A working proof-of-concept exploit that hands attackers SYSTEM-level privileges on fully patched Windows 11 has been live on GitHub since May 13. Within five days the repository pulled in more than 440 stars, and an independent vulnerability analyst confirmed the code spawns a SYSTEM shell on machines running the May 2026 cumulative update.
The strange part: the underlying flaw was supposed to have been fixed in December 2020. The Cloud Filter driver bug Microsoft assigned CVE-2020-17103 (Common Vulnerabilities and Exposures, the public identifier registry for security flaws) is the same flaw the new exploit, named MiniPlasma, weaponizes today, raising the question of whether the original patch ever shipped or was silently rolled back.
What Forshaw Found, What Eclipse Re-Found
James Forshaw, a researcher with Google Project Zero, filed the original bug report against the Windows Cloud Filter driver, cldflt.sys, in September 2020. His write-up walked through a race condition in the HsmOsBlockPlaceholderAccess routine that let an unprivileged process write arbitrary keys into the .DEFAULT user registry hive. Microsoft pushed a fix during the December 2020 Patch Tuesday cycle, closed the case, and the vulnerability disappeared from the public conversation for almost six years.
It came back on May 13. A researcher operating under the handle Nightmare-Eclipse (also called Chaotic Eclipse in some posts) published a fresh proof-of-concept dubbed MiniPlasma in a GitHub repository of the same name. The pitch in the README is blunt: the same code path Forshaw demonstrated in 2020 still works on Windows 11 with the May 2026 updates installed.
| Disclosure window | September 2020 | May 2026 |
|---|---|---|
| Researcher | James Forshaw, Google Project Zero | Nightmare-Eclipse, independent |
| Vulnerable component | cldflt.sys, HsmOsBlockPlaceholderAccess | cldflt.sys, HsmOsBlockPlaceholderAccess |
| CVSS rating | 7.0 High | Same code path, same impact |
| Microsoft response | Patch shipped December 2020 | No public statement at press time |
| Public exploit | Project Zero PoC, embargoed at first | Compiled binary on GitHub, 440+ stars |
Inside the cldflt.sys Race Condition
The Cloud Files Mini Filter Driver sits underneath OneDrive and other on-demand sync clients. When a user opens a placeholder file, the driver decides whether to hydrate the file from the cloud or deny the access. The routine handling the deny path makes a registry call that misses one important safety flag.
The missing flag is OBJ_FORCE_ACCESS_CHECK. Without it, the kernel skips the security check that would normally stop a non-administrative thread from creating keys under the .DEFAULT user hive. That hive belongs to the LocalSystem context, so any key created there through this path ends up owned by LocalSystem.
MiniPlasma turns the missing check into a working escalation by running this sequence:
- Spawn two threads that ping-pong between user and anonymous tokens, manipulating the kernel’s RtlOpenCurrentUser call.
- Trigger the cldflt.sys code path that opens the .DEFAULT hive for writing.
- Win the race so the thread impersonation is reverted at the exact moment the open succeeds.
- Write a key whose owner is now LocalSystem.
- Use that key to spawn cmd.exe inside the SYSTEM account.
The author concedes the race is probabilistic. Will Dormann, senior principal vulnerability analyst at Tharros Labs, ran the binary against a freshly updated Windows 11 Pro install and got a SYSTEM prompt on the first try. He also reported, on his public account, that the same binary fails against the Insider Preview Canary build, suggesting a fix is already running in the development branch.
A Six-Year-Old Bug, Patched on Paper
The Forshaw bug had a clean disposition. CVE-2020-17103 was credited, scored, listed in Microsoft Security Response Center advisories, and tied to a December 2020 cumulative update. The NIST National Vulnerability Database entry for the original CVE still flags only the older Windows 10 builds as affected. Treat that record as accurate and the new exploit should not run. Run the new exploit and a Windows 11 Pro machine on the May 2026 build opens a SYSTEM shell.
The author of the new exploit does not claim to know why.
> I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons.
That line, posted in the repository README, frames the bigger problem. A code path was supposedly closed off in 2020, fanfare and all, and an attacker can reach the same kernel object today with code that was never updated for the modern build. The five-year regression is what makes this a reckoning rather than a routine disclosure: someone, somewhere inside the Cloud Filter driver’s maintenance history, undid the fix or never landed it.
OneDrive Sits on Every Desktop That Runs This Driver
cldflt.sys is not an optional component. The driver ships with every modern Windows install because it provides the placeholder-file plumbing that OneDrive, the consumer and enterprise sync client bundled with Microsoft 365, depends on. Third-party cloud clients including iCloud for Windows and several enterprise content gateways register against the same filter manager interface, which means the kernel module loads on essentially any Windows endpoint Microsoft ships.
The blast radius is therefore the whole desktop fleet. A standard user, a phishing payload running inside a regular Office worker’s session, or a script kicked off by a compromised browser tab can all reach the vulnerable code path. Once the race is won, the attacker is LocalSystem on that machine, with the run of the registry, the security accounts database, and any saved credential the SYSTEM process can decrypt.
That tilts the threat model from nuisance to staging ground. Initial access brokers, the criminal middlemen who sell footholds to ransomware crews, prize exactly this kind of bug because it bridges the gap between a phished user and a domain-grade compromise. Active Directory environments are especially exposed: a SYSTEM shell on a domain-joined laptop is one mimikatz invocation away from credential material the attacker can replay against a domain controller.
The Calendar the Researcher Picked
The May 17 publication date was not an accident. Microsoft’s monthly security release shipped on May 13, the second Tuesday of the month. By dropping working exploit code four days later, Nightmare-Eclipse maximized the gap before the next scheduled fix. The June Patch Tuesday lands on June 9, leaving organizations with roughly three full weeks of exposure to a public, weaponized escalation before an in-band update can be expected.
Microsoft has shipped out-of-band fixes when the calendar demanded it. The May 2017 WannaCry response and the July 2021 PrintNightmare emergency update both jumped the cycle. Neither happened on the first day of a public PoC, however. Both followed mass exploitation in the wild.
The reporting trail so far is one-sided. SecurityWeek’s request for comment went unanswered at press time, and the Microsoft Security Response Center has issued no advisory tying CVE-2020-17103 to the new behavior. That silence keeps the calendar pressure on defenders. The patch they need either arrives early, or it slots into the routine June bundle.
Mitigation Without a Patch
Endpoint defense teams do not have a Microsoft-blessed workaround, but the driver’s role and the exploit’s mechanics leave several practical levers. The MITRE ATT&CK technique catalog labels this kind of escalation as T1068 Exploitation for Privilege Escalation, with detection guidance pointing at process-token anomalies and unsigned kernel callers.
Useful actions over the next three weeks:
- Restrict GitHub binaries reaching user shells. The compiled MiniPlasma executable is the path of least resistance for opportunistic attackers; application-control tools (WDAC, AppLocker) and managed browser policy can block the download.
- Hunt for new keys under the .DEFAULT hive. Sysmon event IDs 12 (registry key create/delete) and 13 (value set) fire on registry object activity; alert on any non-SYSTEM process creating keys or setting values under HKU\.DEFAULT.
- Watch for anonymous-token impersonation. The exploit’s race relies on RtlOpenCurrentUser flipping under thread impersonation; EDR vendors that surface token-context transitions can score this behavior as high-confidence.
- Disable OneDrive on machines that do not need it. cldflt.sys is loaded on boot whether or not OneDrive is in use, but stripping the placeholder feature reduces the volume of legitimate driver activity, which makes anomalous calls easier to spot.
- Pin the Canary fix. Dormann’s note that the Insider Preview Canary build resists the exploit is a useful signal; security teams running Insider rings should preserve those samples for IR baselining.
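The .DEFAULT hive hunt from the list above, as an added detection example that is not part of the original article or the MiniPlasma repository. It assumes Sysmon registry events are exported as JSON lines with the `User` field populated; the sample events are constructed, and the image paths and account names in them are placeholders.

```python
"""Flag Sysmon registry events (IDs 12/13) that touch HKU\\.DEFAULT from a
non-SYSTEM context. Sample events below are constructed for illustration."""
import json

SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM"}
WATCHED_PREFIX = "hku\\.default\\"   # compared case-insensitively

# Constructed Sysmon-style events as a log shipper might forward them (JSON lines).
# Assumes the events carry Sysmon's User field; image paths and accounts are placeholders.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 12, "EventType": "CreateKey",
                "Image": "C:\\Windows\\System32\\svchost.exe",
                "User": "NT AUTHORITY\\SYSTEM",
                "TargetObject": "HKU\\.DEFAULT\\Software\\Classes\\Local Settings"}),
    json.dumps({"EventID": 12, "EventType": "CreateKey",
                "Image": "C:\\Users\\alice\\Downloads\\unknown.exe",
                "User": "CORP\\alice",
                "TargetObject": "HKU\\.DEFAULT\\Software\\Example"}),
    json.dumps({"EventID": 13, "EventType": "SetValue",
                "Image": "C:\\Users\\alice\\Downloads\\unknown.exe",
                "User": "CORP\\alice",
                "TargetObject": "HKU\\.DEFAULT\\Software\\Example\\Cmd"}),
    json.dumps({"EventID": 13, "EventType": "SetValue",
                "Image": "C:\\Windows\\explorer.exe",
                "User": "CORP\\alice",
                "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Test"}),
])

def is_suspicious(ev):
    """True when a non-SYSTEM process creates a key or sets a value under HKU\\.DEFAULT.
    SYSTEM itself writes there legitimately, so those events are filtered out."""
    if ev.get("EventID") not in (12, 13):
        return False
    target = ev.get("TargetObject", "").lower()
    if not target.startswith(WATCHED_PREFIX):
        return False
    return ev.get("User", "") not in SYSTEM_USERS

def hunt(jsonl):
    """Return (Image, User, TargetObject) for every suspicious event in a JSON-lines blob."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_suspicious(ev):
            hits.append((ev["Image"], ev["User"], ev["TargetObject"]))
    return hits

if __name__ == "__main__":
    for image, user, target in hunt(SAMPLE_EVENTS):
        print(f"ALERT {user} via {image} -> {target}")
```

Only the two events from the non-SYSTEM user touching HKU\.DEFAULT are reported; the SYSTEM write and the write to a normal user SID hive are ignored.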
If Microsoft jumps the cycle and ships an out-of-band Cloud Filter driver update before June 9, the story closes quickly and the lesson is internal: a regression survived six years of build automation. If June 9 comes and the bundle arrives without a CVE-2020-17103 follow-up, defenders are running compensating controls into July, and the question of how a closed 2020 ticket reopened in 2026 becomes the actual story.
