Security researchers have found a new way to exploit Windows for a full elevation of privileges to SYSTEM, and it works even on fully updated systems. An analyst using the pseudonym Chaotic Eclipse, also known as Nightmare Eclipse, has published both the source code and a compiled binary on GitHub for an exploit named MiniPlasma, which abuses a design flaw in the Windows Cloud Filter driver.
According to the researcher's write-up, the vulnerability lies in the cldflt.sys driver, specifically in the HsmOsBlockPlaceholderAccess routine. The same bug was first described in September 2020 by Google Project Zero researcher James Forshaw. Microsoft tracked it as CVE-2020-17103 and declared it fixed in the December 2020 cumulative updates.
Nevertheless, Chaotic Eclipse says the flaw is still present in current Windows builds. The researcher showed that the original Proof-of-Concept (PoC) exploit written by Google Project Zero ran successfully without any modification, which suggests that Microsoft either never put an effective regression test in place or inadvertently reverted the fix in a later release.
MiniPlasma was tested on a fully updated Windows 11 Pro system with the May 2026 security updates installed. Launched from a standard, unprivileged user account, the exploit spawned an interactive command prompt running as SYSTEM. Will Dormann, a vulnerability analyst at Tharros, independently confirmed that the exploit works against the latest public release of Windows 11, but noted that it does not reproduce on the Windows 11 Canary Insider preview builds.
Analysis of the exploit shows that MiniPlasma abuses the way the Windows Cloud Filter driver creates registry keys through the undocumented CfAbortHydration API. The original Google Project Zero report explained that the bug allows arbitrary registry keys to be created under the privileged .DEFAULT hive without any access-control check. That missing check is what turns the bug into a full privilege escalation.
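The observable symptom described above, a non-system account creating keys under HKU\.DEFAULT, is something a defender can look for in registry telemetry regardless of which bug produced it. The script below is an added example, not code from the article, from MiniPlasma's author or from Microsoft. It scans line-oriented registry-event records for writes into the .DEFAULT hive by accounts other than SYSTEM and the built-in service accounts. The record format, the Sysmon-style field names (UtcTime, EventType, User, Image, TargetObject) and every sample event are constructed for illustration; how a write that passes through a kernel driver is attributed to a user in a real collector must be checked against the collector in use.

```python
"""Detect registry key creation under HKU\\.DEFAULT by non-system accounts.

Added example: not code from the article, from MiniPlasma, or from Microsoft.
Record format and Sysmon-style field names (UtcTime, EventType, User, Image,
TargetObject) are assumed for illustration; sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Accounts that legitimately create keys under HKU\.DEFAULT
# (assumption: extend with environment-specific service accounts).
TRUSTED_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
_TRUSTED_UPPER = {a.upper() for a in TRUSTED_ACCOUNTS}

# The .DEFAULT hive root in the spellings different collectors emit,
# matched case-insensitively and followed by a subkey separator or end of string.
DEFAULT_HIVE = re.compile(
    r"^(?:HKU|HKEY_USERS|\\REGISTRY\\USER)\\\.DEFAULT(?:\\|$)",
    re.IGNORECASE,
)

# Registry operations that change state in the hive.
WATCHED_EVENTS = {"CreateKey", "SetValue", "DeleteKey", "RenameKey"}


@dataclass(frozen=True)
class Finding:
    utc_time: str
    user: str
    image: str
    target: str


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (constructed format) into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def is_suspicious(event: dict) -> bool:
    """True when a non-trusted account modifies the HKU\\.DEFAULT hive."""
    if event.get("EventType") not in WATCHED_EVENTS:
        return False
    if not DEFAULT_HIVE.match(event.get("TargetObject", "")):
        return False
    return event.get("User", "").upper() not in _TRUSTED_UPPER


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every record that trips is_suspicious()."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if is_suspicious(event):
            findings.append(Finding(
                utc_time=event.get("UtcTime", ""),
                user=event.get("User", ""),
                image=event.get("Image", ""),
                target=event.get("TargetObject", ""),
            ))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a system service populating the default profile.
    "UtcTime=2026-05-20 10:01:02.100|EventType=CreateKey"
    "|User=NT AUTHORITY\\SYSTEM|Image=C:\\Windows\\System32\\svchost.exe"
    "|TargetObject=HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
    # Benign: a user writing under their own SID-keyed hive, not .DEFAULT.
    "UtcTime=2026-05-20 10:01:03.200|EventType=CreateKey"
    "|User=LAB\\alice|Image=C:\\Windows\\explorer.exe"
    "|TargetObject=HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Example",
    # Anomalous: a standard user's process creating a key in the .DEFAULT hive.
    "UtcTime=2026-05-20 10:01:04.300|EventType=CreateKey"
    "|User=LAB\\alice|Image=C:\\Users\\alice\\Downloads\\tool.exe"
    "|TargetObject=HKU\\.DEFAULT\\Software\\Example",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.utc_time}  {f.user}  {f.image} -> {f.target}")
```

The rule is deliberately narrow: the .DEFAULT hive backs the SYSTEM profile, so in normal operation its keys are written by system services, and any write there by an interactive user's process is worth a look. Tune TRUSTED_ACCOUNTS to the service accounts present in the environment rather than allow-listing image paths, which an unprivileged process can mimic.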
MiniPlasma is the latest in a rapid series of Windows exploits that Chaotic Eclipse has released in recent weeks. In April the researcher disclosed BlueHammer, a local privilege escalation tracked as CVE-2026-33825, followed by RedSun, another privilege escalation bug, and UnDefend, a tool that performs a local Denial of Service (DoS) against Microsoft Defender. All three were observed being used in active attacks shortly after they were published. The researcher says Microsoft silently patched the RedSun vulnerability without assigning it a CVE.
In May, Chaotic Eclipse followed up with YellowKey and GreenPlasma. YellowKey is described as a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025. The tool opens a command shell with full access to encrypted volumes, provided BitLocker is configured with a Trusted Platform Module (TPM) protector alone and no additional authentication factor.
Chaotic Eclipse attributes the string of public disclosures to an escalating dispute with Microsoft, citing dissatisfaction with the company's bug bounty program and vulnerability triage process. Microsoft has long said it supports coordinated vulnerability disclosure and reviews submitted reports to protect customers through coordinated update releases.