Chaotic Eclipse Releases MiniPlasma — A Five-Year-Old Windows Zero-Day That Still Grants SYSTEM Privileges on Fully Patched Systems
Chaotic Eclipse has released a third wave of Windows zero-day disclosures, publishing a proof-of-concept for a privilege escalation vulnerability codenamed MiniPlasma that grants SYSTEM privileges on fully patched Windows systems — including those running the latest May 2026 updates.
The flaw resides in cldflt.sys, the Windows Cloud Files Mini Filter Driver, specifically in a routine named HsmOsBlockPlaceholderAccess. What makes this disclosure particularly damaging for Microsoft is the vulnerability's history: it was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and was believed to have been patched in December 2020 as CVE-2020-17103.
It wasn't. Chaotic Eclipse discovered that the exact same issue remains present and unpatched — either Microsoft never fully remediated it or the fix was silently rolled back at some point. The original Google Project Zero proof-of-concept still worked without modification. Chaotic Eclipse weaponized it to spawn a SYSTEM shell, noting it works reliably on test machines though success rates may vary given the underlying race condition.
Security researcher Will Dormann independently confirmed the exploit works reliably on Windows 11 systems running the May 2026 cumulative updates, producing a cmd.exe prompt with full SYSTEM privileges. Dormann noted the exploit does not appear to work on the latest Insider Preview Canary build, which may indicate Microsoft has quietly addressed the issue in pre-release code without yet shipping a production fix.
The vulnerability likely affects all Windows versions, given its presence in a core kernel driver that has existed across multiple Windows generations. The Cloud Files Mini Filter Driver has a troubled security track record — Microsoft patched a separate privilege escalation in the same component (CVE-2025-62221, CVSS 7.8) in December 2025 after it was found being exploited by unknown threat actors.
This is the third round of zero-day disclosures from Chaotic Eclipse, following BlueHammer, RedSun, and UnDefend (targeting Microsoft Defender, covered in ZDW article #193) and YellowKey and GreenPlasma (BitLocker bypass and CTFMON escalation, article #202). The researcher has been publicly vocal about dissatisfaction with Microsoft's vulnerability handling process, and this latest disclosure — resurrecting a five-year-old bug that was supposed to be fixed — adds significant weight to that criticism.
Mitigation:
There is no production patch available. Monitor for exploitation indicators, including suspicious activity involving cldflt.sys and unexpected SYSTEM-level process spawning. Because the exploit relies on a race condition, behavioral detection that looks for rapid privilege transitions may catch exploitation attempts. Organizations running Windows in high-security environments should monitor Microsoft's advisory channels for an emergency patch. The fact that the Insider Preview Canary build appears unaffected suggests a fix may be in Microsoft's pipeline but has not yet reached production. Given Chaotic Eclipse's pattern of disclosures leading to rapid in-the-wild exploitation — BlueHammer was weaponized within days — treat this as an active threat rather than a theoretical risk.
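One way to turn the behavioral guidance above into a concrete check, as an added example that is not part of the original article: the script below runs two heuristics over process-creation records, flagging a SYSTEM child whose parent ran as an ordinary user, and a SYSTEM interactive shell launched by something other than a known service host, and marks a finding "rapid" when the parent was itself seen acting in a user context moments earlier. The field layout (loosely modelled on Sysmon Event ID 1), the allow-list of service-host parents, and the sample log are all assumptions constructed for illustration, and nothing here is specific to cldflt.sys; it is the generic "unexpected SYSTEM spawn" detection the article recommends.

```python
"""Heuristic detection of unexpected SYSTEM-level process spawning.

Added illustration, not code from the original article. Field names loosely
follow Sysmon Event ID 1 (an assumption); the sample log is constructed.
Two heuristics are applied to process-creation records:
  1. a SYSTEM child whose parent ran as an ordinary user, and
  2. a SYSTEM interactive shell whose parent is not a known service host.
A finding is marked "rapid" when the parent image was created in a user
context within RAPID_WINDOW, i.e. a quick user-to-SYSTEM transition.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
# Parents that routinely launch SYSTEM children; assumed allow-list, tune per environment.
EXPECTED_SYSTEM_PARENTS = {
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Windows\System32\smss.exe",
}
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RAPID_WINDOW = timedelta(seconds=5)


@dataclass
class ProcessEvent:
    utc_time: datetime
    image: str
    user: str
    parent_image: str
    parent_user: str


@dataclass
class Finding:
    utc_time: datetime
    image: str
    parent_image: str
    reason: str
    rapid: bool


def parse_events(text: str) -> list:
    """Parse pipe-separated records: time|image|user|parent_image|parent_user."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        t, image, user, pimage, puser = line.strip().split("|")
        events.append(ProcessEvent(datetime.fromisoformat(t), image, user, pimage, puser))
    return events


def detect(events: list) -> list:
    """Return Findings for SYSTEM spawns that do not fit the expected service path."""
    last_user_activity = {}  # image path -> most recent time it was created in a user context
    findings = []
    for ev in sorted(events, key=lambda e: e.utc_time):
        if ev.user.upper() != SYSTEM_ACCOUNT:
            last_user_activity[ev.image] = ev.utc_time
            continue
        reason = None
        if ev.parent_user.upper() != SYSTEM_ACCOUNT:
            reason = "user-to-SYSTEM transition"
        elif (ev.parent_image not in EXPECTED_SYSTEM_PARENTS
              and ntpath.basename(ev.image).lower() in INTERACTIVE_SHELLS):
            reason = "SYSTEM shell from non-service parent"
        if reason is None:
            continue
        seen = last_user_activity.get(ev.parent_image)
        rapid = seen is not None and ev.utc_time - seen <= RAPID_WINDOW
        findings.append(Finding(ev.utc_time, ev.image, ev.parent_image, reason, rapid))
    return findings


# Constructed sample log: one benign service spawn, a normal user session,
# a user binary that spawns a SYSTEM cmd.exe one second later, a legitimate
# SYSTEM cmd.exe under svchost, and a SYSTEM cmd.exe under a SYSTEM PowerShell.
SAMPLE_LOG = r"""
2026-05-20T10:00:00|C:\Windows\System32\svchost.exe|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|NT AUTHORITY\SYSTEM
2026-05-20T10:00:01|C:\Windows\explorer.exe|CORP\alice|C:\Windows\System32\userinit.exe|CORP\alice
2026-05-20T10:00:02|C:\Users\alice\Downloads\unknown.exe|CORP\alice|C:\Windows\explorer.exe|CORP\alice
2026-05-20T10:00:03|C:\Windows\System32\cmd.exe|NT AUTHORITY\SYSTEM|C:\Users\alice\Downloads\unknown.exe|CORP\alice
2026-05-20T10:00:10|C:\Windows\System32\cmd.exe|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe|NT AUTHORITY\SYSTEM
2026-05-20T10:05:00|C:\Windows\System32\cmd.exe|NT AUTHORITY\SYSTEM|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|NT AUTHORITY\SYSTEM
"""

if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        flag = "RAPID " if f.rapid else ""
        print(f"{f.utc_time.isoformat()} {flag}{f.reason}: {f.image} <- {f.parent_image}")
```

On the constructed sample this reports two findings: the cmd.exe spawned by the user binary (a rapid user-to-SYSTEM transition, the high-signal case) and the cmd.exe under a SYSTEM PowerShell (lower signal, commonly seen with remote-administration tooling, so it is worth a separate, tunable rule rather than the same severity). The allow-list and the five-second window are deliberately conservative starting points; the first rule needs no such tuning because a SYSTEM child of a user-context parent is rare outside UAC elevation flows that pass through known system binaries.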