
MiniPlasma Zero-Day: A Six-Year-Old Windows Flaw Returns to Grant SYSTEM Access on Fully Patched Machines

A weaponized PoC exploit dubbed MiniPlasma grants SYSTEM privileges on fully patched Windows 11 by abusing a Cloud Filter driver flaw Microsoft supposedly fixed in 2020. No patch exists today.

FyntraLink Team

On May 13, 2026, a security researcher operating under the alias Nightmare-Eclipse dropped a weaponized proof-of-concept on GitHub that escalates any standard Windows user to SYSTEM — on machines running the latest May 2026 Patch Tuesday updates. The exploit, called MiniPlasma, targets the Windows Cloud Filter driver (cldflt.sys) behind OneDrive file synchronization, and it works because a patch Microsoft shipped in December 2020 for CVE-2020-17103 either never stuck or was silently rolled back.

How MiniPlasma Achieves SYSTEM Without a Single Missing Patch

The vulnerability resides in how cldflt.sys processes registry key creation through the undocumented CfAbortHydration API. Specifically, the HsmOsBlockPlaceholderAccess routine fails to enforce proper access controls when handling Cloud Filter placeholder files tied to OneDrive. An attacker running as a standard, unprivileged user can exploit this flaw to create arbitrary registry keys in the .DEFAULT user hive — a hive that maps directly to the SYSTEM account context.

Google Project Zero researcher James Forshaw originally reported this flaw to Microsoft in September 2020, and it was assigned CVE-2020-17103 with a CVSS score of 7.8. Microsoft released a fix in December 2020. Yet when Chaotic Eclipse (the research group behind Nightmare-Eclipse) tested Forshaw's original proof-of-concept code against current builds of Windows 11, it executed without modification. The group's conclusion: the fix was either incomplete or regressed during a subsequent Windows update.

BleepingComputer independently verified the exploit on a fully patched Windows 11 Pro system. After running MiniPlasma from a standard user account, a command prompt opened with full SYSTEM privileges — no UAC bypass needed, no additional exploit chain required.

Why Local Privilege Escalation Is More Dangerous Than It Sounds

MiniPlasma requires local code execution — it is not a remote exploit. That distinction leads some teams to deprioritize it. This is a mistake. Modern attack chains routinely achieve initial local execution through phishing payloads, weaponized Office documents, drive-by browser downloads, or stolen RDP credentials. Each of those footholds typically lands the attacker in a low-privilege user session. MiniPlasma turns that limited foothold into full machine ownership in under two seconds.

Once SYSTEM is achieved, the attacker can dump credentials from LSASS, disable endpoint detection and response agents, install persistent backdoors via the SYSTEM registry hive, pivot laterally using extracted Kerberos tickets, and exfiltrate data from any local store without triggering user-level monitoring. For ransomware operators, an LPE zero-day with a public PoC is a force multiplier: it eliminates the most unreliable step in their kill chain — the escalation from initial foothold to domain dominance.

The Patch Regression Problem in Enterprise Environments

MiniPlasma exposes a systemic risk that extends beyond a single CVE. Patch regression — where a previously fixed vulnerability reappears in later software versions — undermines the fundamental assumption that cumulative updates are additive. Organizations that confirmed CVE-2020-17103 as remediated in their vulnerability management platforms six years ago have no reason to retest it. Their scanners show it as resolved. Their compliance reports reflect a closed finding. Yet the vulnerability is live.

This scenario highlights the limitations of scan-and-patch cycles that rely solely on vendor advisories. Without continuous validation — red team exercises, breach-and-attack simulation, or periodic manual verification of critical fixes — regression vulnerabilities slip through undetected. Microsoft has acknowledged the report and stated it is investigating, but no timeline for a fix has been provided. The next scheduled Patch Tuesday is June 10, 2026, nearly a month after the PoC went public.

Impact on Saudi Financial Institutions Under SAMA and NCA Oversight

Saudi banks, insurance companies, and fintech operators running Windows endpoints face direct exposure to MiniPlasma. The SAMA Cyber Security Common Controls (CSCC) framework mandates timely patching under Control 3.3.6 (Patch Management), but this vulnerability has no patch to apply. CSCC Control 3.3.3 (Endpoint Protection) requires that endpoint detection capabilities prevent known exploitation techniques — yet behavioral detection for MiniPlasma depends on whether your EDR vendor has released detection signatures for cldflt.sys registry abuse patterns.

The NCA Essential Cybersecurity Controls (ECC) reinforce these requirements through ECC-1:2-3 (Vulnerability Management) and ECC-1:3-2 (Threat Management), which require organizations to monitor for emerging threats and implement compensating controls when vendor patches are unavailable. Institutions that rely solely on Windows Update for endpoint hardening are non-compliant with the spirit of both frameworks when facing an unpatched zero-day with a public exploit.

Under PDPL (Personal Data Protection Law), a breach enabled by MiniPlasma that exposes customer financial data triggers mandatory notification obligations and potential regulatory penalties — regardless of whether the organization was technically up to date on patches.

Recommended Mitigations Until Microsoft Delivers a Fix

  1. Restrict cldflt.sys Loading: If OneDrive file sync is not operationally required on sensitive servers and workstations, disable the Cloud Filter driver via Group Policy or by setting the cldflt service start type to Disabled. This eliminates the attack surface entirely on machines that do not use OneDrive placeholder files.
  2. Deploy Application Control Policies: Use Windows Defender Application Control (WDAC) or AppLocker to block execution of unsigned or unauthorized executables from user-writable directories. MiniPlasma requires running an executable — application allowlisting prevents the PoC from launching.
  3. Harden Registry Monitoring: Configure your SIEM to alert on registry key creation events under HKU\.DEFAULT originating from non-SYSTEM processes. This behavioral indicator catches MiniPlasma and similar registry-based LPE techniques.
  4. Elevate EDR Detection Rules: Confirm with your EDR vendor (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) that detection content for cldflt.sys abuse has been deployed. If not, create custom detection rules targeting CfAbortHydration API calls from unprivileged contexts.
  5. Validate Previous Patch Regression: Run targeted vulnerability assessments against CVE-2020-17103 specifically. Do not rely on cumulative update status as evidence of remediation — test the actual exploit path.
  6. Limit Lateral Movement Potential: Enforce network segmentation, disable unnecessary RDP access, and implement LAPS (Local Administrator Password Solution) to contain the blast radius if an endpoint is compromised through this chain.
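The registry alerting rule in mitigation 3 can be prototyped before it is pushed to a SIEM. The following is an added example and not code from the article or from any vendor; it assumes Sysmon Event ID 12 field names (EventType, TargetObject, Image, User) rendered in a constructed one-line key=value layout, and flags CreateKey events under HKU\.DEFAULT whose acting account is anything other than NT AUTHORITY\SYSTEM.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 12 (RegistryEvent: object create/delete); the one-line layout and
# every value are assumptions made for this example.
SAMPLE_EVENTS = [
    r"EventID=12 EventType=CreateKey TargetObject=HKU\.DEFAULT\Software\Demo "
    r"Image=C:\Users\alice\Downloads\poc.exe User=CORP\alice",
    r"EventID=12 EventType=CreateKey TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\Run "
    r"Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM",
    r"EventID=12 EventType=CreateKey TargetObject=HKEY_USERS\.DEFAULT\Software\Demo2 "
    r"Image=C:\Windows\Temp\stage.exe User=CORP\bob",
    r"EventID=12 EventType=DeleteKey TargetObject=HKU\.DEFAULT\Software\Demo "
    r"Image=C:\Users\alice\Downloads\poc.exe User=CORP\alice",
    r"EventID=12 EventType=CreateKey TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\App "
    r"Image=C:\Program Files\App\app.exe User=CORP\alice",
]

# key=value pairs; values may contain spaces, so stop before the next "key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def parse_event(line: str) -> Dict[str, str]:
    return {k: v for k, v in FIELD_RE.findall(line)}


def normalize_key(path: str) -> str:
    # Tools render the hive as either HKU\ or HKEY_USERS\; fold to one form.
    if path.upper().startswith("HKEY_USERS\\"):
        path = "HKU\\" + path[len("HKEY_USERS\\"):]
    return path


def is_default_hive_create_by_non_system(ev: Dict[str, str]) -> bool:
    # Rule: key creation under HKU\.DEFAULT by any account other than SYSTEM.
    if ev.get("EventID") != "12" or ev.get("EventType") != "CreateKey":
        return False
    target = normalize_key(ev.get("TargetObject", ""))
    if not target.upper().startswith("HKU\\.DEFAULT\\"):
        return False
    return ev.get("User", "").upper() != SYSTEM_ACCOUNT


def find_alerts(lines) -> List[Dict[str, str]]:
    # Returns the parsed events that match the rule, in input order.
    return [ev for ev in map(parse_event, lines)
            if is_default_hive_create_by_non_system(ev)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["User"], alert["Image"], alert["TargetObject"])
```

Expect two alerts from the sample set: the SYSTEM-owned svchost event, the DeleteKey event and the per-user SID hive event are all excluded by design.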

Conclusion

MiniPlasma is a sobering reminder that patching is not a one-time event — it is a continuous assurance process. A vulnerability declared fixed in 2020 is exploitable in 2026 on fully updated systems. For organizations operating under SAMA and NCA regulatory scrutiny, the response cannot wait for Microsoft's next Patch Tuesday. Compensating controls must be deployed now, and patch validation processes must evolve to catch regression failures before attackers do.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and zero-day readiness evaluation tailored to Saudi financial institutions.
