MiniPlasma Windows zero-day: working PoC gives SYSTEM on fully patched Windows 11 via cldflt.sys driver
A researcher who goes by Chaotic Eclipse has dropped working proof-of-concept code on GitHub for a Windows local privilege escalation that gives SYSTEM access on fully patched Windows 11 Pro and Windows Server 2025. The bug lives in the Cloud Filter driver cldflt.sys and is, the researcher says, the same flaw Google Project Zero reported to Microsoft as CVE-2020-17103 in 2020, which Microsoft said it fixed in December 2020. The original Google PoC works unmodified. May 2026 Patch Tuesday updates do not stop it. The same researcher has dropped several other Windows zero-days in recent weeks, all of which were quickly seen in real attacks.
- Check: Inventory Windows 11 and Server 2022/2025 endpoints. Hunt in the SIEM for unexpected SYSTEM-context cmd.exe spawns or new processes launched from standard user sessions touching cldflt.sys.
- Affected: Microsoft Windows 11 Pro and Windows Server 2025 with May 2026 Patch Tuesday updates applied. The researcher claims all Windows versions are likely affected.
- Fix: No patch available. Block execution of the public MiniPlasma binary by hash in EDR. Tighten local user privileges and restrict admin sessions on multi-user endpoints until Microsoft ships a fix.
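The hunt described under Check, sketched as an added example (not from the original article or the researcher's code). It assumes process-creation events exported as time-ordered JSON lines with Sysmon Event ID 1 field names; the sample events, account names and paths are constructed.

```python
import json

# Constructed sample events (not real telemetry), one JSON object per line,
# using Sysmon Event ID 1 field names. Assumed to be in time order.
SAMPLE_EVENTS = r"""
{"ProcessGuid":"A","ParentProcessGuid":"Z","Image":"C:\\Windows\\explorer.exe","User":"CORP\\alice"}
{"ProcessGuid":"B","ParentProcessGuid":"A","Image":"C:\\Users\\alice\\Downloads\\sample.exe","User":"CORP\\alice"}
{"ProcessGuid":"C","ParentProcessGuid":"B","Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM"}
{"ProcessGuid":"D","ParentProcessGuid":"Y","Image":"C:\\Windows\\System32\\services.exe","User":"NT AUTHORITY\\SYSTEM"}
{"ProcessGuid":"E","ParentProcessGuid":"D","Image":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM"}
{"ProcessGuid":"F","ParentProcessGuid":"A","Image":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\alice"}
"""

# Assumption: English account name; localized systems use a different string.
SYSTEM_USER = "nt authority\\system"


def find_system_children_of_user_processes(lines, watch_images=("cmd.exe",)):
    """Flag processes running as SYSTEM whose parent ran as a non-SYSTEM user."""
    user_by_guid = {}  # ProcessGuid -> User, filled as events are read
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        user_by_guid[ev["ProcessGuid"]] = ev["User"]
        parent_user = user_by_guid.get(ev["ParentProcessGuid"])
        if parent_user is None:
            continue  # parent creation not in this data set; cannot judge
        child_is_system = ev["User"].lower() == SYSTEM_USER
        parent_is_system = parent_user.lower() == SYSTEM_USER
        if child_is_system and not parent_is_system:
            name = ev["Image"].rsplit("\\", 1)[-1].lower()
            hits.append({
                "image": ev["Image"],
                "parent_user": parent_user,
                # cmd.exe is the spawn named in the hunt; others rank lower
                "priority": "high" if name in watch_images else "medium",
            })
    return hits


if __name__ == "__main__":
    for hit in find_system_children_of_user_processes(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Events whose parent was created before the collection window are skipped rather than guessed at, so widen the window if the parent lookup misses often.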