Full Report
A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed "MiniPlasma" that lets attackers gain SYSTEM privileges on fully patched Windows systems. [...]
Analysis Summary
# Vulnerability: MiniPlasma Windows Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2020-17103 (Original identifier; currently utilized as a zero-day due to a regression or failed patch)
- **CVSS Score:** 7.8 (High) - *Based on original CVE-2020-17103 rating*
- **CWE:** CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:** Windows 10, Windows 11 (including Pro), and Windows Server (specific versions consistent with 2020-2026 releases). Confirmed working on May 2026 updates.
- **Configurations:** Systems utilizing the Cloud Filter driver (`cldflt.sys`). Note: The latest Windows 11 Insider Preview Canary build appears unaffected.
## Vulnerability Description
MiniPlasma is a local privilege escalation (LPE) vulnerability residing in the Windows Cloud Filter driver (`cldflt.sys`). Specifically, the flaw exists within the `HsmOsBlockPlaceholderAccess` routine. The vulnerability involves the abuse of the undocumented `CfAbortHydration` API, which allows a user to trigger the creation of arbitrary registry keys in the `.DEFAULT` user hive without proper access checks. By manipulating these registry keys, a local attacker with standard user privileges can execute code with SYSTEM-level authority.
## Exploitation
- **Status:** PoC available (Source code and executable released on GitHub); reported as exploited in the wild.
- **Complexity:** Low
- **Attack Vector:** Local
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Ability to modify system files and configurations)
- **Availability:** High (Ability to disable security features or crash the system)
## Remediation
### Patches
- **Official Patch:** As of May 17, 2026, there is no official patch for this specific re-emergence (zero-day status). While Microsoft released a fix for CVE-2020-17103 in December 2020, researchers have confirmed this patch is either missing or bypassed in current "fully patched" versions.
### Workarounds
- **Insider Preview:** Preliminary testing suggests that moving to the Windows 11 Insider Preview (Canary build) may mitigate the issue, though this is not recommended for production environments.
- **Restrict Local Access:** Since this is a Local Privilege Escalation flaw, strictly limiting physical and remote desktop access to trusted users is critical.
## Detection
- **Indicators of Compromise:**
- Unexpected creation or modification of registry keys within the `HKEY_USERS\.DEFAULT` hive.
- Identification of the `MiniPlasma` executable or similar unauthorized binaries performing API calls to `cldflt.sys`.
- **Detection Methods and Tools:**
- Monitor for unusual child processes spawned by standard user accounts that suddenly possess `NT AUTHORITY\SYSTEM` privileges.
- Use EDR/SIEM to flag calls to the undocumented `CfAbortHydration` API.
## References
- Microsoft Security Response Center (CVE-2020-17103): hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2020-17103
- Google Project Zero Original Report: hxxps[://]project-zero[.]issues[.]chromium[.]org/issues/42451192
- BleepingComputer Article: hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/
- Researcher GitHub (Nightmare Eclipse): hxxps[://]github[.]com/Nightmare-Eclipse