Critical Windows ‘MiniPlasma’ Zero-Day Grants SYSTEM Access

Jennifer sherman
May 18, 2026

A critical Windows zero-day vulnerability, dubbed “MiniPlasma,” has surfaced. A public proof-of-concept exploit for this privilege escalation flaw allows attackers to achieve SYSTEM-level privileges on fully patched Windows systems.

Security researcher Nightmare-Eclipse released the weaponized exploit on GitHub on May 13, 2026, claiming that Microsoft either failed to patch or silently rolled back the fix for a vulnerability originally reported six years ago.

The flaw targets the cldflt.sys Cloud Filter driver’s HsmOsBlockPlaceholderAccess routine, which was initially discovered and reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.

Microsoft assigned CVE-2020-17103 to the vulnerability and reportedly fixed it in December 2020 as part of its Patch Tuesday updates.

However, Nightmare-Eclipse discovered that the same issue documented in Forshaw’s original report remains exploitable without any modifications to the original proof-of-concept code.

The researcher released MiniPlasma one day after Microsoft’s May 2026 Patch Tuesday, timing the disclosure to follow the patch cycle and leaving organizations without an official fix until at least the next scheduled update.

The exploit has gained significant attention in the security community, with the GitHub repository accumulating over 390 stars within days of publication.

MiniPlasma Zero-Day PoC Released

The vulnerability allows unprivileged users to create arbitrary registry keys in the .DEFAULT user hive without proper access checks.

According to Google Project Zero, the flaw lies in how the HsmOsBlockPlaceholderAccess function handles registry key creation, failing to specify the OBJ_FORCE_ACCESS_CHECK flag.

This enables attackers to bypass normal access restrictions and write keys to the .DEFAULT user hive, even though standard users typically lack such permissions.

The exploit weaponizes this behavior by exploiting a race condition that toggles between user and anonymous tokens to manipulate the RtlOpenCurrentUser function in the kernel.

When the race condition succeeds, the system opens the .DEFAULT hive for writing while the thread impersonation is reverted, allowing unauthorized key creation.
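Because the observable effect described above is a key appearing in the .DEFAULT hive on behalf of a standard user, defenders can review registry key-creation telemetry for exactly that. The following is an added detection sketch, not code from the article or the researcher; the record fields (EventType, TargetObject, User, ProcessId) are modeled on Sysmon-style registry events, the sample records are constructed, and whether a given sensor attributes the creation to the calling user is an assumption to verify in your environment.

```python
import re

# Only LocalSystem is expected to create keys in its own profile hive
# (assumption; extend for your environment).
EXPECTED_USERS = {"nt authority\\system"}

# HKU\.DEFAULT is an alias for the LocalSystem hive HKU\S-1-5-18, so match both,
# in the abbreviated, long and kernel path spellings. The trailing (\\|$) keeps
# sibling hives such as S-1-5-18_Classes out.
_DEFAULT_HIVE = re.compile(
    r"^(?:hku|hkey_users|\\registry\\user)\\(?:\.default|s-1-5-18)(?:\\|$)",
    re.IGNORECASE,
)

def targets_default_hive(target_object):
    return bool(_DEFAULT_HIVE.match(target_object.strip()))

def suspicious_key_creations(events, expected_users=EXPECTED_USERS):
    """Return CreateKey events under .DEFAULT not attributed to an expected user."""
    hits = []
    for ev in events:
        if ev.get("EventType") != "CreateKey":
            continue
        if not targets_default_hive(ev.get("TargetObject", "")):
            continue
        # A missing User field is treated as unexpected, so it gets reviewed.
        if ev.get("User", "").lower() in expected_users:
            continue
        hits.append(ev)
    return hits

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "CreateKey", "ProcessId": 812, "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKU\.DEFAULT\Software\ExampleVendor"},
    {"EventType": "CreateKey", "ProcessId": 4120, "User": r"CORP\alice",
     "TargetObject": r"HKU\.DEFAULT\Software\ConstructedKey"},
    {"EventType": "CreateKey", "ProcessId": 4121, "User": r"CORP\alice",
     "TargetObject": r"\REGISTRY\USER\S-1-5-18\Software\ConstructedKey2"},
    {"EventType": "CreateKey", "ProcessId": 4122, "User": r"CORP\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\OwnHive"},
    {"EventType": "SetValue", "ProcessId": 4123, "User": r"CORP\alice",
     "TargetObject": r"HKU\.DEFAULT\Software\ExampleVendor\Setting"},
]

if __name__ == "__main__":
    for ev in suspicious_key_creations(SAMPLE_EVENTS):
        print(ev["ProcessId"], ev["User"], ev["TargetObject"])
```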

Nightmare-Eclipse’s proof-of-concept, published on GitHub, demonstrates reliable exploitation on multi-core systems by spawning a SYSTEM shell after successfully winning the race condition.

The vulnerability affects all Windows versions, making it a significant threat to enterprise environments, workstations, and cloud-synchronized systems.

Testing confirmed that running the exploit from a standard user account successfully opens a command prompt with SYSTEM privileges, granting attackers complete control over the compromised machine.

The Cloud Filter driver component is integral to Windows cloud storage synchronization services like OneDrive, meaning the vulnerable code runs on a broad range of Windows installations.

Organizations should monitor Microsoft’s security response and prepare to deploy patches as soon as they become available, as the public availability of working exploit code significantly increases the risk of exploitation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
