Windows MiniPlasma Zero-Day Grants SYSTEM Access on Fully Patched Systems — PoC Is Public

A weaponized PoC exploit called MiniPlasma grants SYSTEM privileges on fully patched Windows 11 systems by exploiting a six-year-old flaw in the Cloud Filter driver. Here's what Saudi financial institutions must do now.

FyntraLink Team

A weaponized proof-of-concept exploit called MiniPlasma is circulating on GitHub right now, granting SYSTEM-level privileges on fully patched Windows 11 Pro machines — including those running the May 2026 Patch Tuesday updates. For any organization running Windows endpoints or servers in a SAMA-regulated environment, this is an immediate patch-gap emergency that no scanner will flag.

What Is MiniPlasma and Why Does It Bypass Current Patches?

MiniPlasma targets a flaw in the cldflt.sys Cloud Filter driver, specifically the HsmOsBlockPlaceholderAccess routine responsible for managing cloud-synced file placeholders in Windows. Google Project Zero researcher James Forshaw originally reported this vulnerability to Microsoft in September 2020, and it was assigned CVE-2020-17103 with a fix shipped in December 2020. The problem: security researcher Nightmare-Eclipse demonstrated on May 13, 2026 that Microsoft either failed to fully remediate the flaw or silently rolled back the fix during subsequent updates. The result is a six-year-old vulnerability that is once again exploitable on every current Windows build.

How the Exploit Works: From Standard User to SYSTEM in Seconds

The attack requires only local access with a standard (non-admin) user account. The exploit manipulates the Cloud Filter driver's handling of placeholder file operations to trigger a privilege escalation condition. Once executed, it spawns a command prompt running with SYSTEM privileges — the highest privilege level on a Windows machine. No UAC bypass is needed, no admin credentials are required, and the entire chain completes in under three seconds. The public PoC on GitHub is fully weaponized and requires minimal modification to deploy in real attack scenarios.

MiniPlasma is not an isolated incident from this researcher. Nightmare-Eclipse, operating under the Chaotic Eclipse umbrella, has released multiple Windows zero-days over the past six weeks, including BlueHammer (CVE-2026-33825), a Windows Defender local privilege escalation flaw disclosed in April 2026. The researcher has publicly stated these releases are motivated by frustration with Microsoft's bug bounty handling and patch verification processes.

Why This Matters for Saudi Financial Institutions

Windows dominates the endpoint and server landscape across SAMA-regulated banks, insurance companies, and fintech firms in Saudi Arabia. The Cloud Filter driver (cldflt.sys) is loaded by default on any system using OneDrive, SharePoint sync, or Azure Files — services deeply embedded in Microsoft 365 deployments that most financial institutions rely on daily. SAMA CSCC Domain 3 (Technology Operations Management) explicitly requires organizations to maintain hardened endpoints with timely patching cycles. A zero-day with a public PoC and no available patch creates a compliance gap that cannot be closed through standard vulnerability management alone.

Under NCA ECC 2:2024, critical national infrastructure operators — which includes major financial institutions — must demonstrate continuous monitoring and rapid incident response capabilities. The fact that MiniPlasma bypasses all current patches means traditional scan-and-patch workflows will report these systems as compliant when they are demonstrably vulnerable. This is precisely the kind of blind spot that regulators scrutinize during audits.

Detection and Mitigation: Practical Steps You Can Take Now

  1. Monitor cldflt.sys activity: Configure your EDR to alert on anomalous operations involving the Cloud Filter driver. Sysmon Event ID 1 (Process Creation) combined with Event ID 7 (Image Loaded) can flag unexpected processes loading cldflt.sys in non-standard contexts. Create detection rules for any process spawning cmd.exe or powershell.exe with SYSTEM privileges from a standard user session.
  2. Restrict Cloud Filter driver loading: On endpoints where OneDrive sync and SharePoint file integration are not business-critical, consider disabling the Cloud Filter mini-filter driver through Group Policy or WDAC (Windows Defender Application Control) policies. This removes the attack surface entirely on those machines.
  3. Enforce least-privilege access rigorously: MiniPlasma requires local access. Ensure that remote desktop, SSH, and VPN access to Windows endpoints follows zero-trust principles. Disable local logon for service accounts and restrict interactive logon rights to only those users who need physical or remote desktop access.
  4. Deploy behavioral detection rules in your SOC: Your SIEM should flag any SYSTEM-level process creation that originates from a standard user context without a corresponding UAC elevation event. Correlate with Windows Security Event ID 4688 (new process creation) and look for token elevation type mismatches.
  5. Activate Microsoft Defender Attack Surface Reduction (ASR) rules: While ASR rules do not directly block this exploit, enabling the full ASR rule set constrains post-exploitation movement. Specifically, rules blocking credential theft from LSASS and blocking process injection limit what an attacker can do after gaining SYSTEM access.
  6. Track Microsoft's response timeline: Subscribe to Microsoft Security Response Center (MSRC) advisories and monitor for an out-of-band patch. Given the public PoC and media attention, Microsoft is under pressure to ship a fix outside the normal Patch Tuesday cycle.
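The parent-user mismatch rule from steps 1 and 4 above, as an added example (this is not Fyntralink's code, a Microsoft rule, or anything taken from the MiniPlasma PoC). It parses a Sysmon Event ID 1 (Process Creation) record from its XML and raises a finding when a SYSTEM-integrity process, especially an interactive shell, was created by a parent that ran as an ordinary user and is not one of the brokers that legitimately hand out SYSTEM children. It assumes a Sysmon version that emits the `ParentUser` field; the broker allowlist and every sample event are constructed for illustration and need tuning to your own estate.

```python
"""Flag SYSTEM processes created from a user-context parent (Sysmon Event ID 1).

Added example; not the article's or any vendor's code. Sample events and the
broker allowlist are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Parents that routinely create SYSTEM processes on a user's behalf
# (assumed allowlist; extend it with what your own baseline shows).
EXPECTED_SYSTEM_BROKERS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\consent.exe",
}
SYSTEM_ACCOUNTS = {
    r"nt authority\system",
    r"nt authority\local service",
    r"nt authority\network service",
}
# Interactive shells: a SYSTEM shell under a user parent is the loudest signal.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def is_system_account(user: str) -> bool:
    return user.strip().lower() in SYSTEM_ACCOUNTS


def parse_sysmon_event(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the EventData fields of a Sysmon Event ID 1 record, or None for other IDs."""
    root = ET.fromstring(xml_text)
    event_id, data = None, {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the Windows event namespace
        if tag == "EventID":
            event_id = (elem.text or "").strip()
        elif tag == "Data" and "Name" in elem.attrib:
            data[elem.attrib["Name"]] = elem.text or ""
    return data if event_id == "1" else None


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one Event ID 1 record, or None if lineage looks routine."""
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    parent_path = event["ParentImage"].lower()
    parent_user = event.get("ParentUser", "")
    child_is_system = (is_system_account(event["User"])
                       or event.get("IntegrityLevel", "").lower() == "system")
    if not child_is_system or parent_path in EXPECTED_SYSTEM_BROKERS:
        return None
    # Without ParentUser (older Sysmon) fall back to the 4688 correlation in step 4.
    if not parent_user or is_system_account(parent_user):
        return None
    return {
        "severity": "high" if image_name in SHELL_IMAGES else "medium",
        "image": event["Image"],
        "parent": event["ParentImage"],
        "parent_user": parent_user,
        "reason": f"SYSTEM-level {image_name} created by a process running as {parent_user}",
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed Sysmon Event ID 1 record: SYSTEM cmd.exe whose parent ran as a user.
SUSPICIOUS_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="IntegrityLevel">System</Data>
    <Data Name="ParentImage">C:\Users\analyst1\Downloads\sample-poc.exe</Data>
    <Data Name="ParentUser">CORP\analyst1</Data>
  </EventData>
</Event>"""

# Constructed benign records: service-host lineage and an ordinary user shell.
BENIGN_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\analyst1", "ParentUser": r"CORP\analyst1", "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    parsed = parse_sysmon_event(SUSPICIOUS_EVENT_XML)
    for finding in scan(BENIGN_EVENTS + ([parsed] if parsed else [])):
        print(finding["severity"].upper(), finding["reason"])
```

Run against the constructed samples, only the user-parented SYSTEM shell produces a finding; the svchost lineage and the user's own shell are silent. The allowlist is what keeps this rule quiet in production, so seed it from a week of your own Event ID 1 data before enabling alerting.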

The Bigger Picture: Patch Regression as a Systemic Risk

MiniPlasma exposes a troubling pattern in enterprise security: patch regression. Organizations invest heavily in vulnerability management programs designed around the assumption that once a CVE is patched, the risk is resolved. When vendors silently roll back or fail to maintain fixes across cumulative updates, the entire risk model breaks. This is not a theoretical concern — it is a documented, exploitable reality as of May 2026. SAMA CSCC and NCA ECC both require organizations to validate the effectiveness of their security controls, not merely their deployment. Compliance teams must evolve their approach from "did we apply the patch?" to "is the vulnerability actually remediated?"

Conclusion

The MiniPlasma zero-day is a stark reminder that patch status alone does not equal security. With a fully weaponized PoC circulating publicly, any attacker with local access to a Windows endpoint in your organization can escalate to SYSTEM privileges in seconds. Saudi financial institutions operating under SAMA and NCA oversight must implement compensating controls immediately, enhance behavioral detection in their SOC, and prepare for rapid deployment of a Microsoft out-of-band patch when it arrives.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted review of your Windows endpoint hardening posture.