Windows 11 Zero-Day MiniPlasma Grants SYSTEM Privileges
MiniPlasma is the name of a Windows zero-day flaw disclosed by researcher Chaotic Eclipse. This exploit allows an attacker to gain access with SYSTEM privileges, even on fully up-to-date Windows 11 machines. Here's what we know.
MiniPlasma: the reappearance of a 2020 flaw
Researcher Chaotic Eclipse (also known as Nightmare Eclipse) continues to take aim at Microsoft: he has published a GitHub proof of concept (PoC) for a vulnerability nicknamed MiniPlasma.
The MiniPlasma exploit highlights a flaw in Windows and specifically targets the Cloud Filter driver (cldflt.sys) by exploiting a weakness in the way the HsmOsBlockPlaceholderAccess routine handles the registry. The attack relies on the CfAbortHydration API, an undocumented function provided by the vendor, which allows keys to be injected directly into the .DEFAULT user hive. The problem is that security checks are bypassed during the operation, which means this exploit opens the door to obtaining SYSTEM privileges.
For example, exploiting this vulnerability makes it possible to obtain a Command Prompt with SYSTEM privileges (including with the May 2026 patch installed). That makes it possible to do anything on the Windows system.
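The article states that the exploit injects keys into the .DEFAULT user hive through the CfAbortHydration path. From a defender's side, one practical check is to baseline that hive and diff it later so unexpected keys stand out. The script below is an added example written for this page; it is not code from Chaotic Eclipse's PoC or from Microsoft. It assumes it is run from an elevated PowerShell session, that HKEY_USERS\.DEFAULT is the hive the article refers to, and the snapshot file path and function names are our own choices.

```powershell
# Added example (not from the article or the PoC): snapshot HKEY_USERS\.DEFAULT and
# diff two snapshots so keys that appear or change unexpectedly can be reviewed.
# Assumptions: elevated session; snapshot stored under $env:TEMP (our own choice).

# HKEY_USERS is not mapped as a PowerShell drive by default, so map it once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-DefaultHiveSnapshot {
    # Returns a hashtable: full key path -> its values serialised as "name=value;..."
    $snapshot = @{}
    $root = Get-Item -Path 'HKU:\.DEFAULT'
    $keys = @($root) + @(Get-ChildItem -Path 'HKU:\.DEFAULT' -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $values = foreach ($name in $key.GetValueNames()) {
            # Multi-string values are joined so every value becomes one comparable string.
            '{0}={1}' -f $name, ($key.GetValue($name) -join ',')
        }
        $snapshot[$key.Name] = (@($values) | Sort-Object) -join ';'
    }
    return $snapshot
}

function Compare-HiveSnapshot {
    # Emits one object per difference: KeyAdded, KeyRemoved or ValuesChanged.
    param(
        [Parameter(Mandatory)] [hashtable]$Baseline,
        [Parameter(Mandatory)] [hashtable]$Current
    )
    $changes = @()
    foreach ($path in $Current.Keys) {
        if (-not $Baseline.ContainsKey($path)) {
            $changes += [pscustomobject]@{ Change = 'KeyAdded'; Key = $path }
        } elseif ($Baseline[$path] -ne $Current[$path]) {
            $changes += [pscustomobject]@{ Change = 'ValuesChanged'; Key = $path }
        }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) {
            $changes += [pscustomobject]@{ Change = 'KeyRemoved'; Key = $path }
        }
    }
    return $changes
}

# Usage: first run writes a baseline; later runs report differences against it.
$baselineFile = Join-Path $env:TEMP 'default-hive-baseline.xml'   # our own path choice
$current = Get-DefaultHiveSnapshot
if (-not (Test-Path $baselineFile)) {
    $current | Export-Clixml -Path $baselineFile
    Write-Host "Baseline written to $baselineFile ($($current.Count) keys)."
} else {
    $baseline = Import-Clixml -Path $baselineFile
    $diff = Compare-HiveSnapshot -Baseline $baseline -Current $current
    if ($diff.Count -eq 0) {
        Write-Host 'No changes under HKEY_USERS\.DEFAULT since baseline.'
    } else {
        $diff | Format-Table -AutoSize
    }
}
```

Legitimate software does write to .DEFAULT (it is the profile used by the SYSTEM account and the logon screen), so the diff is a review list rather than an alert on its own; the useful signal is a key appearing there in a timeframe where no installer or servicing ran.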

As Chaotic Eclipse explains, this vulnerability is not new. "After checking, it turns out that the issue reported to Microsoft by Google Project Zero is still present and has not been patched. I don't know whether Microsoft simply never fixed this issue or whether the patch was quietly rolled back at some point for unknown reasons. The original Google PoC worked without any modification," reads the note on GitHub.
Indeed, this exploit nicknamed MiniPlasma appears to correspond to a flaw originally reported in September 2020 by James Forshaw: CVE-2020-17103. Microsoft had, in theory, patched it in the December 2020 Patch Tuesday. But apparently, something was missed.
A researcher's revenge against Microsoft...
For several weeks now, Chaotic Eclipse has been publishing one critical Windows zero-day after another... It all started with three security flaws related to Windows Defender, and then he moved on to other components such as BitLocker.
Here's a quick recap:
- BlueHammer (CVE-2026-33825) and RedSun (no CVE identifier): local privilege escalation.
- UnDefend: a denial-of-service tool targeting Windows Defender (exploited in attacks together with the two other Defender flaws).
- YellowKey: a BitLocker bypass allowing access to encrypted drives on Windows 11 and Windows Server 2022/2025.
- GreenPlasma: another exploit disclosed this month alongside YellowKey, whose exploitation goes through Windows CTFMON.
As a reminder, Chaotic Eclipse's motivations are part of a protest against Microsoft's Bug Bounty and vulnerability management process. This is probably not over, as he has more surprises planned...