A security researcher has published a working exploit for a previously unpatched Windows privilege escalation flaw called “MiniPlasma.” This exploit allows attackers to gain full SYSTEM-level access on Windows systems that are completely up to date with the latest security patches.
The exploit was shared by a researcher who goes by the name Chaotic Eclipse, also known as Nightmare Eclipse. They uploaded both the source code and a pre-compiled version on GitHub. The researcher claims Microsoft did not properly fix a vulnerability that was originally reported back in 2020.
According to the researcher, the weakness lies in the ‘cldflt.sys’ Cloud Filter driver and a specific function within it called ‘HsmOsBlockPlaceholderAccess’. This flaw was first reported to Microsoft in September 2020 by James Forshaw, a researcher at Google Project Zero.
At the time, Microsoft assigned it the identifier CVE-2020-17103 and reportedly released a fix in December 2020.
“After digging into it, the exact same problem Google Project Zero reported to Microsoft is actually still there, unfixed,” explained Chaotic Eclipse.
“I’m not sure if Microsoft simply never patched it correctly or if the fix was quietly undone at some point for unknown reasons. The original proof-of-concept from Google worked straight away without any modifications.”
BleepingComputer tested the exploit on a fully updated Windows 11 Pro system with the May 2026 Patch Tuesday updates applied. In their test, running the exploit from a regular, non-administrator account opened a command prompt with full SYSTEM-level access.
Will Dormann, a principal vulnerability analyst at Tharros, also verified that the exploit functions on the current public release of Windows 11. However, he noted that it does not appear to work on the newest Windows 11 Insider Preview Canary version.
The exploit appears to take advantage of how the Windows Cloud Filter driver processes registry key creation through an undocumented API called CfAbortHydration. Forshaw’s initial report described how this flaw could allow arbitrary registry keys to be created within the .DEFAULT user hive without proper access validation, which could potentially be leveraged for privilege escalation.
Although Microsoft says the bug was fixed during its December 2020 Patch Tuesday, Chaotic Eclipse contends the vulnerability remains exploitable today.
BleepingComputer reached out to Microsoft for comment on this newly disclosed zero-day and will update this article when a response is received.
Who is behind the recent wave of Windows zero-day disclosures?
“MiniPlasma” is the latest in a series of Windows zero-day vulnerabilities published by this researcher in recent weeks.
The series of disclosures started in April with BlueHammer, a local privilege escalation flaw tracked as CVE-2026-33825. This was followed by RedSun, another privilege escalation weakness, and UnDefend, a tool that can trigger a Windows Defender denial-of-service.
After being made public, all three were observed being actively used in real-world attacks. According to the researcher, Microsoft silently fixed the RedSun issue without assigning it an official CVE number.
This month, the researcher also made two additional exploits public: YellowKey and GreenPlasma.
YellowKey is a BitLocker bypass that affects Windows 11 and Windows Server 2022/2025. It opens a command shell that provides access to drives protected by BitLocker configurations that rely solely on TPM without additional authentication.
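To find machines in the configuration YellowKey is described as affecting, here is an added PowerShell example (not from the article or the researcher) that lists BitLocker volumes unlocking with the TPM alone. `Get-TpmOnlyFinding` is a hypothetical helper name and the sample volumes are constructed; the check also flags suspended protection and auto-unlocked data volumes, which goes slightly beyond the TPM-only case in the text.

```powershell
# Added example: inventory BitLocker volumes that unlock with the TPM alone.
# Get-TpmOnlyFinding is a hypothetical helper; it accepts objects shaped like
# Get-BitLockerVolume output so it also runs on the constructed sample below.
function Get-TpmOnlyFinding {
    param([Parameter(Mandatory)][object[]]$Volume)

    foreach ($v in $Volume) {
        # Normalise enum values to strings so live and sample objects compare alike
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $finding = $null

        if ([string]$v.VolumeType -eq 'OperatingSystem') {
            if ([string]$v.ProtectionStatus -ne 'On') {
                $finding = 'Protection is off or suspended'
            } elseif ($types -contains 'Tpm') {
                # A plain Tpm protector releases the key at boot without PIN or startup key
                $finding = 'TPM-only unlock, no pre-boot authentication'
            }
        } elseif ($v.AutoUnlockEnabled) {
            # An auto-unlocked data volume is only as protected as the OS volume
            $finding = 'Data volume auto-unlocks with the OS volume'
        }

        if ($finding) {
            [pscustomobject]@{
                MountPoint = $v.MountPoint
                Protectors = $types -join ', '
                Finding    = $finding
            }
        }
    }
}

# Constructed sample input (not taken from real hosts)
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        AutoUnlockEnabled = $null
        KeyProtector = @(@{ KeyProtectorType = 'Tpm' }, @{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'; ProtectionStatus = 'On'
        AutoUnlockEnabled = $true
        KeyProtector = @(@{ KeyProtectorType = 'ExternalKey' }) }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        AutoUnlockEnabled = $null
        KeyProtector = @(@{ KeyProtectorType = 'TpmPin' }, @{ KeyProtectorType = 'RecoveryPassword' }) }
)
Get-TpmOnlyFinding -Volume $sample | Format-Table -AutoSize
```

On a live system, run it from an elevated prompt as `Get-TpmOnlyFinding -Volume (Get-BitLockerVolume)`.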
Chaotic Eclipse has stated that they are publicly releasing these Windows zero-days as a form of protest against Microsoft’s bug bounty program and how the company handles reported vulnerabilities.
“Normally, I would go through the usual steps of pleading with them to fix a bug. But to sum it up, they personally told me they would ruin my life, and they followed through. I don’t know if I was the only one who had this awful experience, or if others went through it too, but I think most people would just accept it and move on. They took everything from me,” the researcher claimed.
“They did everything they could to make things worse. At one point, I couldn’t tell if I was dealing with a huge corporation or someone just enjoying watching me suffer. It felt like a deliberate group effort.”
Microsoft previously told BleepingComputer that it supports coordinated vulnerability disclosure and is dedicated to investigating reported security issues and protecting customers through regular updates.




