A new Windows vulnerability called MiniPlasma has recently become a serious concern in the cybersecurity community. Researchers discovered that the exploit can give attackers full SYSTEM-level access on fully updated Windows systems. What makes this issue more dangerous is that the vulnerability reportedly works even after installing the latest May 2026 Windows security updates. Because of this, many security experts are calling it a major Windows zero-day threat.

The vulnerability was publicly revealed by cybersecurity researcher Chaotic Eclipse, also known as Nightmare Eclipse online. The researcher also released a proof-of-concept exploit and source code publicly for testing and research purposes. According to the findings, Microsoft may not have fully fixed the original vulnerability in previous updates. Some researchers also believe later Windows updates may have unintentionally reintroduced the weakness into the operating system again.

Researchers say the flaw is connected to cldflt.sys, which is the Windows Cloud Files Mini Filter Driver. This driver is mainly used by cloud-related services such as OneDrive and file synchronization features inside Windows. The vulnerability reportedly exists inside a function called HsmOsBlockPlaceholderAccess within the driver itself. Since this driver is part of Windows, the exploit can affect normal systems without requiring additional software installations.

Interestingly, the MiniPlasma issue has been linked to an older vulnerability identified as CVE-2020-17103. That older flaw was originally discovered in 2020 by Google Project Zero researcher James Forshaw. Microsoft released a security patch for the issue in December 2020 and considered the vulnerability fixed at that time. However, recent investigations now suggest that the weakness may still exist in modern Windows versions even today.

During demonstrations performed by security researchers, the exploit successfully gave a low-privileged account full SYSTEM access. SYSTEM privileges are among the highest permission levels available inside the Windows operating system. With this access, attackers can gain almost complete control over the targeted machine without restrictions. Researchers report that the exploit works on fully patched public Windows 11 builds released this year.

Security experts warn that SYSTEM-level access is extremely dangerous because it allows attackers to perform critical actions. Cybercriminals could disable antivirus software, install hidden malware, steal passwords, or access sensitive files stored on the computer. Attackers may also use the exploit to maintain long-term control over infected systems without being easily detected. Because of these risks, the vulnerability is being treated as a high-priority security issue by researchers worldwide.

Technical analysis suggests the exploit abuses the way Windows handles registry key creation through an undocumented API called CfAbortHydration. Researchers believe improper security checks inside the .DEFAULT registry hive make privilege escalation possible in this case. Independent security researcher Will Dormann also reportedly tested the exploit on public Windows 11 builds successfully. However, reports claim the exploit does not work on newer Windows Insider Canary builds, suggesting Microsoft may already be testing an internal fix.
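For triage, a defender's first question is which hosts carry the driver named in the report and at what build they are running. The following PowerShell inventory check is an added example, not code from the article or from the researchers it cites; it assumes the driver path `%SystemRoot%\System32\drivers\cldflt.sys` and the filter service name `CldFlt` (the name `fltmc filters` shows for this driver), both of which are assumptions rather than facts stated in the article. The result supports inventory and patch tracking only; because the article says fully patched builds are affected, a current driver version is not evidence that a host is safe.

```powershell
# Added inventory check (not from the article): report the cldflt.sys file
# version, whether the Cloud Files mini filter is registered and running, and
# the OS build plus latest installed update, so affected hosts can be listed.
# Assumed: driver path %SystemRoot%\System32\drivers\cldflt.sys and the
# service name 'CldFlt' for the Cloud Files Mini Filter Driver.

function Get-CloudFilesDriverStatus {
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $fileInfo   = if (Test-Path $driverPath) { (Get-Item $driverPath).VersionInfo } else { $null }

    # Kernel drivers are not returned by Get-Service; query Win32_SystemDriver instead.
    $driverSvc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CldFlt'" -ErrorAction SilentlyContinue

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # UBR (update build revision) tells monthly cumulative updates apart when the
    # major build number is the same.
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    $latestHotfix = Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSBuild           = "$($os.BuildNumber).$ubr"
        DriverPresent     = [bool]$fileInfo
        DriverFileVersion = if ($fileInfo) { $fileInfo.FileVersion } else { 'n/a' }
        FilterState       = if ($driverSvc) { $driverSvc.State } else { 'not registered' }
        FilterStartMode   = if ($driverSvc) { $driverSvc.StartMode } else { 'n/a' }
        LatestHotfix      = if ($latestHotfix) { $latestHotfix.HotFixID } else { 'none found' }
        LatestHotfixDate  = if ($latestHotfix) { $latestHotfix.InstalledOn } else { $null }
    }
}

# Run locally; wrap in Invoke-Command to collect the same object from a fleet.
Get-CloudFilesDriverStatus | Format-List
```

The function returns one object per host so the output can be collected centrally and compared against the build the researchers tested; the `OSBuild` field includes the UBR so that hosts on the same major build but different cumulative updates are distinguishable.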

At the moment, Microsoft has not released an official emergency patch or detailed public advisory specifically for MiniPlasma. Until a proper fix becomes available, users and organizations are being advised to remain cautious while using Windows systems. Security experts recommend avoiding suspicious files, limiting unnecessary permissions, and keeping security software fully enabled and updated. The MiniPlasma incident once again shows that even fully patched systems may still contain hidden security weaknesses.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news