A newly disclosed Windows zero-day vulnerability in the Cloud Files Mini Filter Driver allows attackers to gain SYSTEM privileges on fully patched systems, with a proof-of-concept already available.

A critical Windows zero-day vulnerability dubbed MiniPlasma is enabling attackers to gain SYSTEM privileges on fully patched Windows systems, with a proof-of-concept exploit already circulating in security circles. The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys) and represents a significant security risk across all Windows versions.
The MiniPlasma Vulnerability Explained
MiniPlasma resides in a routine named "HsmOsBlockPlaceholderAccess" within the cldflt.sys component, which handles cloud file operations in Windows. According to Chaotic Eclipse, the security researcher behind the disclosure, this vulnerability was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.
What makes MiniPlasma particularly concerning is that it was believed to have been fixed in December 2020 as part of CVE-2020-17103. However, further investigation has revealed that "the exact same issue [...] is actually still present, unpatched." Chaotic Eclipse was unsure whether Microsoft never properly addressed the issue or whether the patch was silently rolled back for unknown reasons.
"I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes," the researcher explained.
Proof-of-Concept and Exploitation
Chaotic Eclipse has weaponized the original proof-of-concept to spawn a SYSTEM shell, demonstrating the vulnerability's real-world impact. "It seems to work reliably in my machines but success rate may vary since it's a race condition," the researcher added.
Security researcher Will Dormann confirmed the vulnerability's effectiveness in practice. In a post shared on Mastodon, Dormann stated that MiniPlasma works "reliably" to open a "cmd.exe" prompt with SYSTEM privileges on Windows 11 systems running the latest May 2026 updates.
"I'll note that it does not seem to work on the latest Insider Preview Canary Windows 11," Dormann pointed out, suggesting that some recent builds may have addressed the issue.
Affected Systems and Historical Context
The vulnerability appears to affect all Windows versions, though Dormann's testing focused on Windows 11 with May 2026 updates. This isn't the first time this component has been problematic for Microsoft.
In December 2025, Microsoft addressed another privilege escalation flaw in the same component (CVE-2025-62221, CVSS score: 7.8), which the company identified as being exploited by unknown threat actors. This pattern of vulnerabilities in the Cloud Files Mini Filter Driver suggests it represents a persistent security challenge for Microsoft.
Technical Analysis
The MiniPlasma vulnerability leverages a race condition in the HsmOsBlockPlaceholderAccess routine. Race conditions occur when the timing of operations allows for unexpected behavior that wasn't accounted for in the code design. In this case, attackers can manipulate the timing of operations to trick the system into granting elevated privileges.
The fact that the original proof-of-concept from 2020 still works without modification indicates a fundamental design flaw rather than a simple implementation error. This makes the vulnerability particularly difficult to patch without potentially breaking legitimate functionality.
Mitigation Strategies
While Microsoft has not yet released an official patch for MiniPlasma, organizations can take several steps to mitigate the risk:
Restrict Access to cldflt.sys: Security teams can implement application control policies to prevent unauthorized access to the vulnerable driver.
Network Segmentation: Limit the attack surface by implementing network segmentation, particularly for systems handling sensitive data.
Principle of Least Privilege: Ensure user accounts have only the minimum privileges necessary to perform their functions.
Monitor for Suspicious Activity: Implement monitoring for unusual system behavior, particularly around cloud file operations.
Consider Temporary Mitigations: Some organizations may choose to temporarily disable the Cloud Files Mini Filter Driver functionality, though this may impact legitimate cloud file operations.
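Before deciding on the last mitigation, it helps to know where the driver is loaded and whether anything depends on it. The following is an added example, not code from the article, the researcher, or Microsoft: a read-only PowerShell inventory for one host. It assumes the driver's service name is `CldFlt` and that cloud sync providers register under the `SyncRootManager` key in HKLM; the function name and the impact labels are illustrative.

```powershell
# Added example: read-only inventory of the Cloud Files mini filter on this host.
# Assumptions: service name 'CldFlt'; sync providers register under SyncRootManager.
function Get-CldFltExposure {
    [CmdletBinding()]
    param()

    # Driver entry as the Service Control Manager sees it (state and start mode).
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CldFlt'" `
        -ErrorAction SilentlyContinue

    # On-disk binary version, for tracking which build each host carries.
    $path = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $ver = $null
    if (Test-Path -LiteralPath $path) {
        $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
    }

    # Registered sync roots: cloud providers that rely on the filter driver.
    $srKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
    $syncRoots = @()
    if (Test-Path -LiteralPath $srKey) {
        $syncRoots = @(Get-ChildItem -LiteralPath $srKey -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSChildName })
    }

    # Heuristic label only: with no sync roots, disabling the filter has
    # little for legitimate cloud file operations to lose.
    $impact = 'Sync roots registered: disabling affects cloud file operations'
    if ($syncRoots.Count -eq 0) { $impact = 'No sync roots registered' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        DriverPresent = [bool]$drv
        DriverState   = $drv.State       # e.g. Running / Stopped
        StartMode     = $drv.StartMode   # e.g. Auto / Manual / Disabled
        FileVersion   = $ver
        SyncRootCount = $syncRoots.Count
        SyncRoots     = $syncRoots -join '; '
        DisableImpact = $impact
    }
}

Get-CldFltExposure | Format-List
```

Run across a fleet, the output separates hosts where the driver is running with no registered sync roots from hosts where disabling it would interrupt cloud sync.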
Industry Response
The security community has been quick to respond to the disclosure. Security researchers are analyzing the vulnerability to understand its full impact and potential variations. Microsoft has been notified but has not yet commented on the timeline for a patch.
This disclosure comes at a time when Windows security is under increased scrutiny, with several high-profile vulnerabilities disclosed in recent months. The MiniPlasma vulnerability highlights the challenges of maintaining security in complex operating systems with millions of lines of code.
Looking Forward
Organizations should monitor Microsoft's security channels for updates on this vulnerability. Given the severity of the issue (SYSTEM privilege escalation on fully patched systems), organizations should prioritize monitoring and implementing temporary mitigations until a permanent patch is available.
The MiniPlasma vulnerability serves as a reminder that even well-audited code can contain persistent flaws that evade detection for years. It also underscores the importance of continued security research and responsible disclosure practices in maintaining the security of widely used software platforms.
For more information on this vulnerability, organizations can refer to the original disclosure by Chaotic Eclipse and the analysis provided by security researchers in the community. Microsoft's security advisory page should be checked regularly for updates on this issue.
