Windows 11 Under Siege: The MiniPlasma Zero-Day Unlocks SYSTEM Privileges
Chaotic Eclipse has published on GitHub the source code and precompiled executable of a local zero-day exploit for Windows, dubbed MiniPlasma. The vulnerability allows a malicious local user to elevate their privileges to the SYSTEM level on fully updated machines, gaining complete control of the operating system. The problem lies directly in the Cloud Filter driver (cldflt.sys) and specifically in its HsmOsBlockPlaceholderAccess routine.
This discovery revives an old ghost for Redmond's security team. It is the very same defect originally reported in September 2020 by Google Project Zero researcher James Forshaw. Tracked at the time as CVE-2020-17103, the flaw was declared resolved by Microsoft with the December 2020 Patch Tuesday. Current verification contradicts the official bulletins: the researcher has confirmed that Google's original proof-of-concept still works today without any modification, suggesting that Microsoft either never applied an effective patch or quietly removed it later for unknown reasons.
Independent tests conducted on an up-to-date Windows 11 Pro with the May 2026 patches confirm the severity of the situation. Running the exploit from a standard user profile, with no administrative permissions, immediately opens a command shell with SYSTEM privileges. Will Dormann, an analyst at Tharros, specifically validated the effectiveness of the code on public builds of Windows 11, noting a single exception: the attack fails on builds from the Insider Preview Canary channel, a detail that suggests an internal corrective patch is already being tested inside Microsoft.
Technically, MiniPlasma abuses the way the driver handles registry key creation when invoked through the undocumented CfAbortHydration API. This manipulation allows arbitrary keys to be created within the .DEFAULT user hive, bypassing Windows' normal access controls.
MiniPlasma is the latest chapter in a massive uncoordinated disclosure campaign initiated by the researcher in recent weeks. The sequence began in April with BlueHammer (CVE-2026-33825), followed by RedSun (actively exploited in attacks and then quietly patched by Microsoft without assigning a CVE identifier) and UnDefend, a denial-of-service tool against Windows Defender. In May, GreenPlasma and YellowKey were added, the latter a tool capable of bypassing BitLocker on Windows 11 and Windows Server 2022/2025 by opening a command shell on drives protected by TPM-only configurations.
The decision to publicly release kernel-level exploits stems from a bitter dispute between the researcher and the Redmond giant. Chaotic Eclipse declared a desire to protest against Microsoft's bug bounty program and threat management processes, accusing the company of conducting exhausting personal reprisals following the researcher's reports.