MiniPlasma Zero-Day Exposes Fully Patched Windows 11 to SYSTEM-Level Takeover

MiniPlasma Windows 11 Zero-Day Reportedly Grants SYSTEM Access on Fully Patched PCs

A newly released Windows privilege escalation exploit is raising concern across the security community after researchers confirmed it can grant SYSTEM-level access on fully updated Windows 11 systems.

The exploit, called MiniPlasma, was published by a researcher using the name Chaotic Eclipse. According to independent testing, the flaw can be triggered from a standard user account and used to open a command prompt with SYSTEM privileges, the highest level of access on Windows. That means an attacker who already has limited access to a device could potentially take full control of the machine.

What makes MiniPlasma especially notable is that it reportedly works on Windows 11 systems with the latest May 2026 security updates installed. Testing on a clean Windows 11 Pro installation confirmed the exploit’s effectiveness, and security researcher Will Dormann of Tharros also verified the behavior independently.

The vulnerability is tied to the Windows Cloud Filter driver, known as cldflt.sys. More specifically, the issue involves a routine called HsmOsBlockPlaceholderAccess. This component is part of the Windows system used to manage cloud-backed files and placeholder access.

The surprising part is that this does not appear to be an entirely new bug. The same underlying issue was reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. It was assigned CVE-2020-17103 and was believed to have been fixed in December 2020.

Chaotic Eclipse claims the original proof-of-concept from 2020 still works without modification. The researcher suggested that Microsoft may not have fully fixed the vulnerability at the time, or that the patch may have been reverted later for unknown reasons.

At a high level, MiniPlasma abuses the way the Cloud Filter driver handles certain registry-related operations. The flaw can allow a low-privileged user to create registry keys in areas where normal security checks should prevent access. The exploit relies on a race condition, meaning timing plays a role in whether it succeeds. Even so, confirmed tests indicate that it can be reliable enough to work on real systems.

One important limitation has been noted: the exploit reportedly does not work on the latest Windows 11 Insider Preview Canary build. That could suggest Microsoft has already changed something in newer test versions of the operating system, although no official fix for MiniPlasma has been confirmed.

MiniPlasma is not an isolated disclosure. It is part of a larger series of Windows vulnerability releases from Chaotic Eclipse over the past several weeks.

The researcher previously disclosed BlueHammer, a Windows Defender local privilege escalation vulnerability that Microsoft later patched as CVE-2026-33825. That disclosure was followed by RedSun, another reported Defender privilege escalation issue that was allegedly fixed without a public CVE. Other tools and exploits followed, including UnDefend, which interferes with Defender security definition updates; YellowKey, a BitLocker bypass involving the Windows Recovery Environment; and GreenPlasma, a CTFMON-related privilege escalation issue where part of the exploit code was withheld.

Some of these earlier disclosures were reportedly observed in real-world attacks soon after becoming public. Security researchers from Huntress confirmed exploitation of BlueHammer, RedSun, and UnDefend shortly after release, underscoring how quickly threat actors can move when working exploit details become available.

Chaotic Eclipse has been open about the motivation behind the releases, pointing to frustration with Microsoft’s handling of vulnerability reports, bug bounty processes, and patch validation. Microsoft has not issued a specific public comment on MiniPlasma at the time of writing, though the company has previously stated that it supports coordinated vulnerability disclosure as a standard security practice.

For Windows users and administrators, MiniPlasma is another reminder that staying fully patched is essential but not always enough. Because the exploit requires local access, the immediate risk is highest on systems where attackers may already have a foothold through phishing, malware, stolen credentials, or exposed remote access tools.

Organizations should monitor Windows endpoints for unusual privilege escalation activity, unexpected SYSTEM-level processes, suspicious command prompt launches, and unauthorized registry changes. Limiting standard user permissions, hardening endpoint detection, restricting script execution, and reviewing recovery and BitLocker configurations can also help reduce risk while the security community waits for an official response or patch.
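One way to hunt for the "unexpected SYSTEM-level process" and "suspicious command prompt" signals described above is to correlate process-creation telemetry and flag any SYSTEM process whose parent ran unelevated under a different account. The sketch below is an added example, not code from the researcher, Microsoft, or any vendor. It assumes events exported from Sysmon Event ID 1 as dictionaries; the sample events, account name and GUIDs are constructed. It is a generic heuristic for the outcome the article describes, since the exploit's actual process lineage is not documented here.

```python
# Added example. Events are constructed; keys follow Sysmon Event ID 1 field names.
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
UNELEVATED = {"Low", "Medium"}          # integrity levels of a standard-user process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def unexpected_system_children(events):
    """Flag SYSTEM processes whose parent ran unelevated under another account."""
    seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        seen[ev["ProcessGuid"]] = ev
        parent = seen.get(ev["ParentProcessGuid"])
        if parent is None:              # parent started before the log window
            continue
        if (ev["User"].upper() == SYSTEM_USER
                and parent["User"].upper() != SYSTEM_USER
                and parent["IntegrityLevel"] in UNELEVATED):
            alerts.append({
                "time": ev["UtcTime"],
                "image": ev["Image"],
                "parent_image": parent["Image"],
                "parent_user": parent["User"],
                "severity": "high" if image_name(ev["Image"]) in SHELLS else "medium",
            })
    return alerts

def _ev(time, guid, parent, image, user, integrity):
    return {"UtcTime": time, "ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "User": user, "IntegrityLevel": integrity}

USER = "DESKTOP-01\\alice"              # constructed standard-user account
SAMPLE_EVENTS = [                       # constructed events, not real telemetry
    _ev("2026-05-20 10:00:00.000", "{g-01}", "{g-00}", r"C:\Windows\explorer.exe", USER, "Medium"),
    _ev("2026-05-20 10:01:00.000", "{g-02}", "{g-01}", r"C:\Windows\System32\cmd.exe", USER, "Medium"),
    _ev("2026-05-20 10:02:00.000", "{g-03}", "{g-01}", r"C:\Windows\System32\mmc.exe", USER, "High"),
    _ev("2026-05-20 10:03:00.000", "{g-04}", "{g-02}", r"C:\Users\alice\Downloads\tool.exe", USER, "Medium"),
    _ev("2026-05-20 10:03:05.000", "{g-05}", "{g-04}", r"C:\Windows\System32\cmd.exe", SYSTEM_USER, "System"),
    _ev("2026-05-20 10:04:00.000", "{g-06}", "{g-00}", r"C:\Windows\System32\services.exe", SYSTEM_USER, "System"),
    _ev("2026-05-20 10:04:01.000", "{g-07}", "{g-06}", r"C:\Windows\System32\svchost.exe", SYSTEM_USER, "System"),
]

if __name__ == "__main__":
    for alert in unexpected_system_children(SAMPLE_EVENTS):
        print(alert)
```

Ordinary UAC elevation (the mmc.exe event) and service starts under services.exe do not match, because the child either keeps the user's account or has a SYSTEM parent.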

MiniPlasma’s release adds pressure on Microsoft to clarify whether CVE-2020-17103 was incompletely patched, reintroduced, or bypassed in a new way. Until then, the exploit remains a serious concern for Windows 11 security, especially because it appears to affect fully updated systems rather than only outdated or neglected installations.