Unpatched Windows 11 Privilege Escalation Exploit Grants SYSTEM Access Despite Microsoft’s 5-Year-Old Security Fix

MiniPlasma shows how one Windows patch can fail for years

A Windows privilege escalation exploit called MiniPlasma, disclosed by researcher Chaotic Eclipse, allows standard users to gain SYSTEM-level access on fully patched Windows 11 machines running Microsoft’s May 2026 updates. The underlying bug was originally reported by Google Project Zero’s James Forshaw in September 2020, assigned CVE-2020-17103, and supposedly patched in December 2020. Vulnerability analyst Will Dormann confirmed the exploit works on current public builds. The publicly released proof-of-concept code targets the Cloud Filter driver’s cldflt.sys component, making this a serious active threat rather than a theoretical vulnerability.

In-Depth:


A new Windows flaw called MiniPlasma has turned an old fix into a fresh headache for security teams. A working proof of concept now lets a standard user jump to SYSTEM on affected machines, which changes this from a research note into an active patching problem.

For startups and enterprises that run Windows infrastructure, that matters immediately. SYSTEM access is the kind of foothold that can be used to install software, alter files, tamper with security tools, and move sideways across a network with very little resistance.

MiniPlasma is the latest disclosure from a researcher known as Chaotic Eclipse, also called Nightmare Eclipse, and it centers on Windows Cloud Filter driver code tied to cldflt.sys. According to BleepingComputer, the exploit was released with source code and a compiled executable, and it worked on a fully patched Windows 11 Pro machine running Microsoft’s May 2026 updates. Will Dormann, a principal vulnerability analyst at Tharros, also confirmed that the exploit worked on the latest public Windows 11 build, although not on the newest Insider Canary build.

The uncomfortable detail is that the underlying issue is not new. The bug was originally reported by Google Project Zero researcher James Forshaw in September 2020, assigned CVE-2020-17103, and Microsoft said it fixed it in December 2020. BleepingComputer reported that the researcher now believes the exact same flaw is still present, or that the original patch was silently rolled back at some point. That is a serious claim, but the proof of concept appears to back it up.

The release of working exploit code changes how defenders should think about this class of bug. A disclosed vulnerability is one thing. A public exploit that reliably grants elevated access on current systems is another, because it lowers the barrier from research to abuse.

That is especially true in an environment where attackers increasingly use automation and AI assistance to adapt public code into operational tooling. Once exploit logic is available, the time between disclosure and real-world probing can shrink quickly. Security teams do not need to assume every attacker will weaponize MiniPlasma immediately, but they should assume the code will circulate and be tested.

The technical path here is also the sort of thing defenders worry about because it targets trust boundaries inside Windows itself. BleepingComputer stated the exploit appears to abuse how the Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API, while Forshaw’s original report described a path that could allow arbitrary registry keys to be created in the .DEFAULT hive without proper access checks. In plain language, this is the sort of bug that turns a local user into a much more powerful one.

That may sound narrow, but in practice local privilege escalation bugs are often the second stage of a broader intrusion. An attacker who gains a foothold through phishing, a vulnerable service, or another exposed application can use SYSTEM access to harden their position, disable controls, and reach other machines. For a startup with a lean security team, that can be the difference between containing an incident and watching it spread.

What founders should do now

Microsoft has not publicly confirmed a new fix for MiniPlasma at the time of reporting, and BleepingComputer stated it had contacted the company for comment. That leaves defenders with a simple task: treat this as an active exposure, not a theoretical bug. If your Windows systems are fully patched and still vulnerable to the published PoC, patch status alone is not enough of a comfort blanket.

Security-focused founders and CTOs should start with the machines that matter most, especially admin workstations, file servers, endpoints with broad network reach, and any Windows system that accepts untrusted input or sits close to lateral movement paths. Inventory which systems are public-facing, which are reachable from internal networks, and which users have local administrative rights. Those are the places where a privilege escalation bug does the most damage.

It is also worth reviewing how quickly you can detect abnormal child processes, elevated shells, and unusual registry changes on Windows endpoints. MiniPlasma is a reminder that patching is only part of the answer. If a local exploit lands before a fix is available, the next best defense is visibility, least privilege, and a network layout that makes lateral movement expensive.
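As an added illustration (not code from the article, BleepingComputer, or the researcher), the following Python heuristic scans constructed Sysmon-style events for the two behaviours the paragraph calls out: a non-SYSTEM process creating keys under the HKU\.DEFAULT hive, and a standard-user parent spawning a SYSTEM child. The key=value line format and all sample events are constructed; a real deployment would feed it the corresponding Sysmon Process Create (Event ID 1) and RegistryEvent (Event ID 12) fields.

```python
"""Heuristic detection for privilege-escalation symptoms on Windows endpoints.

Two rules, both derived from the article's description of the bug class:
  1. Registry key creation under HKU\\.DEFAULT by a process not running as SYSTEM.
  2. A SYSTEM-level child process whose parent ran as a standard user.
Event format and sample data are constructed for this example (not real telemetry)."""

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed sample events: "key=value|key=value" per line, mirroring Sysmon fields.
SAMPLE_LOG = """\
event=RegistryKeyCreate|user=CORP\\alice|image=C:\\Users\\alice\\poc.exe|target=HKU\\.DEFAULT\\Software\\Demo
event=RegistryKeyCreate|user=NT AUTHORITY\\SYSTEM|image=C:\\Windows\\System32\\svchost.exe|target=HKU\\.DEFAULT\\Software\\Microsoft
event=ProcessCreate|user=NT AUTHORITY\\SYSTEM|image=C:\\Windows\\System32\\cmd.exe|parent_user=CORP\\alice|parent_image=C:\\Users\\alice\\poc.exe
event=ProcessCreate|user=CORP\\alice|image=C:\\Windows\\System32\\notepad.exe|parent_user=CORP\\alice|parent_image=C:\\Windows\\explorer.exe
event=ProcessCreate|user=NT AUTHORITY\\SYSTEM|image=C:\\Windows\\System32\\svchost.exe|parent_user=NT AUTHORITY\\SYSTEM|parent_image=C:\\Windows\\System32\\services.exe
"""


def parse_line(line):
    """Turn one 'k=v|k=v' line into a dict of event fields."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_suspicious(ev):
    """Return a human-readable reason if the event matches a rule, else None."""
    if ev["event"] == "RegistryKeyCreate":
        # Keys under the .DEFAULT hive are normally written by SYSTEM-owned code;
        # a user-context process creating them there deserves investigation.
        if ev["target"].upper().startswith("HKU\\.DEFAULT") and ev["user"].upper() != SYSTEM_USER:
            return f"non-SYSTEM write to .DEFAULT hive by {ev['user']}: {ev['target']}"
    elif ev["event"] == "ProcessCreate":
        # A SYSTEM child with a standard-user parent is the classic local-escalation footprint.
        if ev["user"].upper() == SYSTEM_USER and ev["parent_user"].upper() != SYSTEM_USER:
            return f"SYSTEM child {ev['image']} spawned by {ev['parent_user']} via {ev['parent_image']}"
    return None


def scan(log_text):
    """Return a list of (event_type, reason) tuples for every event that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = is_suspicious(ev)
        if reason:
            hits.append((ev["event"], reason))
    return hits


if __name__ == "__main__":
    for event_type, reason in scan(SAMPLE_LOG):
        print(f"[{event_type}] {reason}")
```

Both rules will fire on legitimate software occasionally (installers, some service hosts), so they belong in a triage queue rather than an automatic block list.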

The larger pattern here is hard to ignore. BleepingComputer described MiniPlasma as part of a string of Windows zero-day disclosures from the same researcher over recent weeks, including BlueHammer, RedSun, UnDefend, YellowKey, and GreenPlasma. That makes this look less like an isolated surprise and more like a signal that Windows privilege and recovery paths are still fertile ground for attackers, researchers, and anyone standing in between.

For operators, the lesson is blunt. A patch that looks finished in one release can still be incomplete years later. When working exploit code appears, the window between disclosure and operational abuse is often much shorter than teams want to believe.
