MiniPlasma: Public cldflt.sys Exploit Grants SYSTEM on Fully Patched Windows

CyberSecureFox Editorial Team

A security researcher under the alias Chaotic Eclipse has released a working exploit named MiniPlasma, which allows obtaining SYSTEM-level privileges on fully up-to-date Windows systems. The vulnerability affects the cldflt.sys driver (Windows Cloud Files Mini Filter Driver) and, according to the researcher, represents the same issue that Google Project Zero discovered back in 2020 and which was apparently never fully fixed. The public PoC code is available on GitHub, making the threat relevant to all administrators of Windows infrastructures.

Technical details of the vulnerability

The vulnerability is located in the HsmOsBlockPlaceholderAccess routine within the cldflt.sys driver — a mini-filter responsible for working with cloud files in Windows. By its nature, this is a race condition, which means exploitation success may vary depending on the configuration and load of the target system.

The timeline of the issue deserves particular attention:

  • In September 2020, Google Project Zero researcher James Forshaw reported the issue to Microsoft.
  • In December 2020, Microsoft released a fix as part of CVE-2020-17103.
  • According to Chaotic Eclipse, the original PoC from Google Project Zero works on current systems without any modifications, which calls into question the effectiveness of the released patch.

The researcher notes that it is unclear whether the patch was incomplete from the outset or was rolled back at some stage. To demonstrate the problem, he modified the original PoC so that the exploit spawns a command shell with SYSTEM privileges.

Independent validation

An important confirmation of the exploit’s effectiveness came from an independent test conducted by well-known security researcher Will Dormann. According to his post on Mastodon, MiniPlasma “reliably” opens cmd.exe with SYSTEM privileges on Windows 11 systems with updates installed through May 2026. At the same time, Dormann indicated that the exploit does not work on the latest Windows 11 Insider Preview Canary build, which may indicate the presence of a fix in pre-release builds.

This fact indirectly confirms that Microsoft may be aware of the issue and working on a fix; however, there is no official confirmation from the company at the time of publication.

Related vulnerabilities in the same component

It is worth noting that in December 2025, Microsoft had already fixed another privilege escalation vulnerability in cldflt.sys — CVE-2025-62221 (CVSS 7.8), which, according to available information, had been exploited by unidentified attackers. The presence of several vulnerabilities in the same driver points to systemic security issues in this component.

Impact assessment

Local privilege escalation to SYSTEM is one of the most critical classes of vulnerabilities in corporate environments. Once an attacker obtains SYSTEM access, they can:

  • Disable security tools, including antivirus software and EDR solutions
  • Extract credentials from process memory
  • Install persistent backdoors
  • Move laterally across the organization’s network

Although exploitation requires local access to the system, in practice this limitation is easily overcome: attackers typically gain initial access through phishing or exploitation of web services and then use privilege escalation vulnerabilities to establish persistence. Public availability of a PoC significantly lowers the barrier to entry.

Protection recommendations

Until Microsoft releases an official fix, the following measures are recommended:

  • Monitor cldflt.sys activity: configure detection rules in SIEM/EDR to track anomalous activity related to the Cloud Files Mini Filter driver. Pay attention to unusual instances of cmd.exe or powershell.exe being spawned with SYSTEM privileges.
  • Evaluate the necessity of the component: if Windows cloud file functionality (OneDrive, Windows Cloud Files) is not used in your infrastructure, consider disabling or restricting loading of the cldflt.sys driver via Group Policy.
  • Strengthen access control: minimize the number of users with local access to servers and workstations. The vulnerability requires local code execution, so restricting initial access is a key defensive boundary.
  • Track updates: closely monitor Microsoft patch releases related to cldflt.sys and CVE-2020-17103. The fact that the exploit does not work on Canary builds may indicate that a fix will appear soon in stable versions.
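The first recommendation above, translated into a runnable check. This is an added example and not code from the article, the researcher or Microsoft: it reads process-creation records shaped like Sysmon Event ID 1 (the field names Image, User, ParentImage, ParentUser follow Sysmon's naming; ParentUser only exists in newer Sysmon releases) and flags cmd.exe or powershell.exe running as NT AUTHORITY\SYSTEM when the parent either ran as an ordinary user or is not one of the service hosts that normally launch SYSTEM shells. The parent allowlist, the process paths and all five sample records are constructed for the example; the allowlist in particular is an assumption that has to be tuned to the environment it is deployed in.

```python
"""Added example: a toy SIEM/EDR-style check for the pattern the article's
recommendations describe (a SYSTEM shell spawned from an unexpected parent).
Field names mimic Sysmon Event ID 1; every record below is constructed."""

import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Parents that routinely launch SYSTEM shells: service control manager,
# service hosts, the WMI provider host and the task scheduler engine.
# Assumption: this allowlist must be tuned for the estate it is used in.
EXPECTED_SYSTEM_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\windows\system32\taskeng.exe",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_ACCOUNT = r"nt authority\system"


@dataclass
class Finding:
    pid: int
    image: str
    parent_image: str
    parent_user: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Finding]:
    """Flag a shell running as SYSTEM whose parent ran as a non-SYSTEM user
    (the classic local privilege escalation shape) or whose parent is not a
    known service host."""
    if _basename(ev.get("Image", "")) not in SHELLS:
        return None
    if ev.get("User", "").lower() != SYSTEM_ACCOUNT:
        return None
    parent_image = ev.get("ParentImage", "")
    parent_user = ev.get("ParentUser", "")  # only present in newer Sysmon versions
    if parent_user and parent_user.lower() != SYSTEM_ACCOUNT:
        reason = "SYSTEM shell whose parent ran as a non-SYSTEM user"
    elif parent_image.lower() not in EXPECTED_SYSTEM_PARENTS:
        reason = "SYSTEM shell spawned outside the expected service parents"
    else:
        return None
    return Finding(int(ev.get("ProcessId", 0)), ev.get("Image", ""),
                   parent_image, parent_user, reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_event over JSON-per-line process-creation records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than stop the pipeline
        hit = check_event(ev)
        if hit:
            findings.append(hit)
    return findings


def _rec(pid, image, user, parent, parent_user=""):
    """Build one constructed JSON record in the shape scan() expects."""
    return json.dumps({"ProcessId": pid, "Image": image, "User": user,
                       "ParentImage": parent, "ParentUser": parent_user})


# Constructed sample telemetry (paths and users are made up for the example).
SAMPLE_EVENTS = [
    _rec(1001, r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM",
         r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),   # benign
    _rec(4712, r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM",
         r"C:\Users\alice\AppData\Local\Temp\poc.exe", r"CORP\alice"),   # flagged
    _rec(3320, r"C:\Windows\System32\cmd.exe", r"CORP\alice",
         r"C:\Windows\explorer.exe", r"CORP\alice"),                     # benign
    _rec(2210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe",
         r"NT AUTHORITY\SYSTEM"),                                        # benign
    _rec(5120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"NT AUTHORITY\SYSTEM", r"C:\Windows\Temp\updater.exe"),        # flagged
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.image} <- {f.parent_image} ({f.parent_user or 'n/a'}): {f.reason}")
```

The parent-user test is the stronger signal: a SYSTEM child whose parent token belongs to an ordinary user is exactly what a local privilege escalation produces, whatever the parent binary is called. The parent-image allowlist is the fallback for telemetry that lacks ParentUser, and it is where most tuning effort goes, since legitimate deployment tools also spawn SYSTEM shells from unlisted parents.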

Given the public availability of a working exploit and independent confirmation of its effectiveness on current Windows 11 systems, the response priority is high. Organizations should immediately assess the use of the Cloud Files Mini Filter component in their infrastructure and implement compensating detection measures until an official patch from Microsoft is released.


The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.