New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released
Cybersecurity NewsArchived May 18, 2026✓ Full text saved
A critical Windows privilege escalation zero-day vulnerability dubbed “MiniPlasma” has emerged with a public proof-of-concept exploit that allows attackers to achieve SYSTEM-level privileges on fully patched Windows systems. Security researcher Nightmare-Eclipse released the weaponized exploit on GitHub on May 13, 2026, claiming that Microsoft either failed to patch or silently rolled back the fix for […] The post New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released
By Abinaya
May 18, 2026
A critical Windows privilege escalation zero-day vulnerability dubbed “MiniPlasma” has emerged with a public proof-of-concept exploit that allows attackers to achieve SYSTEM-level privileges on fully patched Windows systems.
Security researcher Nightmare-Eclipse released the weaponized exploit on GitHub on May 13, 2026, claiming that Microsoft either failed to patch or silently rolled back the fix for a vulnerability originally reported six years ago.
The flaw targets the cldflt.sys Cloud Filter driver’s HsmOsBlockPlaceholderAccess routine, which was initially discovered and reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.
Microsoft assigned CVE-2020-17103 to the vulnerability and reportedly fixed it in December 2020 as part of its Patch Tuesday updates.
However, Nightmare-Eclipse discovered that the same issue documented in Forshaw’s original report remains exploitable without any modifications to the original proof-of-concept code.
The researcher released MiniPlasma one day after Microsoft’s May 2026 Patch Tuesday, timing the disclosure to follow the patch cycle and leaving organizations without an official fix until at least the next scheduled update.
The exploit has gained significant attention in the security community, with the GitHub repository accumulating over 390 stars within days of publication.
MiniPlasma Zero-Day PoC Released
The vulnerability allows unprivileged users to create arbitrary registry keys.DEFAULT user hive without proper access checks.
According to Google Project Zero, the flaw lies in how the HsmOsBlockPlaceholderAccess function handles registry key creation, failing to specify the OBJ_FORCE_ACCESS_CHECK flag.
This enables attackers to bypass normal access restrictions and write keys to the.DEFAULT user hive, even though standard users typically lack such permissions.
The exploit weaponizes this behavior by exploiting a race condition that toggles between user and anonymous tokens to manipulate the RtlOpenCurrentUser function in the kernel.
When the race condition succeeds, the system opens the.DEFAULT hive for writing while the thread impersonation is reverted, allowing unauthorized key creation.
Nightmare-Eclipse’s proof-of-concept, published on GitHub, demonstrates reliable exploitation on multi-core systems by spawning a SYSTEM shell after successfully winning the race condition.
The vulnerability affects all Windows versions, making it a significant threat to enterprise environments, workstations, and cloud-synchronized systems.
Testing confirmed that running the exploit from a standard user account successfully opens a command prompt with SYSTEM privileges, granting attackers complete control over the compromised machine.
The Cloud Filter driver component is integral to Windows cloud storage synchronization services like OneDrive, meaning the vulnerable code runs on a broad range of Windows installations.
Organizations should monitor Microsoft’s security response and prepare to deploy patches as soon as they become available, as the public availability of working exploit code significantly increases the risk of exploitation.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Critical SandboxJS Escape Vulnerability Enables Host Takeover
Cisco Catalyst SD-WAN Controller 0-Day Actively Exploited to Gain Admin Access
Foxconn Confirms Cyberattack After Nitrogen Ransomware Gang Claim
TeamPCP Compromised Checkmarx Jenkins AST Plugin Following KICS Supply Chain Attack
Trending Hugging Face Repo With 200k Downloads Executes Malware on Windows Machines
Latest News
Cyber Attack News
Fast16 Malware Manipulated Nuclear Weapons Simulation Data to Sabotage Test Results
Cyber Security News
Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks
Cyber Security News
Grafana Labs Security Breach – Hackers Access GitHub and Download Codebase
Cyber Security News
First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days
Cyber Security News
Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2