MiniPlasma Just Pulled the Plug on Your Windows Privileges—And Microsoft? Still Asleep At The Switch 🤡
Let me tell you a story that's so wild, so infuriating, and so *technically delicious*, it belongs in a Netflix documentary narrated by Morgan Freeman while a synthwave track plays in the background:
A lone hacker—codename Chaotic Eclipse (or Nightmare Eclipse, depending on whether he's feeling poetic or just evil)—just dropped a SYSTEM-LEVEL zero-day on fully patched Windows 11 machines… and Microsoft is *still* acting like it's a Monday morning parking ticket.
That's MiniPlasma. Not a Spotify playlist. Not a new energy drink. A privilege escalation exploit that turns "Guest_User_2003" into "NT AUTHORITY\SYSTEM" in under 0.7 seconds.
Yes, you read that right. ZERO CLICK. ZERO USER INTERACTION. JUST RUN AND BECOME GOD.
And here's the *spicy* part: This flaw was supposedly patched in 2020. Microsoft declared victory. Google Project Zero cheered. We all cracked open a LaCroix and called it a day.
Turns out: The "fix" wasn't.
It's like Microsoft handed you a new lock, but forgot to change the keyhole—and the lock itself was made of balsa wood, a spare bolt from an IKEA bookshelf, and duct tape. Chaotic Eclipse didn't *break* the fix—he just walked through the front door, took a selfie, and left a note on the fridge: "sorry, not sorry."
So what *exactly* happened? Who is this chaotic mess? And why should you be dropping everything to check your Windows Update logs *right now*? Buckle up, buttercup—we're diving headfirst into Windows' most embarrassing backdoor since "Admin$".
Hold Up—What *Is* MiniPlasma? (Spoiler: It’s Not a New Blender)
MiniPlasma is a proof-of-concept (PoC) exploit targeting a privilege escalation vulnerability in the Windows cldflt.sys driver—the tiny, unassuming "Cloud Filter" that helps your machine play nice with OneDrive and Azure File Sync.
Specifically, MiniPlasma abuses a broken function called HsmOsBlockPlaceholderAccess inside that driver. Sounds boring? Nope.
This routine is supposed to handle access to file placeholders (like those sneaky "cloud-only" files that only download when you click them). But due to a *fundamental* logic flaw? It lets any low-privileged user write arbitrary registry keys to the .DEFAULT user hive—without proper access checks.
Why is that a big deal? Because the .DEFAULT hive? That's where Windows loads before anyone logs in. Think of it as the OS's subconscious mind—and now attackers are scribbling in its diary.
The end result? You drop a registry key pointing to a malicious DLL, reboot, and boom—you're SYSADMIN before your coffee finishes brewing.
BleepingComputer ran the exploit on a fully patched Windows 11 Pro machine (May 2026 Patch Tuesday). Standard user account? Check.
MiniPlasma.exe? 2 seconds.
Command Prompt running as NT AUTHORITY\SYSTEM? YEET.
Not impressed? Let's add color: This exploit is so efficient, it's basically a digital samurai who draws his blade and ends the fight before your eyes even blink. 🔥
How MiniPlasma Works: Grandma’s Edition (Yes, Really)
Imagine Windows is a fancy French restaurant. You're a waiter—fine, but you still can't touch the vault (the registry).
The cldflt.sys driver? It's the sous-chef who secretly knows how to open the vault—but only to fetch rare truffle shavings (i.e., legitimate placeholder files).
Here's the rub:
The CfAbortHydration API is *supposed* to be a "cancel order" button. But due to a missing bouncer at the door? Any intern can press that button—and while they're at it, scribble a secret recipe on the restaurant's master ledger.
That ledger? The HKEY_USERS\.DEFAULT hive.
Now, what could you write in that ledger? Oh, just a classic Windows trick: create an "Image File Execution Options" key pointing to a malicious DLL for cmd.exe.
Next boot? Windows loads your DLL *instead* of CMD. You get code execution with SYSTEM rights. The waiter? Now they're the head chef. With full stock options. And a private jet.
This is the same technique Google's James Forshaw reported in 2020. Only Chaotic Eclipse found it's still wide open.
How? Well… Microsoft *supposedly* patched CVE-2020-17103 in December 2020. But according to our source:
"After investigating, it turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched. I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons."
…Wait. What? A patch that vanished? Like my will to live after updating Windows 11.
The Researcher: Chaotic Eclipse—Part-Time Hacker, Full-Time Microsoft Whiplash Victim
Chaotic Eclipse isn't some shadowy Russian spambot or a TikTok "cyber gangsta."
He's a *real* researcher who's been in the trenches—and comes out bloody, bruised, and carrying a flamethrower of zero-days.
MiniPlasma isn't even his first rodeo this month! He's been on an absolute Windows Zero-Day Spree since April 2026:
- BlueHammer (CVE-2026-33825) – LPE exploit
- RedSun – Another LPE (patched silently? 😳)
- UnDefend – Windows Defender DoS tool (aka: "Let me just, uh, turn off the antivirus real quick")
- YellowKey – BitLocker TPM bypass (gives shell access to encrypted drives—because why secure if you can't *control* it?)
- GreenPlasma – Details TBD (but yeah, it's another LPE)
And here's the kicker: All of them—except BlueHammer—were spotted being weaponized in real-world attacks.
RedSun? Microsoft patched it without giving it a CVE number. So yes, they quietly closed the hole… but didn't tell anyone they'd left the front gate unlocked for six months. Classic.
When asked about YellowKey and BitLocker, Chaotic Eclipse said:
"YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that spawns a command shell that gives access to unlocked drives protected by TPM-only BitLocker configurations."
TPM-only configuration? That's the "I forgot my password" setting—the digital equivalent of locking your house, then taping the key to the mat. And he bypasses it. Like it's nothing.
They Promised Me a Life… Then Mopped the Floor With Me
Chaotic Eclipse didn't just snap and go full vigilante.
He *tried* the nice way. He submitted bugs. He waited. He got ghosted. Then… he got threatened.
In a rare public outburst, he detailed what he claims happened after reporting vulnerabilities:
"Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I'm not sure if I was the only who had this horrid experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything."
"They mopped the floor with me and pulled every childish game they could. It was so bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer."
Y'know what? I believe him.
Microsoft *has* a history of being… cold. Aggressive. Vague. And when bug bounty payouts come with non-disclosure agreements (NDAs) that smell like a vampire's handshake? Yeah. People get bitter.
Microsoft's response? Standard PR-speak:
"Microsoft supports coordinated vulnerability disclosure and is committed to investigating reported security issues and protecting customers through updates."
Translation: "We promise to try not to break our promises."
But here's the real tea: BleepingComputer confirmed the exploit works on production Windows 11—but *not* in the latest Canary Insider build.
So… is Microsoft *already* rolling out a patch… but only to Insider users? Are they testing fixes like a chef microwaving a burrito to "test the flavor"?
The world may never know.
So—What Now? You’re Not Doomed (Yet)
Before you throw your laptop into a lake and book a one-way ticket to a yurt in Maine: YES, you're vulnerable. But NO, you're not helpless.
Here's what you *actually* need to do—no jargon, no fluff, just real talk:
Immediate Damage Control Checklist (aka “How to Stop MiniPlasma From Ruining Your Life”)
- ✅ Disable the Cloud Filter driver temporarily—Only if you *don't* use OneDrive/Enterprise Cloud Sync. (Run as Admin: sc config cldflt start= disabled)
- ⚠️ Block script execution with AppLocker/WDAC. If MiniPlasma.exe drops a BAT/PS1, it won't run. Simple, brutal, effective.
- 🔐 Enforce full-disk BitLocker *with* a PIN (not just TPM)—if you rely on drive encryption. TPM-only? That's like locking your car but leaving the keys in the glovebox.
- 🧠 Review scheduled tasks & registry autoruns using autoruns.exe (Sysinternals). Look for anything weird under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run.
- 🔥 Enable Defender Application Control (WDAC)—it's harder to set up, but it turns Windows into a fascist state for EXEs. No unapproved code *dare* run.
- 📞 Get patched—ASAP. Check for KB5027 or newer. If you're still on 2023 builds? You're basically a piñata for exploit scripts.
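If you want the checklist's registry review and driver check in one read-only script, here is an added example (mine, not the article's and not the researcher's tooling). It lists Run values under the .DEFAULT hive, flags any Image File Execution Options subkey carrying a Debugger value (the classic IFEO redirect; checking that key inside .DEFAULT as well as the usual HKLM spot is an assumption drawn from the article's description), and reports the cldflt driver's state. It only reports; it deletes nothing.

```powershell
# Added audit script (not from the article). Run from an elevated prompt so
# HKEY_USERS\.DEFAULT is readable. Read-only: it flags, it does not delete.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run values under the .DEFAULT hive (the hive Windows loads before anyone logs in).
$defaultRun = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $defaultRun) {
    $props = Get-ItemProperty -Path $defaultRun
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties PowerShell attaches to registry objects.
        if ($p.Name -notmatch '^PS') {
            $findings.Add("DEFAULT Run value '$($p.Name)' -> $($p.Value)")
        }
    }
}

# 2. Image File Execution Options: a Debugger value on a subkey redirects every
#    launch of that binary (cmd.exe in the article's scenario). The HKLM path is the
#    standard location; the .DEFAULT path is an assumption based on the article.
$ifeoRoots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings.Add("IFEO Debugger on $($_.PSChildName): $dbg") }
    }
}

# 3. Cloud Filter driver state, matching the checklist's 'sc config cldflt start= disabled' step.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='cldflt'" -ErrorAction SilentlyContinue
if ($drv) { $findings.Add("cldflt driver: State=$($drv.State) StartMode=$($drv.StartMode)") }

if ($findings.Count -eq 0) {
    'No Run values or IFEO Debugger entries found in the audited locations.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Treat every line it prints as something to explain, not something to delete: legitimate software does populate Run keys, and a Debugger value may be a real debugging setup.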
And for the love of DNS over HTTPS: ENABLE 2FA ON EVERYTHING. Especially Microsoft accounts. Because if MiniPlasma gets you to open *one* thing, it's game over.
Final Verdict: Microsoft Just Got Hacked—By Their Own Bugs
MiniPlasma isn't just another CVE. It's a symbol of systemic neglect wrapped in bureaucratic confusion and served with a side of "well, we *tried*."
Google found the flaw. Microsoft said "patched." Chaotic Eclipse says "lol no."
The exploit works on production Windows 11. It's *not* working in Canary builds. Which means: Microsoft *knows* it's broken—and they're sitting on the fix like it's the Holy Grail.
And Chaotic Eclipse? He's not a villain. He's the canary in the coal mine—a researcher who dared to say: "If you won't fix it, I will. And then I'll show everyone *how*."
So here's the truth bomb:
Yes, Windows is still fragile. Yes, privilege escalation is *still* child's play for the motivated. And yes—you're one PoC exploit away from becoming a sysadmin's worst nightmare.
Do this now:
- Run MiniPlasma in a VM to see how fast it works.
- Disable unnecessary drivers—not just cldflt.sys.
- Enable WDAC before your next coffee break.
- Share this post—because ignorance is *not* a security posture.
The Bottom Line: Don’t Wait for the “Oops” Moment
In cybersecurity, there are only two types of people:
Those who've been rooted—and those who haven't *yet*.
MiniPlasma is the reminder we all needed: Trust, but verify. Patch, but validate. And never, ever trust Microsoft's "fixed" label without checking the code yourself.
So go ahead. Run the exploit (in a VM—don't be *that* person). Check your registry. Lock down your system.
And when Microsoft finally says "Oops, our bad"?
Be ready. Because next time? It might be *your* data on the dark web.
Share this. Comment this. 2FA your life. And for the love of all that is holy—STOP RUNNING THINGS AS ADMIN!