INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Chaotic Eclipse Releases MiniPlasma Zero-Day Exploit
2026-05-18 08:13 | CRITICAL | HIGH
Executive Summary (AI-generated)
Security researcher Chaotic Eclipse has released a proof-of-concept exploit for MiniPlasma, a Windows local privilege escalation zero-day that grants SYSTEM privileges on fully patched Windows 11 systems. The flaw sits in cldflt.sys, the Windows Cloud Files Mini Filter Driver, in the HsmOsBlockPlaceholderAccess routine, and the exploit abuses how the driver handles registry key creation through the undocumented CfAbortHydration API. It is the same issue that James Forshaw of Google Project Zero reported to Microsoft in September 2020 and that Microsoft reportedly fixed as CVE-2020-17103 in December 2020; Forshaw's original PoC works again without modification, which points to a fix that was lost or undone in later builds. Will Dormann (Tharros) and BleepingComputer confirmed the exploit on Windows 11 with the May 2026 updates; Dormann noted it does not work on the latest Insider Preview Canary build, suggesting a fix may be in progress there. MiniPlasma follows the same researcher's April disclosures (BlueHammer, tracked as CVE-2026-33825, plus RedSun and UnDefend), which Huntress observed being exploited within days, and the May disclosures YellowKey (a BitLocker bypass through WinRE) and GreenPlasma (a CTFMON privilege escalation). Microsoft separately patched another exploited privilege escalation flaw in the same driver, CVE-2025-62221, in December 2025.
Technical Mitigations (AI-generated)
* Patch status: at disclosure there is no fix for MiniPlasma in production Windows builds; the exploit fails only on the Insider Preview Canary build, which suggests a fix may be on its way. Track Microsoft's advisory for cldflt.sys and deploy the update as soon as it ships, and confirm that the December 2025 update for CVE-2025-62221, a separate exploited flaw in the same driver, is installed everywhere.
* Verify fixes rather than trusting patch notes: MiniPlasma is a 2020 bug (CVE-2020-17103) that Microsoft reported fixed, yet Forshaw's original PoC still works. When a new cldflt.sys fix arrives, re-run the public PoC in an isolated test VM before considering the fleet covered.
* Reduce the value of local code execution: MiniPlasma, BlueHammer, RedSun and GreenPlasma are local privilege escalations, so the attacker must already run code as a local user. Application control (for example WDAC or AppLocker) and blocking the published PoC binaries raise the cost of that first foothold.
* Detect the post-exploitation shape: alert on cmd.exe or powershell.exe running as SYSTEM whose parent process ran as an ordinary user, and on registry key creation under HKU\.DEFAULT by non-SYSTEM processes (Forshaw's 2020 report described arbitrary key creation in the .DEFAULT user hive without access checks). Huntress saw BlueHammer, RedSun and UnDefend exploited within days of release, so treat a public PoC as already in use.
* Harden BitLocker against YellowKey: the bypass targets TPM-only configurations and needs physical access through WinRE, so add a pre-boot PIN or startup key to the TPM protector on devices that can be lost or stolen (an inference from the affected configuration, not a vendor recommendation).
* Isolate high-value workloads: keep sensitive services on dedicated hosts or VMs where untrusted users cannot run code at all, so a privilege escalation on a shared workstation does not turn into control of those systems.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-33825
CVE-2020-17103
CVE-2025-62221
Target & Sectors
Global Scope
Incident Timeline
May 2026
Chaotic Eclipse re-investigated the technique used in GreenPlasma and found that cldflt!HsmOsBlockPlaceholderAccess is still affected by the issue James Forshaw reported to Microsoft in 2020.
vulnerability
GreenPlasma
“After re-investigating the technique used in GreenPlasma (specifically SetPolicyVal), it turns out cldflt!HsmOsBlockPlaceholderAccess is still vulnerable to the exact same issue that was reported to Microsoft 6 years ago.”
September 2020
Google Project Zero researcher James Forshaw reported the vulnerability in the Cloud Filter driver, cldflt.sys, to Microsoft.
organisation
Google Project Zero
Google Project Zero researcher James Forshaw originally reported the vulnerability to Microsoft in September 2020.
observable
cldflt.sys
According to the researcher, the flaw impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.
December 2020
Microsoft shipped a fix for the flaw as CVE-2020-17103 in the December 2020 Patch Tuesday; Chaotic Eclipse now says the same issue is still present.
vulnerability
CVE-2020-17103
At the time, the flaw was assigned the CVE-2020-17103 identifier and reportedly fixed in December 2020.
organisation
Chaotic Eclipse
Although it was assumed that the shortcoming was fixed by Microsoft in December 2020 as part of CVE-2020-17103, Chaotic Eclipse said further investigation has uncovered that the "exact same issue [...] is actually still present, unpatched."
organisation
Microsoft
While Microsoft reports having fixed the bug as part of its December 2020 Microsoft Patch Tuesday, Chaotic Eclipse now claims the vulnerability can still be exploited.
December 2025
Microsoft patched another privilege escalation flaw in the same driver, CVE-2025-62221, which it identified as exploited in the wild.
tactic
Privilege Escalation
vulnerability
CVE-2025-62221
In December 2025, Microsoft also addressed another privilege escalation flaw in the same component (CVE-2025-62221, CVSS score: 7.8), which it identified as exploited by unknown threat actors.
April 10, 2026
Attackers began using BlueHammer on April 10, within days of its public release.
April 16, 2026
Attackers then moved on to the proof-of-concept code for RedSun and UnDefend.
May 2026
Chaotic Eclipse released GreenPlasma, a privilege escalation zero-day in the Windows Collaborative Translation Framework (the CTFMON subsystem) affecting Windows 11 and Windows Server 2022/2026.
tactic
Privilege Escalation
The second flaw in that pair, GreenPlasma, targets the Windows Collaborative Translation Framework — the CTFMON subsystem, and enables privilege escalation on Windows 11 and Windows Server 2022/2026 by creating arbitrary memory section objects inside directories writable by SYSTEM.
infrastructure
Windows Collaborative Translation Framework (CTFMON)
tactic
T1068 - Exploitation for Privilege Escalation
May 2026
Chaotic Eclipse released YellowKey, a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 (Windows 10 is not affected): with physical access, it spawns a command shell from the Windows Recovery Environment with access to drives protected by TPM-only BitLocker configurations, which the TPM unlocks automatically at boot.
infrastructure
Windows
YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that spawns a command shell that gives access to unlocked drives protected by TPM-only BitLocker configurations.
What is known is that the flaw works, that it affects Windows 11 and Server 2022/2025, and that Windows 10 is not affected, a distinction that itself raises questions without obvious answers.
“Also for whatever reason, only Windows 11 (+Server 2022/2025) are affected, Windows 10 is not.”
infrastructure
BitLocker
YellowKey is a BitLocker bypass issue that affects Windows 11 and Windows Server 2022/2025 systems.
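Added example, not from the source articles or from the researcher's code: an audit that flags BitLocker volumes relying on a TPM-only protector, the configuration YellowKey is reported to bypass. The volume records are constructed; the protector names mirror the KeyProtectorType values that PowerShell's Get-BitLockerVolume reports (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, ExternalKey, RecoveryPassword), and the treatment of data-volume auto-unlock as an ExternalKey protector whose key lives on the OS volume is an assumption about that mechanism rather than something the page states.

```python
"""Audit constructed BitLocker volume records for TPM-only protection.

A TPM-only OS volume is unsealed automatically at boot, so anything that gets a
shell inside the boot chain (the WinRE path YellowKey uses) reaches the data.
A PIN or startup key means the TPM will not release the key without a secret the
attacker does not have. Protector names follow the KeyProtectorType values that
Get-BitLockerVolume reports; every record below is constructed for the example.
"""

from dataclasses import dataclass
from typing import Dict, List

# Protectors that need something from the user before the OS volume unlocks.
PREBOOT_SECRET = {"TpmPin", "TpmStartupKey", "TpmPinStartupKey", "Password"}


@dataclass
class Volume:
    mount_point: str
    volume_type: str        # "OperatingSystem" or "Data"
    protection_status: str  # "On" or "Off"
    protectors: List[str]   # KeyProtectorType names present on the volume


def tpm_only(v: Volume) -> bool:
    """True when the TPM alone releases the key at boot: no PIN, no startup key."""
    types = set(v.protectors)
    return "Tpm" in types and not (types & PREBOOT_SECRET)


def audit(volumes: List[Volume]) -> Dict[str, str]:
    """Return a verdict per mount point.

    Data volumes set to auto-unlock carry an ExternalKey protector whose key is
    stored on the OS volume (assumption about the mechanism), so they inherit
    the OS volume's exposure.
    """
    os_exposed = any(
        v.volume_type == "OperatingSystem" and v.protection_status == "On" and tpm_only(v)
        for v in volumes
    )
    verdicts: Dict[str, str] = {}
    for v in volumes:
        if v.protection_status != "On":
            verdicts[v.mount_point] = "protection off"
        elif v.volume_type == "OperatingSystem":
            verdicts[v.mount_point] = "TPM-only" if tpm_only(v) else "ok"
        elif "ExternalKey" in v.protectors and os_exposed:
            verdicts[v.mount_point] = "auto-unlock keyed to a TPM-only OS volume"
        else:
            verdicts[v.mount_point] = "ok"
    return verdicts


# Constructed inventories: a default deployment and a hardened one.
DEFAULT_DEPLOYMENT = [
    Volume("C:", "OperatingSystem", "On", ["Tpm", "RecoveryPassword"]),
    Volume("D:", "Data", "On", ["ExternalKey", "RecoveryPassword"]),
    Volume("E:", "Data", "Off", []),
]
HARDENED_DEPLOYMENT = [
    Volume("C:", "OperatingSystem", "On", ["TpmPin", "RecoveryPassword"]),
    Volume("D:", "Data", "On", ["ExternalKey", "RecoveryPassword"]),
]

if __name__ == "__main__":
    for name, inventory in (("default", DEFAULT_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(name, audit(inventory))
```

To run this against real hosts, export MountPoint, VolumeType, ProtectionStatus and the KeyProtectorType list of each KeyProtector from Get-BitLockerVolume and build the Volume records from that output; the verdict "TPM-only" on an OS volume is the condition to fix by adding a PIN or startup key.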
May 18, 2026
Chaotic Eclipse released a proof-of-concept exploit for MiniPlasma, a Windows zero-day that grants attackers SYSTEM privileges on fully patched systems.
tactic
Privilege Escalation
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems (The Hacker News, Ravie Lakshmanan, May 18, 2026, Zero Day / Vulnerability).
Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems.
May 18, 2026
Chaotic Eclipse, also known as Nightmare Eclipse, published MiniPlasma's source code and a compiled executable on GitHub.
2026/05/18
The exploit works on the latest public version of Windows 11.
infrastructure
Windows
Chaotic Eclipse discloses MiniPlasma zero-day, suggesting a missing or undone 2020 Windows security fix.
MiniPlasma: a Windows SYSTEM privilege escalation believed patched in 2020 (CVE-2020-17103) is still fully working on every patched Windows 11.
Once again, security researcher Chaotic Eclipse has released a proof-of-concept exploit for a new Windows privilege escalation zero-day called MiniPlasma, which can grant attackers SYSTEM privileges on fully patched systems.
The disclosure spree began in April with BlueHammer, a Windows local privilege escalation flaw tracked as CVE-2026-33825, followed by another privilege escalation vulnerability, RedSun, and a Windows Defender DoS tool, UnDefend. Then came YellowKey and GreenPlasma, two more Windows zero-days disclosed by the same researcher and reported by Security Affairs. In the span of a few weeks, this individual has published working exploit code for five separate Windows vulnerabilities, some previously unknown, some believed to have been patched years ago but apparently still very much alive.
Chaotic Eclipse's argument is based on something concrete: Microsoft originally fixed CVE-2020-17103 back in 2020, yet parts of that fix now seem to be missing in newer Windows builds. The flaw affects "cldflt.sys," the Windows Cloud Files Mini Filter Driver, specifically within the "HsmOsBlockPlaceholderAccess" routine. The exploit appears to abuse how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. “I believe all Windows versions are affected by this vulnerability.”
Will Dormann, principal vulnerability analyst at Tharros, independently confirmed the result: MiniPlasma opens a cmd.exe prompt with SYSTEM privileges on Windows 11 running the latest patches. He noted it does not work on the Insider Preview Canary build, which suggests Microsoft may be addressing it there, but that provides little comfort to the hundreds of millions of users running production Windows 11 builds. “I’ll note that it does not seem to work on the latest Insider Preview Canary Windows 11.”
Mysteriously, a patch reportedly confirmed in 2020 appears to have disappeared. The issue goes beyond delayed updates and raises broader concerns about the reliability and completeness of Windows patch management, leaving organizations questioning whether fully patched systems are truly secure. Even if MiniPlasma is not trivial to exploit consistently, the fact that Windows runs on billions of devices means that any reliable exploit immediately becomes high risk.
YellowKey allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE). What makes this flaw particularly unsettling is not just its functionality but also the researcher's commentary on its origins: the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality. “The component that is responsible for this bug is not present anywhere (even on the internet) except inside the WinRE image, and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal Windows installation but without the functionalities that trigger the BitLocker bypass issue.”
New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released (BleepingComputer).
[Image: MiniPlasma exploit successfully gave Windows SYSTEM privileges. Source: BleepingComputer]
Researcher behind the recent string of Windows zero-days
MiniPlasma is the latest in a string of Windows zero-day disclosures published by the researcher over the past several weeks. Chaotic Eclipse has previously stated that they are publicly disclosing these Windows zero-days in protest of Microsoft's bug bounty and vulnerability-handling process.
vulnerability
MiniPlasma
Codenamed MiniPlasma, the vulnerability impacts "cldflt.sys," which refers to the Windows Cloud Files Mini Filter Driver, and resides in a routine named "HsmOsBlockPlaceholderAccess." The researcher further pointed out that all Windows versions are likely affected by this vulnerability.
person
James Forshaw
Forshaw's original report said that the flaw could allow arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, potentially enabling privilege escalation.
The original proof-of-concept code published by Forshaw worked without modification.
vulnerability
CVE-2026-33825 (BlueHammer)
The disclosure spree began in April with BlueHammer, a Windows local privilege escalation flaw tracked as CVE-2026-33825, followed by another privilege escalation vulnerability, RedSun, and a Windows Defender DoS tool, UnDefend.
BlueHammer and RedSun let attackers escalate privileges locally in Microsoft Defender. According to the researcher, Microsoft silently patched the RedSun issue without assigning it a CVE identifier.
organisation
Huntress
Within days of the public release, Huntress researchers observed real-world exploitation of all three.
organisation
Google Project Zero
“I’m not taking full credit for this, James Forshaw from Google Project Zero found the vulnerability and reported it to Microsoft and was supposedly fixed as CVE-2020-17103.”
"After investigating, it turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched. The original PoC by Google worked without any changes," the researcher added.
organisation
Nightmare-Eclipse (GitHub)
The exploit was published by a researcher known as Chaotic Eclipse, or Nightmare Eclipse, who released both the source code and a compiled executable on GitHub after claiming that Microsoft failed to properly patch a previously reported 2020 vulnerability.
They operate under a pseudonym, maintain a GitHub repository under the handle Nightmare-Eclipse, and communicate through a blog and occasional social media posts.
“New from Nightmare-Eclipse, we have MiniPlasma
vulnerability
YellowKey
The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.
Source: Pierluigi Paganini, SecurityAffairs (hacking, MiniPlasma).
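Added example, not from the source articles or from the researcher's PoC: a hunt over Sysmon-style telemetry for the two side effects this page describes, a SYSTEM cmd.exe whose parent ran as an ordinary user (what Dormann and BleepingComputer observed when running the exploit) and a registry key created under HKU\.DEFAULT by a non-SYSTEM process (the access-check gap in Forshaw's 2020 report). It is the check behind the "monitor system logs" mitigation above. The event records are constructed; the field names follow Sysmon event IDs 1 (process create) and 12 (registry object create), and it is an assumption, not something the page states, that Sysmon attributes the key creation to the user-mode process that called into the filter driver.

```python
"""Hunt constructed Sysmon-style events for privilege-escalation side effects.

Two signals: (1) a shell running as SYSTEM whose parent ran as a normal user,
and (2) a registry key created under HKU\\.DEFAULT (the SYSTEM account's user
hive) by a process that is not SYSTEM. Every record below is constructed.
"""

from dataclasses import dataclass
from typing import List, Optional

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DEFAULT_HIVE_PREFIX = "HKU\\.DEFAULT\\"
# Parents that legitimately start SYSTEM processes; used only when ParentUser is absent.
TRUSTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "winlogon.exe", "msiexec.exe"}


@dataclass
class SysmonEvent:
    """Minimal model of a Sysmon record; fields an event ID does not use stay empty."""
    event_id: int            # 1 = ProcessCreate, 12 = RegistryEvent (object create/delete)
    image: str               # process performing the action
    user: str                # account the process runs as
    parent_image: str = ""   # EID 1 only
    parent_user: str = ""    # EID 1 only (ParentUser exists in Sysmon 13 and later)
    target_object: str = ""  # EID 12 only, full registry path
    event_type: str = ""     # EID 12 only: CreateKey or DeleteKey


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system(user: str) -> bool:
    return user.strip().upper() == SYSTEM_ACCOUNT


def flag_system_shell(e: SysmonEvent) -> Optional[str]:
    """A SYSTEM shell whose parent ran as a user: the privilege boundary was
    crossed inside the parent, which is what a local privilege escalation looks like."""
    if e.event_id != 1 or basename(e.image) not in SHELLS or not is_system(e.user):
        return None
    if e.parent_user:
        crossed = not is_system(e.parent_user)
    else:
        # Older Sysmon without ParentUser: fall back to a parent allow-list.
        crossed = basename(e.parent_image) not in TRUSTED_SYSTEM_PARENTS
    if not crossed:
        return None
    return (f"SYSTEM shell {basename(e.image)} spawned by {e.parent_image} "
            f"(parent user: {e.parent_user or 'unknown'})")


def flag_default_hive_write(e: SysmonEvent) -> Optional[str]:
    """Key creation under HKU\\.DEFAULT attributed to a non-SYSTEM process;
    ordinary user processes have no business writing into that hive."""
    if e.event_id != 12 or e.event_type != "CreateKey":
        return None
    if not e.target_object.upper().startswith(DEFAULT_HIVE_PREFIX.upper()):
        return None
    if is_system(e.user):
        return None
    return f"{e.user} created {e.target_object} via {basename(e.image)}"


def hunt(events: List[SysmonEvent]) -> List[str]:
    findings: List[str] = []
    for e in events:
        for check in (flag_system_shell, flag_default_hive_write):
            hit = check(e)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not real captures); "poc.exe" is a placeholder name.
SAMPLE_EVENTS = [
    SysmonEvent(1, r"C:\Windows\System32\cmd.exe", SYSTEM_ACCOUNT,
                parent_image=r"C:\Users\alice\Downloads\poc.exe", parent_user=r"CORP\alice"),
    SysmonEvent(1, r"C:\Windows\System32\cmd.exe", SYSTEM_ACCOUNT,
                parent_image=r"C:\Windows\System32\svchost.exe", parent_user=SYSTEM_ACCOUNT),
    SysmonEvent(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\alice",
                parent_image=r"C:\Windows\explorer.exe", parent_user=r"CORP\alice"),
    SysmonEvent(1, r"C:\Windows\System32\cmd.exe", SYSTEM_ACCOUNT,
                parent_image=r"C:\Windows\System32\services.exe"),
    SysmonEvent(12, r"C:\Users\alice\Downloads\poc.exe", r"CORP\alice",
                target_object=r"HKU\.DEFAULT\Software\Constructed\Test", event_type="CreateKey"),
    SysmonEvent(12, r"C:\Windows\explorer.exe", r"CORP\alice",
                target_object=r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Constructed", event_type="CreateKey"),
    SysmonEvent(12, r"C:\Windows\System32\svchost.exe", SYSTEM_ACCOUNT,
                target_object=r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion", event_type="CreateKey"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print("HIT:", line)
```

Both checks are hunting queries rather than high-fidelity alerts: scheduled tasks and installers can produce SYSTEM shells from trusted parents, which is why the parent-user crossing (or the allow-list fallback) is the discriminator rather than the child image alone.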
May 2026
Will Dormann and BleepingComputer independently confirmed that MiniPlasma reliably opens a cmd.exe prompt with SYSTEM privileges on fully patched Windows 11 systems running the May 2026 updates.
infrastructure
Windows
BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates.
observable
cmd.exe
In a post shared on Mastodon, security researcher Will Dormann said MiniPlasma works "reliably" to open a "cmd.exe" prompt with SYSTEM privileges on Windows 11 systems running the latest May 2026 updates.
Tactical Metrics
infrastructure
Windows
Affected Product
MiniPlasma: the researcher believes all Windows versions are affected; confirmed on fully patched Windows 11 with the May 2026 updates, not reproducible on the Insider Preview Canary build.
YellowKey: Windows 11 and Windows Server 2022/2025; Windows 10 is not affected.
GreenPlasma: Windows 11 and Windows Server 2022/2026.
Intelligence Sources
The Hacker News
2026-05-18
BleepingComputer
2026-05-17
Security Affairs
2026-05-18
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-26T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
35x
vulnerability
Identified Entity
MiniPlasma
12x
timeline
Temporal Reference
2020
3x
vulnerability
Related CVE
CVE-2020-17103
Contextual Telemetry
tactic
Cyber Operation Type
Privilege Escalation
infrastructure
Affected Product
Windows
tactic
MITRE ATT&CK Technique
T1068 - Exploitation for Privilege Escalation