MiniPlasma – Windows Cloud Files Mini Filter Driver Zero-Day Bypasses 2020 Patch, Grants SYSTEM Access
Scope: Windows 11 and Windows Server 2022, 2025, 2026 (All Fully Patched Builds as of May 2026)
Severity: Red
Researcher Chaotic Eclipse has published a weaponized proof-of-concept for MiniPlasma, a zero-day privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that targets the HsmOsBlockPlaceholderAccess routine. It is the same flaw that Google Project Zero researcher James Forshaw originally reported in 2020 and that was supposedly fixed as CVE-2020-17103; the fix appears either never to have been fully applied or to have been silently rolled back in newer builds. BleepingComputer and independent researcher Will Dormann both confirmed that the exploit reliably opens a SYSTEM command shell on fully patched Windows 11 systems running the latest May 2026 Patch Tuesday updates.
Every previous zero-day disclosure from this researcher, including BlueHammer and RedSun, was observed being exploited in the wild within days of publication, so organizations should treat this as urgent: temporarily disable the Cloud Files Mini Filter Driver (sc config cldflt start= disabled; note that this breaks OneDrive Files On-Demand), restrict local access to trusted users, monitor for low-integrity processes spawning cmd.exe or PowerShell, and apply Microsoft's fix immediately upon release.
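The monitoring recommendation above can be prototyped as follows. This is an added example, not code from the advisory or from Microsoft. It assumes process-creation events already exported as dictionaries with Sysmon Event ID 1 field names (ProcessGuid, ParentProcessGuid, Image, IntegrityLevel); the sample events are constructed, and the second rule (a shell at System integrity under a non-elevated parent) is an assumption added here that goes beyond the advisory's wording.

```python
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}  # Sysmon IntegrityLevel values

def find_suspicious_shells(events):
    """Return (reason, parent image, child image) for shell launches worth triage."""
    # Index by ProcessGuid so each child can be tied to its parent's integrity level.
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for child in events:
        if ntpath.basename(child["Image"]).lower() not in SHELLS:
            continue
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None:
            continue  # parent creation was not logged; its integrity is unknown
        p_rank = RANK.get(parent["IntegrityLevel"])
        c_rank = RANK.get(child["IntegrityLevel"])
        if p_rank is None or c_rank is None:
            continue  # unrecognized integrity label
        if p_rank == RANK["Low"]:
            hits.append(("low-integrity parent", parent["Image"], child["Image"]))
        elif c_rank == RANK["System"] and p_rank < RANK["High"]:
            # Assumption added in this example: a non-elevated parent whose
            # shell runs at System integrity is also reported.
            hits.append(("jump to System", parent["Image"], child["Image"]))
    return hits

def ev(guid, parent_guid, image, level):
    """Build one constructed event with the four fields the check needs."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "IntegrityLevel": level}

# Constructed sample events (not real telemetry; paths and GUIDs are placeholders).
SAMPLE = [
    ev("g1", "g0", r"C:\Windows\explorer.exe", "Medium"),
    ev("g2", "g1", r"C:\Windows\System32\cmd.exe", "Medium"),
    ev("g3", "g1", r"C:\Users\alice\AppData\LocalLow\viewer.exe", "Low"),
    ev("g4", "g3", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Low"),
    ev("g5", "g1", r"C:\Users\alice\Downloads\tool.exe", "Medium"),
    ev("g6", "g5", r"C:\Windows\System32\cmd.exe", "System"),
    ev("g7", "g0", r"C:\Windows\System32\services.exe", "System"),
    ev("g8", "g7", r"C:\Windows\System32\cmd.exe", "System"),
]

if __name__ == "__main__":
    for hit in find_suspicious_shells(SAMPLE):
        print(hit)
```

Shells started by a System-integrity parent such as services.exe are not reported, which keeps routine service and scheduled-task activity out of the results.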
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.