MiniPlasma Windows Zero-Day PoC Gives Local Users SYSTEM Access

Stephanie Adlam

A public proof-of-concept called MiniPlasma claims to turn local Windows access into SYSTEM privileges by abusing the Cloud Files Mini Filter Driver, cldflt.sys. The author says the technique builds on CVE-2020-17103, but targets patched Windows behavior rather than an old unpatched install [1].

BleepingComputer reported that it tested the exploit on a fully patched Windows 11 24H2 system and obtained SYSTEM access [2]. That makes this worth attention even though it is not a remote drive-by bug. An attacker first needs local code execution, which usually means a malicious installer, a phished command, or another foothold that already put code on the machine.

Why Local SYSTEM Access Still Matters

Local privilege escalation is the step that can turn a limited infection into a machine-level compromise. For home users and small offices, the practical signal is simple: if a suspicious program ran on the PC, do not judge the incident only by whether the user account was an administrator. A successful LPE can move past that boundary and give malware control over services, security settings, and persistence locations.

The defensive priority is to reduce the chance that untrusted code gets that first local run. Microsoft has not assigned a fresh CVE for MiniPlasma at publication time, and the old CVE-2020-17103 advisory is not a fix path for this new PoC [3]. Until Microsoft responds, treat unexpected elevation, new services, driver-related errors, and security-tool tampering after a user-run download as stronger evidence than normal user-mode malware noise.
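The triage guidance above can be written as a small correlation check over host events. This is an added example, not code from the article or from Microsoft; the event records, field names, path list and 30-minute window are constructed assumptions. The driver-error signal is left out because the page names no specific event for it.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
USER_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")  # assumed user-run paths

# Constructed, hand-normalised events (not real telemetry).
# 4688 = process creation, 7045 = service installed,
# 5001 = Microsoft Defender real-time protection disabled.
EVENTS = [
    {"t": "2026-05-19T10:00:05", "host": "PC1", "id": 4688, "user": "alice",
     "image": r"C:\Users\alice\Downloads\setup_free.exe", "parent": r"C:\Windows\explorer.exe"},
    {"t": "2026-05-19T10:01:10", "host": "PC1", "id": 4688, "user": "SYSTEM",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\alice\Downloads\setup_free.exe"},
    {"t": "2026-05-19T10:02:00", "host": "PC1", "id": 7045, "user": "SYSTEM",
     "image": r"C:\ProgramData\updhelper.exe"},
    {"t": "2026-05-19T10:03:30", "host": "PC1", "id": 5001, "user": "SYSTEM"},
    {"t": "2026-05-19T11:00:00", "host": "PC2", "id": 7045, "user": "SYSTEM",
     "image": r"C:\Program Files\Vendor\agent.exe"},  # no preceding download
]

def in_user_dir(path):
    return any(d in (path or "").lower() for d in USER_DIRS)

def classify(ev):
    """Map one event to a signal from the article's list, or None."""
    if ev["id"] == 4688 and ev["user"] == "SYSTEM" and in_user_dir(ev.get("parent")):
        return "unexpected elevation"
    if ev["id"] == 7045:
        return "new service"
    if ev["id"] == 5001:
        return "security-tool tampering"
    return None

def triage(events):
    """Return {host: [signals]} seen within WINDOW after a user-run download."""
    last_download, hits = {}, {}
    for ev in sorted(events, key=lambda e: e["t"]):
        when = datetime.fromisoformat(ev["t"])
        if ev["id"] == 4688 and ev["user"] != "SYSTEM" and in_user_dir(ev.get("image")):
            last_download[ev["host"]] = when  # start of a correlation window
            continue
        signal = classify(ev)
        start = last_download.get(ev["host"])
        if signal and start and when - start <= WINDOW:
            hits.setdefault(ev["host"], []).append(signal)
    return hits

if __name__ == "__main__":
    print(triage(EVENTS))
```

A host that shows several of these signals inside one window is a stronger candidate for full incident handling than a host with a single isolated event.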

This fits a pattern Gridinsoft has covered before: attackers do not always need a remote exploit if they can convince a user to start the chain. Similar post-click risk appears in Windows SmartScreen exploitation used to spread Phemedrone Stealer and in our coverage of Microsoft Office preview risks. MiniPlasma adds a different pressure point: what happens after the first local execution succeeds.

References

  1. Nightmare-Eclipse, MiniPlasma proof-of-concept repository, May 2026. PoC
  2. BleepingComputer, “New Windows MiniPlasma zero-day exploit gives SYSTEM access,” May 18, 2026. Report
  3. Microsoft Security Response Center, CVE-2020-17103 Windows Cloud Files Mini Filter Driver elevation of privilege vulnerability. Advisory