
New Windows 'MiniPlasma' Zero-Day Exploit Gives SYSTEM Access, PoC Released (bleepingcomputer.com)

A researcher known as Chaotic Eclipse has released a proof-of-concept exploit for a new Windows zero-day dubbed MiniPlasma, which BleepingComputer confirmed can grant SYSTEM privileges on fully patched Windows 11 systems. The researcher claims the bug is effectively a still-exploitable version of a 2020 flaw Microsoft said it had fixed. From the report: At the time, the flaw was assigned the CVE-2020-17103 identifier and reportedly fixed in December 2020. "After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched," explains Chaotic Eclipse. "I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes."

BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates. In our test, we used a standard user account, and after running the exploit, it opened a command prompt with SYSTEM privileges, as shown in the image [here]. Will Dormann, principal vulnerability analyst at Tharros, also confirmed the exploit works in his tests on the latest public version of Windows 11. However, he said that the flaw does not work in the latest Windows 11 Insider Preview Canary build.

The exploit appears to abuse how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. Forshaw's original report said that the flaw could allow arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, potentially enabling privilege escalation. While Microsoft reports having fixed the bug as part of its December 2020 Microsoft Patch Tuesday, Chaotic Eclipse now claims the vulnerability can still be exploited.
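The report above describes the underlying condition as a registry key being created under the .DEFAULT user hive without the expected access check. From a defender's side, the observable is a key creation in HKU\.DEFAULT attributed to an ordinary user rather than to a service identity. The script below is an added example, not code from BleepingComputer, the researcher or Microsoft: it runs that check over Sysmon Event ID 12 (RegistryEvent, key create/delete) records. It assumes the events have been forwarded as one JSON object per line with the Sysmon field names EventID, EventType, User, Image and TargetObject; all sample records are constructed, and the host, user, SID and image paths in them are placeholders. Whether Sysmon attributes a driver-mediated creation to the user-mode caller depends on the execution context in which the driver performs it, so treat the attribution as an assumption to validate against your own telemetry, and expect to extend the service-account allowlist for whatever legitimately writes to .DEFAULT in your environment.

```python
"""Flag registry-key creations under HKU\\.DEFAULT by non-service accounts.

Added example. Assumes Sysmon Event ID 12 records forwarded as JSON lines
with the fields EventID, EventType, User, Image and TargetObject. The
records in SAMPLE_EVENTS are constructed; names, SIDs and paths are
placeholders, not observed telemetry.
"""
import json

# Identities that routinely write to the .DEFAULT hive (service start-up,
# profile handling). Creations by anyone else are the signal of interest.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Sysmon renders HKEY_USERS as "HKU".
DEFAULT_HIVE_PREFIX = "HKU\\.DEFAULT\\"

# Constructed sample log: one JSON object per line (raw string so the JSON
# backslash escapes reach json.loads untouched).
SAMPLE_EVENTS = r'''
{"EventID": 12, "EventType": "CreateKey", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Example\\Service"}
{"EventID": 12, "EventType": "CreateKey", "User": "WORKSTATION\\alice", "Image": "C:\\Users\\alice\\Downloads\\unknown.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Classes\\Example"}
{"EventID": 12, "EventType": "CreateKey", "User": "WORKSTATION\\alice", "Image": "C:\\Program Files\\App\\app.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\App"}
{"EventID": 13, "EventType": "SetValue", "User": "WORKSTATION\\alice", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Example\\Value"}
{"EventID": 12, "EventType": "DeleteKey", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKU\\.DEFAULT\\Software\\Example\\Old"}
'''


def parse_events(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_default_hive_key(target):
    """True when the registry path sits under the HKU\\.DEFAULT hive."""
    return target.upper().startswith(DEFAULT_HIVE_PREFIX.upper())


def find_default_hive_key_creations(events, allowed_users=SERVICE_ACCOUNTS):
    """Return Event ID 12 CreateKey records under HKU\\.DEFAULT whose User is
    not one of the allowed service identities."""
    allowed = {u.upper() for u in allowed_users}
    hits = []
    for ev in events:
        if ev.get("EventID") != 12 or ev.get("EventType") != "CreateKey":
            continue
        if not is_default_hive_key(ev.get("TargetObject", "")):
            continue
        if ev.get("User", "").upper() in allowed:
            continue
        hits.append(ev)
    return hits


def summarize(hit):
    """One-line description of a finding for a ticket or alert body."""
    return f"{hit['User']} via {hit['Image']} created {hit['TargetObject']}"


if __name__ == "__main__":
    for hit in find_default_hive_key_creations(parse_events(SAMPLE_EVENTS)):
        print(summarize(hit))
```

Run as-is it reports the single constructed record where a standard user's process creates a key under HKU\.DEFAULT; the SYSTEM creation, the per-user-SID creation, the value write (Event ID 13) and the key deletion are all filtered out. Pointing it at real forwarded logs means swapping SAMPLE_EVENTS for the file or stream your pipeline produces.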

  • It's hard to prove that Microsoft cares less about security than other vendors, without a bunch of information from Microsoft and other vendors that we're not privy to — not even shareholders get to know the full risks involved in the products upon which their dividends depend. But it's easy to prove that they will happily lie about it.

    • The Linux kernel has had multiple major vulns lately. I don't think you can put it down to Microsoft not caring about security so much as it's a hard job and getting harder with every line of bloat Microsoft adds.

      I'm curious if anyone's found an OpenBSD vulnerability lately?

      • by gweihir ( 88907 ) on Monday May 18, 2026 @11:40PM (#66150543)

        So? The Linux kernel folks patched within hours or days. And these vulnerabilities are unlikely to crop up again. You are comparing apples and oranges. Also note that building a big, bloated KISS violation of a "kernel", as Microsoft does, certainly counts as "not caring about security". The only way to get good security in software, and even more so in kernels, is by simplicity. Microsoft certainly knows that. But raking in the dollars is far more important to them.

        So ask yourself: Why are you defending Microsoft with invalid arguments?

        • by DarkOx ( 621550 )

          They patched it rapidly only to have a very similar vulnerability affecting the very same components drop like a day later.

          Arguably the patching effort lacked the real analysis that should have been triggered, and got pushed out with the first obvious fix applied. On the other hand, leaving users with only the option to implement a workaround that disables IPsec while a full fix is investigated is also a problem...

          I am not criticizing anyone here, disclosure vs time to patch, and regression avoidance in compl

        • > So? The Linux kernel folks patched within hours or days.

          Thank God that's all that's necessary and means we immediately get the updates to our computers without even having to reboot. There are no middlemen between those plucky fast-acting Linux kernel folks and me too, which also helps. Unlike Windows where... oh wait, no, it's the other way around isn't it?

          Seriously gweihir, I'm sure you have your heart in the right place, and I run GNU/Linux (Debian) myself, but stop with this fucking nonsense that

          • by gweihir ( 88907 )

            I did comment on the _kernel_. I did not comment on Wayland (which IMO is a really bad idea and I will avoid it as long as possible). I certainly did not comment on the fuckups behind systemd, that clearly show there are prominent people that do not get KISS or IT security in the Linux space as well.

            As to MS, yes they do not care or are fundamentally incompetent regarding security. They push defective patches. They have ridiculous vulnerabilities. They had their cloud hacked several times now, always due to

      • I don't think you can put it down to Microsoft not caring about security so much as it's a hard job and getting harder with every line of bloat Microsoft adds.

        If Bill Gates really gets that much of a hard-on about his insecure code, then why is it still called Microsoft? :-)

  • None. None at all. 40m lines of code to maintain? Easy.
    • This and the Linux bugs are all LPEs. They aren't that big of a problem if you don't have untrusted users unless more advanced ways to pivot on them emerge. I'm not saying it's nothing or there haven't been recent problems in all operating systems. I'm just saying, recently, there has been only the one NFS exploit for FreeBSD that's an RCE.

      My other observation is "Hey tough guys, where's the RCE bugs in OpenSSH?" Almost as if others have already beaten the shit out of them with static analysis tools and b
      • https://www.microsoft.com/en-u... [microsoft.com] Windows has poor security. Linux does too. AFAIK, my most secure device is my phone, which runs GrapheneOS. Software and hardware locked down together at last. Hardened OS so that, if there is an RCE, shit will still be hard to do.
        • NetBSD is my OS of choice. It's not as hardened as OpenBSD, but I like it better for other reasons. No RCEs there, either. Linux and Windows probably should get the lion's share of attention, just because they are very popular. Like an '80s DJ, I expect the hits will just keep on comin'!
    • by T34L ( 10503334 ) on Monday May 18, 2026 @07:54PM (#66150307)

      On Linux, there's at least an expectation that someone will try and fix the zero-days after they are discovered.

      On Windows there are zero-days that were published six years ago and just work with the then-attached guide.

      • RTFA. It was either said to be fixed and wasn't or there was a rollback at some point. Shit happens. Big corp. Happens with open source too.
    • by organgtool ( 966989 ) on Monday May 18, 2026 @10:46PM (#66150507)

      The difference between Windows and Linux in this area is that Linux generally takes security flaws seriously, addresses them quickly, and leaves the fixes in place. With Microsoft, there's a common pattern to slow-roll the whole process: deny the flaw exists, then when it becomes undeniable, claim that it can't be exploited, then once a PoC is released, diminish the severity of the exploit. This process usually spans months and meanwhile Windows users are left with their pants around their ankles and puckered assholes.

      It doesn't have to be this way. Vista cleaned up many of the worst architectural flaws in Windows and provided a much more secure foundation for Windows. All Microsoft has to do is prioritize security issues as soon as they're reported and they wouldn't consistently be reduced to a laughingstock in the industry. But I guess it wouldn't be Microsoft if they took security seriously.
      • Microsoft prioritizes the use of their machines over the security. This is a known thing. Trying to think of the truly horrid problems of the past several years, most of them are thanks to social engineering, not technical failures, where Linux wouldn't have helped. It's way, way easier to be given a password than to crack a machine remotely. Then there was the CrowdStrike incident. Of course CrowdStrike is all about security. Nothing is more secure than a computer that died. I'm sure that similar co
    • by gweihir ( 88907 )

      What a dumb statement. If you are trying to defend the indefensible (Microsoft), try at least to sound a bit plausible.

  • The only thing that can rescue Windows security is releasing the source code.

    • by Echoez ( 562950 )

      Sorry, but two of the biggest stories in IT over the past few weeks are privilege escalation attacks within the Linux kernel such as Copy Fail and Dirty Frag. While it may be true that over the previous 25 years being open source has helped protect Linux, the surge in high quality AI analysis tools has HURT Linux in the past few months.

      Open source != super secure, and the past few weeks have proven that.

      Right now, I think it's fair to say that the weapons of offense are greater than the weapons of defens

      • by Slayer ( 6656 )

        The difference is that, at least until now, open source teams have taken full advantage of these responsible bug disclosures and actually fixed their damn bugs. That Microsoft Windows bug was also responsibly disclosed, and Microsoft fumbled it anyway. Now we have a six year old exploit, which is public and available [github.com] all over the place, and no mitigation.

        I guess I'll stick with open source ...

    • At this point, there is probably nothing that can rescue either Microsoft or Linux from the hordes at the wall. Both are performance-first operating systems. There's nothing surprising or unusual about that; this is the dominant paradigm. Windows NT made at least some attempt in the other direction until version 4, but then they prioritized UI latency over memory security. LLMs apparently don't have to be able to think to recognize patterns which indicate vulnerabilities. If having closed source is even sti

    • Didn't China demand access to the Windows source code? I can only imagine how hard they have their LLMs working to find flaws in that. Things are likely to get much more interesting.
      • by gweihir ( 88907 )

        I would think that China has that access. I know of several large corporations and one smaller state that have this access.

  • So the cloud filter driver is used by OneDrive and it's like a weird, stripped down, shitty clone of VSS. It lets you pretend files are there in the file system then download them in the background from the cloud. We disabled that functionality at my company because people at a job site didn't need to pull down a 500MB PDF blueprint that they thought was on their local computer, while tethered on a smartphone with 2 bars of signal. Anyway, they CLAIM that Dropbox uses this system too so it's not just OneDri
  • PoC is Piece of Crap. They're getting lazy and skipping the hard 'does this really work if someone tries it for real' test. Fool yourself, you make a fool out of yourself. And we have better things to do with our time than trying to talk sense to a fool who thinks he's the President of the United States, and the best of the best of the...
