
Chaotic Eclipse, the security researchers behind the recently revealed Windows flaws YellowKey and GreenPlasma, have released a proof of concept (PoC) for a Windows privilege escalation zero-day flaw that grants an attacker SYSTEM privileges on a fully patched Windows system.
Codenamed MiniPlasma, the vulnerability affects "cldflt.sys", the Windows Cloud Files Mini Filter Driver, and resides in a routine named "HsmOsBlockPlaceholderAccess", the researchers said, adding that the vulnerability was first reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.
The flaw was thought to have been fixed by Microsoft as part of CVE-2020-17103 in December 2020, but Chaotic Eclipse said further investigation “found that the exact same issue existed. […] It’s actually still there and hasn’t been patched.”
“We do not know whether Microsoft simply did not patch this issue or whether the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes,” the researchers added. “To highlight this issue, I weaponized the original PoC to generate a SYSTEM shell. It seems to work reliably on my machine, but success rates may vary due to race conditions.”
The researchers further noted that all Windows versions can be affected by this vulnerability.
In a post shared on Mastodon, security researcher Will Dormann said MiniPlasma “reliably” works for opening “cmd.exe” prompts with SYSTEM privileges on Windows 11 systems running the latest May 2026 update. “The latest Insider Preview Canary does not appear to work on Windows 11,” Dormann noted.
In December 2025, Microsoft also addressed another privilege escalation flaw in the same component (CVE-2025-62221, CVSS score: 7.8), which we identified as being exploited by an unknown attacker.
