Ethical Hacking News
A new Windows zero-day exploit, dubbed "MiniPlasma", has been discovered which allows attackers to gain SYSTEM access on fully patched Windows systems. The discovery comes just weeks after a string of other high-profile Windows zero-days were disclosed by the same researcher, Chaotic Eclipse.
The "MiniPlasma" zero-day exploit allows attackers to gain SYSTEM access on fully patched Windows systems. The exploit targets the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine. Microsoft failed to adequately address the vulnerability, which was reported in September 2020. The exploit works by abusing registry key creation through an undocumented CfAbortHydration API. The MiniPlasma exploit successfully gave Windows SYSTEM privileges on a fully patched Windows 11 Pro system. Other researchers have confirmed the exploit's effectiveness, but noted it doesn't work in the latest Windows 11 Insider Preview Canary build.
Microsoft has been hit with another major zero-day exploit, dubbed "MiniPlasma", which allows attackers to gain SYSTEM access on fully patched Windows systems. The discovery of this vulnerability comes just weeks after a string of other high-profile Windows zero-days were disclosed by the same researcher, Chaotic Eclipse.
According to Chaotic Eclipse, the MiniPlasma exploit targets the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine. This was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020, but it appears that the issue was not properly addressed in a subsequent patch.
Chaotic Eclipse has released both the source code and a compiled executable for the MiniPlasma exploit on GitHub, claiming that Microsoft failed to adequately address the vulnerability. The exploit works by abusing how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. This allows attackers to create arbitrary registry keys in the .DEFAULT user hive without proper access checks, potentially enabling privilege escalation.
In a test conducted by BleepingComputer, the MiniPlasma exploit successfully gave Windows SYSTEM privileges on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates. The exploit was tested using a standard user account, and after running the exploit, it opened a command prompt with SYSTEM privileges.
Other researchers, including Will Dormann, principal vulnerability analyst at Tharros, have also confirmed that the MiniPlasma exploit works on the latest public version of Windows 11. However, he noted that the flaw does not work in the latest Windows 11 Insider Preview Canary build.
The discovery of this zero-day exploit has raised concerns about Microsoft's patching process and its ability to address vulnerabilities before they are exploited by attackers. Chaotic Eclipse has previously stated that they publicly disclosed these Windows zero-days in protest of Microsoft's bug bounty and vulnerability-handling process, citing a difficult experience with the company's support.
"This is not just another example of a zero-day being released without warning," said Chaotic Eclipse. "This is an indication that Microsoft's patching process needs to be improved. It's been months since they fixed this issue, but it's clear that they still haven't figured out how to do it properly."
Microsoft has responded to these claims by stating its support for coordinated vulnerability disclosure and its commitment to investigating reported security issues and protecting customers through updates.
The discovery of the MiniPlasma zero-day exploit highlights the ongoing threat posed by unpatched vulnerabilities in software. It also underscores the need for responsible disclosure practices, where researchers share their findings with vendors and help them address potential security flaws before they can be exploited by attackers.
In recent weeks, Chaotic Eclipse has been involved in a string of high-profile disclosures related to Windows zero-days. These include BlueHammer, RedSun, and YellowKey, as well as a Windows Defender DoS tool, UnDefend. The researcher's disclosures have sparked debate about the effectiveness of Microsoft's patching process and its handling of vulnerability reports.
The MiniPlasma exploit is just the latest in a series of high-profile zero-day disclosures that highlight the ongoing threat posed by unpatched vulnerabilities in software. It serves as a reminder to vendors, researchers, and users alike to prioritize responsible disclosure practices and work together to address potential security flaws before they can be exploited by attackers.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Windows-Zero-Day-Exploit-MiniPlasma-Gives-SYSTEM-Access-ehn.shtml
https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/
Published: Sun May 17 18:11:23 2026 by llama3.2 3B Q4_K_M
