– A working Windows 11 privilege escalation exploit (MiniPlasma) grants SYSTEM on fully patched systems, including May 2026 Patch Tuesday.
– Exploit targets the Cloud Filter driver (cldflt.sys) via HsmOsBlockPlaceholderAccess, abusing registry key creation in the .DEFAULT hive and a race condition.
– The flaw is a previously known issue (CVE-2020-17103) whose patch status is unclear; the exploit works from standard user accounts on real hardware, but not on the latest Canary build.
– The disclosure follows a pattern of Chaotic Eclipse releasing multiple LPEs, citing frustration with patch verification and CVE handling by Microsoft.
Chaotic Eclipse, a researcher known for their controversial disclosures, has released a working Windows privilege escalation exploit that grants SYSTEM access on fully patched Windows 11 machines, including those running the May 2026 Patch Tuesday update. The news has stirred debate about patch verification and disclosure practices, while also raising questions about the resilience of security controls in modern Windows builds. The report notes the exploit is named MiniPlasma and appears with both source code and a compiled executable on GitHub, and it has been validated by independent researchers on standard user accounts to yield a SYSTEM-level command prompt on a fresh Windows 11 Pro installation.
The flaw resides in the Windows Cloud Filter driver, cldflt.sys, specifically inside a routine known as HsmOsBlockPlaceholderAccess. The bug is not new: Google Project Zero researcher James Forshaw reported the same issue to Microsoft in September 2020. It was later assigned CVE-2020-17103 and reportedly patched in December of that year. Chaotic Eclipse reportedly ran Forshaw’s original PoC and claims it worked without modification. In their words, it remains unclear whether Microsoft never patched the issue or whether a patch was silently rolled back for reasons unknown.
The exploit leverages how the Cloud Filter driver handles registry key creation via an undocumented API, enabling a standard user to create arbitrary registry keys in the .DEFAULT user hive without the usual access checks. It relies on a race condition, so the success rate can vary, yet BleepingComputer’s tests on real hardware suggest it is reliable enough, with one notable exception: it does not work on the latest Windows 11 Insider Preview Canary build.
MiniPlasma is another Windows zero-day disclosure from Chaotic Eclipse in the past six weeks. The researcher began in April with BlueHammer, a Windows Defender local privilege escalation vulnerability that Microsoft patched in the April 14 Patch Tuesday release as CVE-2026-33825, shortly after it was publicly disclosed on April 3. The sequence continued with RedSun, a second Defender LPE that Microsoft reportedly fixed silently without assigning a CVE. UnDefend, a Defender denial-of-service tool that blocks security definition updates, followed, then YellowKey, a BitLocker bypass that unlocks encrypted drives via the WinRE recovery environment, and GreenPlasma, a CTFMON framework privilege escalation for which the researcher withheld part of the exploit code. Now, MiniPlasma.
All three original exploits, BlueHammer, RedSun, and UnDefend, were confirmed as being exploited in real attacks by Huntress researchers shortly after public disclosure. The researcher explains their release motive as dissatisfaction with how Microsoft handles bug bounty reports and patch verification. While Microsoft has not commented specifically on MiniPlasma, the company previously stated to BleepingComputer that it “supports coordinated vulnerability disclosure” as a widely adopted industry practice.










