
MiniPlasma: Windows Security Flaw Enables System Privileges on Patched Systems

The Point: A Windows vulnerability known since 2020 (MiniPlasma) remains unpatched and enables SYSTEM privileges on current Windows systems. Microsoft appears to have either never fully resolved the issue or subsequently rolled back the patch.

A Windows security flaw known as MiniPlasma allows attackers to obtain SYSTEM privileges on fully updated Windows systems. Security researcher Chaotic Eclipse has published a proof-of-concept and suspects that the vulnerability, known since 2020, was never fully patched by Microsoft.

Chaotic Eclipse, the security researcher behind the recently disclosed Windows bugs YellowKey and GreenPlasma, has published a proof-of-concept (PoC) for a Windows privilege escalation security flaw. The vulnerability, referred to as MiniPlasma, affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), specifically the “HsmOsBlockPlaceholderAccess” routine.

Google Project Zero researcher James Forshaw had already reported the flaw to Microsoft in September 2020. It was believed that Microsoft patched the issue in December 2020 under CVE-2020-17103. However, Chaotic Eclipse discovered that “the exact same problem is actually still present and unpatched.”

The researcher leveraged the original PoC to launch a SYSTEM shell. “It works reliably on my systems, but the success rate can vary because it is a race condition,” he explained. Because the vulnerability is timing-dependent, reliability differs. Security researcher Will Dormann nonetheless confirmed that MiniPlasma works reliably on Windows 11 systems with the latest May 2026 updates and opens a cmd.exe command prompt with SYSTEM privileges.

Currently, it is likely that all Windows versions are affected by this vulnerability. Interestingly, the exploit does not work on the latest Insider Preview Canary version of Windows 11. In December 2025, Microsoft already fixed another privilege escalation flaw in the same component (CVE-2025-62221, CVSS score: 7.8), which unknown threat actors have already been exploiting.
