New Windows 'MiniPlasma' Zero-Day Let Attackers Gain SYSTEM Access - PoC Released - CyberSecurityNews
New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released
By Abinaya
May 18, 2026
A critical Windows privilege escalation zero-day vulnerability dubbed “MiniPlasma” has emerged with a public proof-of-concept exploit that allows attackers to achieve SYSTEM-level privileges on fully patched Windows systems.
Security researcher Nightmare-Eclipse released the weaponized exploit on GitHub on May 13, 2026, claiming that Microsoft either failed to patch or silently rolled back the fix for a vulnerability originally reported six years ago.
The flaw targets the cldflt.sys Cloud Filter driver’s HsmOsBlockPlaceholderAccess routine, which was initially discovered and reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.
Microsoft assigned CVE-2020-17103 to the vulnerability and reportedly fixed it in December 2020 as part of its Patch Tuesday updates.
However, Nightmare-Eclipse discovered that the same issue documented in Forshaw’s original report remains exploitable without any modifications to the original proof-of-concept code.
The researcher released MiniPlasma one day after Microsoft’s May 2026 Patch Tuesday, timing the disclosure to follow the patch cycle and leaving organizations without an official fix until at least the next scheduled update.
The exploit has gained significant attention in the security community, with the GitHub repository accumulating over 390 stars within days of publication.
MiniPlasma Zero-Day PoC Released
The vulnerability allows unprivileged users to create arbitrary registry keys in the .DEFAULT user hive without proper access checks.
According to Google Project Zero, the flaw lies in how the HsmOsBlockPlaceholderAccess function handles registry key creation, failing to specify the OBJ_FORCE_ACCESS_CHECK flag.
This enables attackers to bypass normal access restrictions and write keys to the .DEFAULT user hive, even though standard users typically lack such permissions.
The exploit weaponizes this behavior by exploiting a race condition that toggles between user and anonymous tokens to manipulate the RtlOpenCurrentUser function in the kernel.
When the race condition succeeds, the system opens the .DEFAULT hive for writing while the thread impersonation is reverted, allowing unauthorized key creation.
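To make the missing-flag bug class concrete, here is an added C model (not code from the article, the PoC, or the Cloud Filter driver) of the object-manager rule that OBJ_FORCE_ACCESS_CHECK controls: a key open issued from kernel mode is normally not subjected to an ACL check, so a driver that creates keys on behalf of an impersonated user must set the flag or the user's rights are never consulted. The flag values are the real wdm.h constants; the ACL, tokens and status codes are simplified stand-ins constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Real OBJECT_ATTRIBUTES flag values from wdm.h. */
#define OBJ_KERNEL_HANDLE      0x00000200u
#define OBJ_FORCE_ACCESS_CHECK 0x00000400u

/* Constructed stand-ins for registry access rights and NTSTATUS values. */
#define KEY_READ_ACCESS        0x1u
#define KEY_CREATE_SUB_KEY     0x2u   /* write-class right a standard user lacks on .DEFAULT */
#define STATUS_SUCCESS         0
#define STATUS_ACCESS_DENIED   (-1)

typedef enum { KernelMode = 0, UserMode = 1 } Mode;          /* caller's previous mode */
typedef enum { TokenStandardUser, TokenLocalSystem } Token;   /* effective (impersonated) token */

/* Constructed ACL for HKU\.DEFAULT: SYSTEM gets everything, Users get read only. */
static uint32_t granted_rights(Token t) {
    return t == TokenLocalSystem ? (KEY_READ_ACCESS | KEY_CREATE_SUB_KEY) : KEY_READ_ACCESS;
}

/* Model of the object-manager decision for a key create:
 * user-mode callers are always checked; kernel-mode callers are checked
 * only when OBJ_FORCE_ACCESS_CHECK is present in the object attributes. */
int model_create_key(uint32_t obj_flags, Mode previous_mode, Token caller, uint32_t desired) {
    bool check = (previous_mode == UserMode) || (obj_flags & OBJ_FORCE_ACCESS_CHECK) != 0;
    if (!check)
        return STATUS_SUCCESS;   /* trusted kernel caller: ACL never consulted */
    return (granted_rights(caller) & desired) == desired ? STATUS_SUCCESS
                                                         : STATUS_ACCESS_DENIED;
}

/* Pattern described in the report: a driver creates a key in the user hive from
 * kernel mode while impersonating the requesting user, without the flag. */
int vulnerable_driver_create(Token impersonated) {
    return model_create_key(OBJ_KERNEL_HANDLE, KernelMode, impersonated, KEY_CREATE_SUB_KEY);
}

/* Hardened form: OBJ_FORCE_ACCESS_CHECK makes the hive ACL apply to the impersonated token. */
int hardened_driver_create(Token impersonated) {
    return model_create_key(OBJ_KERNEL_HANDLE | OBJ_FORCE_ACCESS_CHECK, KernelMode,
                            impersonated, KEY_CREATE_SUB_KEY);
}
```

In the model, a standard user reaching the vulnerable path gets STATUS_SUCCESS for a write-class right on .DEFAULT, while the hardened path returns STATUS_ACCESS_DENIED for the same caller and still succeeds for SYSTEM.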
Nightmare-Eclipse’s proof-of-concept, published on GitHub, demonstrates reliable exploitation on multi-core systems by spawning a SYSTEM shell after successfully winning the race condition.
The vulnerability affects all Windows versions, making it a significant threat to enterprise environments, workstations, and cloud-synchronized systems.
Testing confirmed that running the exploit from a standard user account successfully opens a command prompt with SYSTEM privileges, granting attackers complete control over the compromised machine.
The Cloud Filter driver component is integral to Windows cloud storage synchronization services like OneDrive, meaning the vulnerable code runs on a broad range of Windows installations.
Organizations should monitor Microsoft’s security response and prepare to deploy patches as soon as they become available, as the public availability of working exploit code significantly increases the risk of exploitation.