CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 18, 2026

MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems

The Hacker News Archived May 18, 2026 ✓ Full text saved

Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems. Codenamed MiniPlasma, the vulnerability impacts "cldflt.sys," which refers to the Windows Cloud Files Mini Filter Driver,

Full text archived locally
✦ AI Summary · Claude Sonnet


    MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems Ravie LakshmananMay 18, 2026Zero Day / Vulnerability Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems. Codenamed MiniPlasma, the vulnerability impacts "cldflt.sys," which refers to the Windows Cloud Files Mini Filter Driver, and resides in a routine named "HsmOsBlockPlaceholderAccess." It was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. Although it was assumed that the shortcoming was fixed by Microsoft in December 2020 as part of CVE-2020-17103, Chaotic Eclipse said further investigation has uncovered that the "exact same issue [...] is actually still present, unpatched." "I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes," the researcher added. "To highlight this issue, I weaponized the original PoC to spawn a SYSTEM shell. It seems to work reliably in my machines butsuccess rate may vary since it's a race condition." The researcher further pointed out that all Windows versions are likely affected by this vulnerability. In a post shared on Mastodon, security researcher Will Dormann said MiniPlasma works "reliably" to open a "cmd.exe" prompt with SYSTEM privileges on Windows 11 systems running the latest May 2026 updates. "I'll note that it does not seem to work on the latest Insider Preview Canary Windows 11," Dormann pointed out. In December 2025, Microsoft also addressed another privilege escalation flaw in the same component (CVE-2025-62221, CVSS score: 7.8), which it identified as exploited by unknown threat actors. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, Google Project Zero, Microsoft, privilege escalation, Vulnerability, Windows, Windows 11, Zero-Day ⚡ Top Stories This Week Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Load More ▼ ⭐ Featured Resources [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage [Webinar] Learn How to Handle Critical SOC Alerts With AI Support [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk Identify Internal Attack Surfaces More Efficiently With a Free Assessment
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    May 18, 2026
    Archived
    May 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗