unclear whether Microsoft’s original patch never fully resolved the flaw or whether a later update accidentally reintroduced the vulnerable behavior.
The exploit allegedly abuses how the Cloud Filter driver handles registry key creation through the undocumented CfAbortHydration API.
Forshaw’s original research claimed attackers could create arbitrary registry keys inside the .DEFAULT user hive without proper access checks. That behavior could potentially allow local attackers to escalate privileges to SYSTEM level.
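A defender-side check for the behavior described above, as an added example that is not from the original article or the researcher's release: it scans registry key-creation events for keys created under the .DEFAULT hive by an account other than SYSTEM. It assumes telemetry shaped like Sysmon Event ID 12 exported as JSON lines, and that such events are attributed to the calling user; the sample events are constructed.

```python
import json

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# HKU\.DEFAULT is the LocalSystem profile hive; HKU\S-1-5-18 names the same hive.
WATCHED_PREFIXES = tuple(p.upper() for p in ("HKU\\.DEFAULT\\", "HKU\\S-1-5-18\\"))

# Constructed sample events (not real telemetry), one JSON object per line,
# using Sysmon-style field names. The last line is deliberately malformed.
SAMPLE_LOG = r"""
{"EventID": 12, "EventType": "CreateKey", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Example"}
{"EventID": 12, "EventType": "CreateKey", "User": "LAB\\alice", "Image": "C:\\Users\\alice\\Downloads\\tool.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Constructed"}
{"EventID": 12, "EventType": "CreateKey", "User": "LAB\\alice", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\App"}
{"EventID": 12, "EventType": "DeleteKey", "User": "LAB\\alice", "Image": "C:\\Users\\alice\\x.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Old"}
{"EventID": 12, "EventType": "CreateKey", "User": "lab\\bob", "Image": "C:\\Temp\\y.exe", "TargetObject": "hku\\s-1-5-18\\Software\\Constructed2"}
not-json line
"""

def suspicious_default_hive_creates(log_text):
    """Return (user, image, key) for key creations in the SYSTEM hive by a non-SYSTEM user."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        if ev.get("EventID") != 12 or ev.get("EventType") != "CreateKey":
            continue
        target = str(ev.get("TargetObject", ""))
        user = str(ev.get("User", ""))
        # Registry paths and account names are case-insensitive on Windows.
        if target.upper().startswith(WATCHED_PREFIXES) and user.upper() != SYSTEM_USER.upper():
            hits.append((user, ev.get("Image"), target))
    return hits

if __name__ == "__main__":
    for user, image, key in suspicious_default_hive_creates(SAMPLE_LOG):
        print(f"ALERT user={user} image={image} key={key}")
```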
Security researchers confirm exploit behavior
Vulnerability analyst Will Dormann reportedly tested the exploit and confirmed it works on the latest public Windows 11 release.
Interestingly, reports suggest the exploit does not work on the newest Windows 11 Insider Preview Canary builds. That detail has sparked speculation that Microsoft may already have an internal fix in testing.
Microsoft has not publicly responded to the latest claims surrounding MiniPlasma at the time of writing.
Windows privilege escalation exploits continue surfacing
The MiniPlasma disclosure arrives during a period of increased attention around Windows privilege escalation flaws and bypass techniques.
Recent cybersecurity reports covered BitLocker bypass tools, the YellowKey exploit, the GreenPlasma exploit, and allegations that Microsoft silently patched an Azure Backup for AKS vulnerability without issuing a public CVE.
The continued appearance of kernel-level privilege escalation research highlights how attackers and researchers remain heavily focused on core Windows system components and driver behavior.