
New Windows 'MiniPlasma' Zero-Day Let Attackers Gain SYSTEM Access - PoC Released - CyberSecurityNews

Source: CyberSecurityNews, archived Jun 19, 2026



New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released

By Abinaya, May 18, 2026

A critical Windows privilege escalation zero-day vulnerability dubbed “MiniPlasma” has emerged with a public proof-of-concept exploit that allows attackers to achieve SYSTEM-level privileges on fully patched Windows systems. Security researcher Nightmare-Eclipse released the weaponized exploit on GitHub on May 13, 2026, claiming that Microsoft either failed to patch or silently rolled back the fix for a vulnerability originally reported six years ago.

The flaw targets the HsmOsBlockPlaceholderAccess routine of the cldflt.sys Cloud Filter driver, which was initially discovered and reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. Microsoft assigned CVE-2020-17103 to the vulnerability and reportedly fixed it in December 2020 as part of its Patch Tuesday updates. However, Nightmare-Eclipse found that the same issue documented in Forshaw’s original report remains exploitable without any modifications to the original proof-of-concept code.

The researcher released MiniPlasma one day after Microsoft’s May 2026 Patch Tuesday, timing the disclosure to follow the patch cycle and leaving organizations without an official fix until at least the next scheduled update. The exploit has drawn significant attention in the security community, with the GitHub repository accumulating over 390 stars within days of publication.

MiniPlasma Zero-Day PoC Released

The vulnerability allows unprivileged users to create arbitrary registry keys in the .DEFAULT user hive without proper access checks. According to Google Project Zero, the flaw lies in how the HsmOsBlockPlaceholderAccess function handles registry key creation: it fails to specify the OBJ_FORCE_ACCESS_CHECK flag. This enables attackers to bypass normal access restrictions and write keys to the .DEFAULT user hive, even though standard users normally lack such permissions.

The exploit weaponizes this behavior through a race condition that toggles between user and anonymous tokens to manipulate the RtlOpenCurrentUser function in the kernel. When the race is won, the system opens the .DEFAULT hive for writing while the thread’s impersonation is reverted, allowing unauthorized key creation. Nightmare-Eclipse’s proof-of-concept, published on GitHub, demonstrates reliable exploitation on multi-core systems by spawning a SYSTEM shell after winning the race.

The vulnerability affects all Windows versions, making it a significant threat to enterprise environments, workstations, and cloud-synchronized systems. Testing confirmed that running the exploit from a standard user account opens a command prompt with SYSTEM privileges, granting attackers complete control over the compromised machine. The Cloud Filter driver is integral to Windows cloud storage synchronization services such as OneDrive, so the vulnerable code runs on a broad range of Windows installations.

Organizations should monitor Microsoft’s security response and prepare to deploy patches as soon as they become available, as the public availability of working exploit code significantly increases the risk of exploitation.
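Until a fix ships, the one observable the article gives defenders is the write target: keys appearing under HKU\.DEFAULT that no unprivileged user should be able to create. The script below is an added example, not code from the article or from the MiniPlasma repository; it snapshots the subkeys of the .DEFAULT hive on a known-clean host and later diffs the live hive against that baseline. The baseline path and the recursion depth are assumptions chosen for illustration.

```powershell
# Added example: baseline-and-diff audit of the .DEFAULT user hive.
# Run elevated so every subkey is readable. Not part of the article or the PoC.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Compare',
    # Assumed location for the baseline; adjust for your environment.
    [string]$BaselinePath = "$env:ProgramData\default-hive-baseline.txt"
)

$hive = 'Registry::HKEY_USERS\.DEFAULT'

function Get-DefaultHiveKeys {
    # Enumerate key paths beneath HKU\.DEFAULT. Depth 3 is an assumed limit
    # that keeps the scan fast; raise it if you want the full tree.
    Get-ChildItem -Path $hive -Recurse -Depth 3 -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name } |
        Sort-Object -Unique
}

switch ($Mode) {
    'Snapshot' {
        # Record the key list from a host you trust as the reference state.
        Get-DefaultHiveKeys | Set-Content -Path $BaselinePath
        "Baseline of $(@(Get-Content -Path $BaselinePath).Count) keys written to $BaselinePath"
    }
    'Compare' {
        if (-not (Test-Path -Path $BaselinePath)) {
            throw "No baseline at $BaselinePath; run with -Mode Snapshot first."
        }
        $baseline = Get-Content -Path $BaselinePath
        $current  = Get-DefaultHiveKeys
        # Keys present now but absent from the baseline are the ones to triage.
        $new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
            Where-Object { $_.SideIndicator -eq '=>' } |
            Select-Object -ExpandProperty InputObject
        if (-not $new) { 'No new keys under HKU\.DEFAULT since baseline.'; return }
        foreach ($key in $new) {
            # Owner helps triage: a key a standard user should never have been
            # able to create in this hive deserves a closer look.
            $owner = (Get-Acl -Path "Registry::$key" -ErrorAction SilentlyContinue).Owner
            [pscustomobject]@{ Key = $key; Owner = $owner }
        }
    }
}
```

New keys also appear legitimately after updates or software installs, so treat a hit as a lead to investigate alongside process and logon telemetry, not as proof of exploitation.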