MiniPlasma: Windows LPE Zero-Day Works on Fully Patched Systems—Microsoft's 2020 Patch Apparently Never Took

Windows zero-day MiniPlasma (CVE-2020-17103) still works on fully patched Windows 11 despite claimed 2020 patch. Local privilege escalation via Cloud Filter driver. PoC released public. Latest in researcher's protest against Microsoft's vulnerability handling.


What's Happening

A researcher known as Chaotic Eclipse (also called Nightmare Eclipse) released working exploit code for a Windows privilege escalation flaw that Microsoft supposedly fixed six years ago. The vulnerability, CVE-2020-17103, allows a standard user to spawn a SYSTEM-level command prompt on fully patched Windows 11 systems running the latest May 2026 updates.

The catch: the original bug was reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. Microsoft claimed it fixed the issue in December 2020. Either the patch never actually worked, or it was silently rolled back at some point.

Chaotic Eclipse's take: "The original PoC by Google worked without any changes."

BleepingComputer tested the PoC on a fully patched Windows 11 Pro system (May 2026 Patch Tuesday). Result: standard user account → SYSTEM shell. Confirmed working.


Technical Details

Vulnerability: Improper access checks in the Windows Cloud Filter driver (cldflt.sys), specifically the HsmOsBlockPlaceholderAccess routine.

Attack vector: The exploit abuses how the driver handles registry key creation through an undocumented CfAbortHydration API. The original Forshaw report stated that arbitrary registry keys could be created in the .DEFAULT user hive without proper access control, allowing privilege escalation to SYSTEM.

Scope: Works on fully patched Windows 11 public release. Does NOT work on Windows 11 Insider Preview Canary build (suggests Microsoft is testing a real fix there, finally).

Impact: Local privilege escalation. Requires execution on the target system, but can be chained with other RCE vulnerabilities to achieve remote SYSTEM access.

⚠️ For Windows Infrastructure: Any system running Windows 11 or Server 2022/2025 with standard user access is exploitable. No patches released yet. Assume PoC will be weaponized within days.


Context: The Researcher's Disclosure Pattern

This is not the first time Chaotic Eclipse has dropped zero-days. Over the past two months:

April 2026:

  • BlueHammer (CVE-2026-33825): Windows LPE, exploited in the wild post-disclosure
  • RedSun: Windows LPE; Microsoft allegedly patched silently without CVE assignment
  • UnDefend: Windows Defender DoS tool

May 2026:

  • YellowKey: BitLocker bypass affecting Windows 11/Server 2022/2025 (spawns command shell with BitLocker unlocked—no PIN required on TPM-only configs)
  • GreenPlasma: Details sparse; appears to be another escalation variant
  • MiniPlasma: CVE-2020-17103 resurrected

Pattern: All released as public PoC + compiled executable on GitHub. All appear to work on current systems. Researcher claims all are exploited in the wild post-disclosure.


Why the Disclosure Spree?

Chaotic Eclipse stated they are publicly releasing Windows zero-days as protest against Microsoft's bug bounty and vulnerability handling process. According to the researcher, Microsoft representatives allegedly threatened them and handled reported vulnerabilities poorly, resulting in damage to their professional reputation.

Direct quote: "They mopped the floor with me and pulled every childish game they could. It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision."

Microsoft has not publicly responded to these allegations. The company told BleepingComputer that it "supports coordinated vulnerability disclosure" and is "committed to investigating reported security issues."

⚠️ Translation: Microsoft is likely investigating, but the fact that a 2020 patch apparently never worked suggests their QA/validation process has gaps. Expect patches in June or July Patch Tuesday, but don't count on urgency.


Detection & Mitigation

Immediate Assessment

  1. Check if your Windows systems are exposed:
    • Standard user accounts with local execution rights → HIGH RISK
    • Servers exposed to untrusted networks, or that allow Remote Desktop with weak authentication → CRITICAL
    • Air-gapped systems with no unprivileged accounts → LOW RISK
  2. Detect exploitation:
    • Monitor for cldflt.sys ioctl calls with suspicious registry operations
    • Look for unexpected SYSTEM processes spawned from standard user sessions (check Windows Event Viewer: Security log, Event ID 4688)
    • Unusual activity in .DEFAULT user registry hive creation
  3. Temporary containment:
    • Disable Cloud Filter driver if not in use: sc config cldflt start= disabled (sc requires the space after the equals sign)
    • Restart system after change
    • Verify with: sc query cldflt
    • ⚠️ May break cloud/OneDrive integration; test in lab first

No Patch Yet

Microsoft has not released a patch for CVE-2020-17103 re-emergence. Workarounds are limited to disabling the affected driver or restricting standard user execution privileges.

Hardening

Restrict unprivileged execution:

  • Prevent standard accounts from running .exe files from user-writable or otherwise sensitive directories
  • Use AppLocker or Windows Defender Application Control (WDAC) to block non-approved binaries
  • Enforce Windows Sandbox for untrusted binaries (adds latency; not bulletproof)

Harden registry access:

  • Audit and restrict who can write to the .DEFAULT hive. icacls operates on files, not registry keys, so inspect the key ACL with PowerShell instead: Get-Acl -Path 'Registry::HKEY_USERS\.DEFAULT' | Format-List
  • Monitor with Sysmon: log registry creation under .DEFAULT from non-SYSTEM processes
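A triage script that implements the detection items above (Sysmon registry monitoring of the .DEFAULT hive, SYSTEM shells in Security Event ID 4688) together with the cldflt state check, added here as an example rather than taken from the article or the PoC. It assumes Sysmon v13+ with registry events (IDs 12/13) enabled and the User field populated, process-creation auditing switched on, and an elevated PowerShell session; the look-back window default is an assumption.

```powershell
# Added triage script (not from the article or the PoC author). Assumes Sysmon
# v13+ with registry events (IDs 12/13) enabled, process-creation auditing on
# (Security Event ID 4688), and an elevated PowerShell session.
param([int]$Hours = 24)    # look-back window (assumed default)
$since = (Get-Date).AddHours(-$Hours)

# Flatten an event's <EventData> into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

# 1. Key creation or value writes under the .DEFAULT hive by anyone other than
#    SYSTEM. Sysmon reports the hive as HKU\.DEFAULT (12 = key, 13 = value set).
$regHits = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    if ($f.TargetObject -like 'HKU\.DEFAULT\*' -and $f.User -ne 'NT AUTHORITY\SYSTEM') {
        [pscustomobject]@{ Time = $_.TimeCreated; User = $f.User; Image = $f.Image
                           Action = $f.EventType; Key = $f.TargetObject }
    }
}

# 2. Interactive shells running with a SYSTEM token: the PoC's end state. The
#    parent and creator columns are what an analyst reviews first.
$procHits = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    $isShell  = $f.NewProcessName -match '\\(cmd|powershell|pwsh)\.exe$'
    $asSystem = ($f.SubjectUserName -eq 'SYSTEM') -or ($f.TargetUserName -eq 'SYSTEM')
    if ($isShell -and $asSystem) {
        [pscustomobject]@{ Time = $_.TimeCreated; Process = $f.NewProcessName
                           Parent = $f.ParentProcessName; Creator = $f.SubjectUserName }
    }
}

# 3. State of the Cloud Filter driver for the containment step. cldflt is a
#    kernel driver, so query Win32_SystemDriver rather than Get-Service.
$cldflt = Get-CimInstance Win32_SystemDriver -Filter "Name='cldflt'" |
    Select-Object Name, State, StartMode

$regHits  | Format-Table -AutoSize
$procHits | Format-Table -AutoSize
$cldflt   | Format-Table -AutoSize
```

Both hit lists are starting points for review, not verdicts: backup agents and profile-management tools can legitimately touch .DEFAULT, and service hosts legitimately spawn SYSTEM shells, so baseline the output before alerting on it.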

Monitor Cloud Filter usage:

  • If not using OneDrive, cloud sync, or Windows Search integration, disable cldflt.sys entirely
  • If you need it, monitor for suspicious ioctl calls with ETW (Event Tracing for Windows)

What's Next

  1. Microsoft will likely patch in June or July Patch Tuesday (speculation, but pattern suggests they don't move fast on re-disclosed issues)
  2. PoC will be weaponized within 1–2 weeks if not already (typical for public exploits)
  3. Red team activity will spike; expect MiniPlasma chains in targeted attacks
  4. Researcher will likely release more zero-days if Microsoft doesn't engage on the disputed CVE-2020-17103 handling

References

  • Google Project Zero Issue 42451192: CVE-2020-17103 original report (Forshaw, Sept 2020)
  • Chaotic Eclipse GitHub: MiniPlasma PoC + compiled binary (public)
  • BleepingComputer test: Confirmed working on Windows 11 Pro May 2026 Patch Tuesday
  • Will Dormann (Tharros): Confirmed; doesn't work on Windows 11 Insider Canary
  • Related zero-days: BlueHammer (CVE-2026-33825), RedSun, YellowKey, GreenPlasma