A critical Windows privilege escalation zero-day vulnerability, codenamed MiniPlasma, has been publicly disclosed by security researcher Chaotic Eclipse. This flaw grants attackers SYSTEM privileges on fully patched Windows systems, raising significant security concerns for users worldwide. The vulnerability targets the Windows Cloud Files Mini Filter Driver (cldflt.sys) and was reportedly fixed by Microsoft in December 2020.
However, further investigation by Chaotic Eclipse revealed that the original issue, initially reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020, remains unpatched. This discovery means that despite previous assumptions of a fix, an identical vulnerability persists, potentially exposing a wide range of Windows versions to elevated access by malicious actors.
MiniPlasma: A Persistent Windows Privilege Escalation Threat
The MiniPlasma vulnerability resides within a routine named “HsmOsBlockPlaceholderAccess” in the cldflt.sys component. Chaotic Eclipse claims that their investigation uncovered the vulnerability’s continued presence, stating that the original proof-of-concept (PoC) provided by Google still functions without modification. This suggests that Microsoft may have either failed to adequately address the flaw or that a previous patch was silently reverted.
“I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons,” the researcher stated, as reported by security news outlets. Chaotic Eclipse has weaponized the original PoC to demonstrate its capability of spawning a SYSTEM shell, indicating its potential for exploitation.
Uncertainty Around Patching and Scope
The researcher indicated that the vulnerability’s success rate is contingent on race conditions, meaning exploitation could vary between systems. Furthermore, Chaotic Eclipse suggests that all Windows versions are likely susceptible to this privilege escalation flaw. This broad potential impact amplifies the urgency for Microsoft to issue a definitive and effective patch.
Security researcher Will Dormann corroborated the findings, noting that MiniPlasma reliably opened a command prompt with SYSTEM privileges on Windows 11 systems running the latest May 2026 updates. However, Dormann observed that the exploit did not appear to function on the most recent Windows 11 Insider Preview Canary builds, suggesting potential ongoing internal testing or mitigation efforts by Microsoft.
Background of Cloud Files Mini Filter Driver Flaws
This discovery follows a pattern of security issues impacting the Windows Cloud Files Mini Filter Driver. In December 2025, Microsoft addressed a separate privilege escalation vulnerability within the same component, identified as CVE-2025-62221. This earlier flaw, which carried a CVSS score of 7.8, was noted by Microsoft as having been exploited by unidentified threat actors.
The continued presence of vulnerabilities in critical system components like the Cloud Files Mini Filter Driver underscores the persistent challenges in maintaining robust cybersecurity. The disclosure of MiniPlasma by Chaotic Eclipse prompts renewed attention on Microsoft’s patching processes and the thoroughness of its vulnerability remediation efforts. Users and organizations are advised to remain vigilant and monitor for official security advisories from Microsoft regarding this newly identified risk.
The next expected step is for Microsoft to acknowledge the reported MiniPlasma vulnerability and provide an official statement on its status and remediation plans. The success of future exploits will likely depend on the race condition element and the effectiveness of any forthcoming patches. Users should prioritize applying all available Windows security updates as they are released, particularly those addressing privilege escalation, to mitigate potential risks.