Microsoft Windows has once again found itself in the cybersecurity spotlight, and not the flattering kind where everyone claps politely and says, "Great job securing the enterprise." This time the problem is a newly released proof-of-concept exploit called MiniPlasma, a Windows local privilege escalation zero-day that reportedly allows a standard user to gain SYSTEM-level access on fully patched Windows systems. In normal human terms, that means an attacker who already has basic access to a machine may be able to climb straight to the top of the privilege ladder, kick the administrator out of the chair, and start rearranging the furniture. BleepingComputer tested the exploit on a fully patched Windows 11 Pro system with the May 2026 Patch Tuesday updates installed and confirmed that it opened a command prompt running with SYSTEM privileges.

MiniPlasma was released by a researcher known online as Chaotic Eclipse, also referred to as Nightmare Eclipse, who published both source code and a compiled executable on GitHub. That detail matters because this is not some vague "trust me, bro" vulnerability rumor drifting around social media. A proof-of-concept is public, testing has been performed, and researchers are already discussing the implications. According to BleepingComputer, the flaw involves the Windows Cloud Filter driver, cldflt.sys, specifically the HsmOsBlockPlaceholderAccess routine. The awkward part, and there is always an awkward part, is that this issue appears connected to a vulnerability originally reported by Google Project Zero researcher James Forshaw back in September 2020. That vulnerability was assigned CVE-2020-17103 and was reportedly fixed by Microsoft in December 2020.

So here we are in 2026, staring at what may be a resurrected bug, an incomplete fix, or a fix that somehow wandered off into the woods and never came back. Chaotic Eclipse claims the same core issue is still exploitable, saying the original Google Project Zero proof-of-concept worked without modification. That is not exactly the kind of sentence security teams want to read while drinking their morning coffee. "Good news, everyone, the thing we thought was fixed five and a half years ago still works," is not a vulnerability-management strategy. It is a cry for help wearing a Microsoft Defender hoodie.

The exploit reportedly abuses how the Cloud Filter driver handles registry key creation through an undocumented API called CfAbortHydration. Forshaw's original report described a scenario where arbitrary registry keys could be created inside the .DEFAULT user hive without proper access checks. That matters because privilege escalation does not always require a Hollywood-style hacker furiously typing green text into a terminal. Sometimes the attack path is uglier and more boring: abuse a trusted Windows component, manipulate something the operating system already allows, and quietly step into SYSTEM privileges while everyone else is still arguing about whether the EDR alert is a false positive.

To make the situation even more interesting, vulnerability analyst Will Dormann reportedly confirmed that MiniPlasma works on the latest public version of Windows 11. However, he also noted that it does not appear to work on the latest Windows 11 Insider Preview Canary build. That could mean Microsoft already has a fix somewhere in the pipeline, or it could mean the Canary build changed something else that broke the exploit by accident. Either way, organizations running normal production Windows builds do not get to relax just because a bleeding-edge test build looks better. Enterprises do not run their hospitals, banks, law firms, and government agencies on "maybe this is fixed in Canary."

MiniPlasma also arrives during a larger disclosure storm around Windows zero-days from the same researcher. Earlier disclosures included BlueHammer, RedSun, and UnDefend, followed by YellowKey and GreenPlasma. BleepingComputer reported that BlueHammer, RedSun, and UnDefend were later spotted being exploited in attacks, which should remove any comforting fantasy that public proof-of-concept code simply sits online for academic discussion while attackers politely wait for Patch Tuesday. That is adorable, but no. Once exploit details are public, defenders and attackers read the same internet. One side writes detection logic. The other side writes tooling. Guess which one usually has fewer change-control meetings.

The most dangerous misconception here is that local privilege escalation bugs are somehow "less serious" because an attacker already needs access to the machine. That is technically true, in the same way that a burglar already needs to get inside the house before stealing the safe. It misses the point. Attack chains are built in stages. Initial access gets the attacker in. Privilege escalation turns that foothold into control. SYSTEM access can help attackers dump credentials, disable security tools, tamper with logs, move laterally, install persistence, and prepare ransomware deployment. In healthcare environments, that is not just an IT inconvenience. That is a patient safety issue wrapped in a Windows driver problem.

This is where hospital leadership, CFOs, and compliance committees need to pay attention. MiniPlasma is not just another technical headline for security people to share on LinkedIn while pretending they were not already doom-scrolling at 5:30 in the morning. It is another reminder that "fully patched" does not mean "secure." It means "patched against the things the vendor has acknowledged, fixed, released, and your organization successfully deployed." That is a much narrower promise. A fully patched Windows system can still be vulnerable to a zero-day, a bypass, a misconfiguration, weak segmentation, overprivileged accounts, unmanaged scripts, forgotten services, bad monitoring, stale images, and that one server under someone's desk that everyone swears is "temporary." It has been temporary since 2017.

Security teams should respond without panic, but also without the usual corporate bedtime story that "we are monitoring the situation." Monitoring is not a strategy by itself. For MiniPlasma-style privilege escalation, the practical response should include tightening least privilege, watching for unusual privilege transitions, reviewing local administrator exposure, increasing scrutiny around suspicious child processes and SYSTEM-level command shells, validating EDR behavior, and making sure endpoint telemetry is actually being collected and reviewed. Organizations should also pay close attention to Microsoft guidance when it arrives, because as of the BleepingComputer report, Microsoft had been contacted but had not yet provided a public response to that article.
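The two detection ideas in the last paragraph, and the registry behaviour described earlier (key creation under the .DEFAULT hive by a non-privileged caller), can be turned into concrete checks over endpoint telemetry. The following is an added example written for this article, not code from the article, from BleepingComputer, or from the researcher who published MiniPlasma. It assumes Sysmon-style event records: process-creation events (Event ID 1) carrying `User`, `ParentUser`, `Image` and `ParentImage`, and registry events (Event ID 12) carrying `EventType`, `User`, `Image` and `TargetObject` with HKEY_USERS paths written with the `HKU\` prefix. The sample records are constructed for illustration; the one that mirrors the reported behaviour shows only what the article states, a command prompt running as SYSTEM beneath a process owned by a standard user. Whether a driver-originated key creation is attributed by the sensor to the calling user process is an assumption of this example and should be confirmed against your own telemetry before relying on the registry check.

```python
# Added example: detection heuristics over constructed Sysmon-style event records.
# Field names follow Sysmon's process-creation (Event ID 1) and registry (Event ID 12)
# events; the sample records below are constructed, not captured telemetry.

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Parents that routinely launch SYSTEM children on a healthy host (service control,
# session setup, scheduled tasks). Anything else spawning SYSTEM deserves a look.
TRUSTED_SYSTEM_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\winlogon.exe",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: the sensor reports HKEY_USERS paths with the "HKU\" prefix.
DEFAULT_HIVE_PREFIX = "hku\\.default\\"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_system(account: str) -> bool:
    return account.upper() == SYSTEM_ACCOUNT


def check_process_event(ev: dict) -> list[str]:
    """Return reasons a process-creation event looks like an unexpected privilege transition."""
    if ev.get("EventID") != 1 or not _is_system(ev.get("User", "")):
        return []
    reasons = []
    parent_user = ev.get("ParentUser", "")
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    parent_trusted = parent.lower() in TRUSTED_SYSTEM_PARENTS
    # A non-SYSTEM parent producing a SYSTEM child outside the normal service path.
    if not _is_system(parent_user) and not parent_trusted:
        reasons.append(f"{parent_user} via {_basename(parent)} spawned {_basename(image)} as SYSTEM")
    # A SYSTEM command shell whose parent is not a service-control process.
    if _basename(image) in SHELLS and not parent_trusted:
        reasons.append(f"SYSTEM shell {_basename(image)} under non-service parent {_basename(parent)}")
    return reasons


def check_registry_event(ev: dict) -> list[str]:
    """Flag key creation in the .DEFAULT user hive attributed to a non-SYSTEM caller."""
    if ev.get("EventID") != 12 or ev.get("EventType") != "CreateKey":
        return []
    target = ev.get("TargetObject", "")
    if target.lower().startswith(DEFAULT_HIVE_PREFIX) and not _is_system(ev.get("User", "")):
        return [f"{ev.get('User')} via {_basename(ev.get('Image', ''))} created {target}"]
    return []


def detect(events: list[dict]) -> list[str]:
    """One finding per suspicious event, with all matching reasons joined by '; '."""
    findings = []
    for ev in events:
        reasons = check_process_event(ev) + check_registry_event(ev)
        if reasons:
            findings.append(f"[EventID {ev['EventID']}] " + "; ".join(reasons))
    return findings


# Constructed sample telemetry: a benign service child, a benign user process, a SYSTEM
# shell beneath a user-owned process, a .DEFAULT key creation by a standard user, and an
# ordinary per-user key creation that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\taskhostw.exe", "User": SYSTEM_ACCOUNT,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": SYSTEM_ACCOUNT},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "User": r"DESKTOP\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": r"DESKTOP\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_ACCOUNT,
     "ParentImage": r"C:\Users\alice\Downloads\example.exe", "ParentUser": r"DESKTOP\alice"},
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Users\alice\Downloads\example.exe",
     "User": r"DESKTOP\alice", "TargetObject": r"HKU\.DEFAULT\Software\ExampleKey"},
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\explorer.exe",
     "User": r"DESKTOP\alice", "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\ExampleKey"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints two findings: the SYSTEM `cmd.exe` under a user-owned parent, and the key creation under `HKU\.DEFAULT`. The trusted-parent allowlist is the tuning knob; expect to extend it with legitimate elevation paths in your environment (installers, management agents) rather than loosening the SYSTEM-shell rule, since a SYSTEM command prompt with a non-service parent is rare enough on a healthy workstation to justify an analyst's attention every time.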

The larger lesson is uncomfortable but necessary: native Windows components are not automatically safe simply because they are signed, trusted, and shipped by Microsoft. Attackers love trusted components because defenders love ignoring them. A malicious binary screams for attention. A legitimate Windows driver doing something strange often gets shrugged off as "normal operating system behavior," which is exactly the kind of phrase that shows up in post-incident reports right before the expensive part. ThreatLocker made this point well in its analysis of related Windows zero-days, noting that trusted native components such as WinRE and CTFMON can become part of the attack surface when they are allowed to touch sensitive areas of the system.

MiniPlasma is not the end of Windows security. It is not proof that every Microsoft system should be thrown into a volcano while the Linux crowd forms a smug drum circle. But it is one more reminder that security programs built entirely around patching, antivirus, and hope are living dangerously. Patch management matters. Vulnerability management matters. But zero-days expose the gap between what you think your controls do and what they actually do when the vendor has no fix yet. That gap is where attackers make money.

For healthcare, government, and enterprise environments, the message is painfully simple: assume privilege escalation will happen eventually and build controls that limit the blast radius. Segment aggressively. Restrict local admin rights. Monitor identity abuse. Validate endpoint controls. Test your detection logic. Harden recovery paths. Keep incident response playbooks current. And, for the love of uptime, stop treating "fully patched" like a magic spell. It is not a force field. It is paperwork with better branding.

MiniPlasma may be small by name, but the lesson is not. A normal user becoming SYSTEM on a fully patched Windows machine is the kind of thing that should make every security leader lean forward a little. Not panic. Not perform theater. Just pay attention. Because attackers do not need perfection. They need one overlooked path, one stale assumption, one trusted component behaving badly.

And Windows, bless its complicated little heart, keeps giving them material.
