MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems

A newly demonstrated Windows zero-day vulnerability, dubbed MiniPlasma, has raised serious security concerns after being shown to grant attackers SYSTEM-level privileges even on fully patched machines. The flaw affects a core Windows component and appears to remain unresolved despite earlier mitigation efforts by Microsoft.

Previously Reported Flaw Still Appears Unpatched

The vulnerability was highlighted by security researcher Chaotic Eclipse, who is also known for uncovering other Windows issues such as YellowKey and GreenPlasma. According to the researcher, MiniPlasma resides within the Windows Cloud Files Mini Filter Driver (cldflt.sys), specifically in a function called HsmOsBlockPlaceholderAccess.

Interestingly, the issue was originally reported back in 2020 by James Forshaw of Google Project Zero. At the time, Microsoft addressed a related issue under CVE-2020-17103 in December 2020, suggesting the problem had been resolved.

However, recent analysis indicates that the same underlying vulnerability may still exist in current Windows builds. Chaotic Eclipse stated that despite previous fixes, the behavior associated with the original exploit remains active in modern systems.

Proof-of-Concept Demonstrates SYSTEM Shell Access

To validate the issue, the researcher adapted the original proof-of-concept exploit and demonstrated that it can still be used to escalate privileges and launch a SYSTEM-level command shell.

The exploit relies on winning a race condition, so its success rate varies with system timing and load. When it does succeed, it reportedly yields a shell running as SYSTEM, which sits above a local administrator account in the Windows privilege hierarchy and gives complete control of the affected machine.

The researcher also noted uncertainty over whether Microsoft never fully patched the flaw, or whether a prior fix was unintentionally reverted or rendered ineffective by a later update.

Potentially Broad Impact Across Windows Versions

The researchers' findings suggest that multiple versions of Windows are affected, including systems that are fully updated with the latest security patches.

Independent confirmation came from security researcher Will Dormann, who reported that the exploit was able to reliably open a SYSTEM-level cmd.exe prompt on Windows 11 systems updated as recently as May 2026. However, he also observed that the exploit does not appear to work on some Windows Insider Canary builds, indicating possible partial remediation in experimental releases.

These observations raise concerns that the vulnerability may still be present in stable Windows branches while being inconsistently addressed across development channels.
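The observable in these reports is a shell running as SYSTEM whose parent process belongs to an ordinary user session. As an added example (not code from the article, the researchers, or Microsoft), the Python below scans Sysmon-style process-creation records for exactly that pattern. The key=value log layout, field names, process IDs and sample lines are constructed for this illustration and will need to be mapped onto your own telemetry; the heuristic itself is generic to any local privilege escalation that ends in a SYSTEM shell, not specific to cldflt.sys.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records (not real telemetry) in a Sysmon-like key=value layout.
# Lines 1-3: a normal service child and a normal user-launched cmd.exe.
# Lines 4-5: a medium-integrity user process spawning a SYSTEM cmd.exe, the
# pattern the article describes for the MiniPlasma proof-of-concept.
SAMPLE_LOG = """\
EventID=1 ProcessId=700 ParentProcessId=600 Image=C:\\Windows\\System32\\svchost.exe User=NT AUTHORITY\\SYSTEM IntegrityLevel=System
EventID=1 ProcessId=4100 ParentProcessId=900 Image=C:\\Windows\\explorer.exe User=CORP\\alice IntegrityLevel=Medium
EventID=1 ProcessId=4200 ParentProcessId=4100 Image=C:\\Windows\\System32\\cmd.exe User=CORP\\alice IntegrityLevel=Medium
EventID=1 ProcessId=4300 ParentProcessId=4100 Image=C:\\Users\\alice\\Downloads\\poc.exe User=CORP\\alice IntegrityLevel=Medium
EventID=1 ProcessId=4400 ParentProcessId=4300 Image=C:\\Windows\\System32\\cmd.exe User=NT AUTHORITY\\SYSTEM IntegrityLevel=System
"""


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    user: str
    integrity: str


# key=value pairs; a value runs until the next " key=" or end of line, so values
# containing spaces (e.g. "NT AUTHORITY\SYSTEM") survive intact.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

SYSTEM_USERS = {"nt authority\\system"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one process-creation record (EventID 1); other event types are ignored."""
    fields = dict(_KV.findall(line.strip()))
    if fields.get("EventID") != "1":
        return None
    return ProcEvent(
        pid=int(fields["ProcessId"]),
        ppid=int(fields["ParentProcessId"]),
        image=fields["Image"],
        user=fields["User"],
        integrity=fields["IntegrityLevel"],
    )


def find_escalated_shells(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (parent, child) pairs where a SYSTEM shell was created by a non-SYSTEM parent.

    SYSTEM processes are normally started by other SYSTEM processes (services.exe,
    svchost.exe, the Task Scheduler service), so a SYSTEM shell whose direct parent
    runs under a user account is the anomaly worth reviewing.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if child.user.lower() not in SYSTEM_USERS:
            continue
        if child.image.rsplit("\\", 1)[-1].lower() not in SHELLS:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or parent.user.lower() in SYSTEM_USERS:
            # Unknown parent (no context to judge) or normal SYSTEM-to-SYSTEM spawn.
            continue
        hits.append((parent, child))
    return hits


def scan_log(text: str) -> List[Tuple[ProcEvent, ProcEvent]]:
    events = [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]
    return find_escalated_shells(events)


if __name__ == "__main__":
    for parent, child in scan_log(SAMPLE_LOG):
        print(f"ALERT: {parent.image} ({parent.user}, pid {parent.pid}) spawned "
              f"{child.image} as {child.user} (pid {child.pid})")
```

Run against the constructed sample, the scan flags only the poc.exe to cmd.exe transition: the svchost.exe record is skipped because its parent is not in the log, and alice's own cmd.exe runs at her privilege level. Administrative tooling that deliberately creates SYSTEM processes from an elevated user context will also trip this rule, so allowlist known parent images rather than loosening the core condition, and treat the parent image path (here, a user's Downloads folder) as the first triage pivot.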

Related Security History and Microsoft Response

The cldflt.sys component has previously been a target of security fixes. In December 2025, Microsoft patched another elevation-of-privilege vulnerability in the same driver, tracked as CVE-2025-62221 with a CVSS score of 7.8. That flaw was reportedly exploited in real-world attacks by unknown threat actors before being addressed.

The resurfacing of a similar issue in the same component suggests ongoing security challenges in maintaining the integrity of Windows kernel-level drivers, particularly those handling file system and cloud integration features.

Security Implications

If fully confirmed and actively exploitable in the wild, MiniPlasma represents a high-risk vulnerability due to its ability to:

  • Escalate standard user privileges to SYSTEM level
  • Potentially bypass modern Windows security protections
  • Impact fully patched enterprise and consumer systems
  • Enable persistent malware deployment once exploited

Security experts caution that kernel-level privilege escalation flaws are especially dangerous because they can be chained with other exploits to achieve full system compromise.

Conclusion

The discovery of MiniPlasma underscores persistent challenges in securing deeply embedded Windows components. While Microsoft previously addressed related issues, evidence suggests that at least some aspects of the vulnerability may still remain exposed in current production systems.

As investigations continue, security teams are advised to closely monitor updates from Microsoft and apply any forthcoming patches immediately once released.
