Threat Bulletin: New Windows “MiniPlasma” Zero-Day Enables SYSTEM Privilege Escalation on Fully Patched Hosts
22 May 2026 // 6 Min Read
Overview
A newly disclosed Windows zero-day vulnerability known as MiniPlasma is generating significant concern across the cyber security community following the public release of weaponised exploit code capable of granting attackers full NT AUTHORITY\SYSTEM privileges on fully patched Windows systems.
The exploit targets the Windows Cloud Filter driver (cldflt.sys), a core Windows component used by cloud synchronisation services such as Microsoft OneDrive.
Researchers claim the vulnerability stems from an incomplete or ineffective fix originally issued by Microsoft in 2020 under CVE-2020-17103, meaning systems believed to be protected may still remain vulnerable.
Unlike remote exploits that require direct internet exposure, MiniPlasma is a local privilege escalation (LPE) vulnerability. This means attackers first need some level of access to a system – such as through phishing, malware, stolen credentials, or an existing foothold – before using the exploit to elevate privileges and take full control of the machine.
The public availability of reliable proof-of-concept (PoC) exploit code significantly increases the likelihood of rapid adoption by ransomware groups, commodity malware operators, and state-aligned threat actors.
What is MiniPlasma?
MiniPlasma is a privilege escalation exploit that abuses a flaw within the Windows Cloud Filter driver.
In simple terms, it allows an attacker with basic user-level access to trick Windows into granting them the highest possible privileges on the system.
Once successful, the attacker effectively gains:
Full administrative control
Access to sensitive system processes
The ability to disable security tooling
The capability to deploy ransomware or persistence mechanisms
The exploit reportedly works reliably on modern multi-core Windows systems without requiring administrator rights beforehand.
How the Vulnerability Works
The attacThe flaw exists within a function called:
HsmOsBlockPlaceholderAccess
inside the cldflt.sys driver.
According to researchers, the vulnerable code improperly handles registry access permissions during certain operations involving the .DEFAULT user hive.
This allows attackers to:
Bypass normal registry restrictions
Manipulate registry keys
Abuse thread impersonation behaviour
Escalate privileges from a standard user account to SYSTEM
The exploit also abuses:
token manipulation,
race conditions,
and Windows impersonation mechanisms
to achieve privilege escalation.
Once exploited successfully, the PoC launches a SYSTEM-level command shell on the target device.
Why This Matters
This attack is particularly concerning because it bypasses many of the controls organisations rely on to Privilege escalation vulnerabilities are among the most dangerous exploit categories because they allow attackers to turn limited access into full system compromise.
MiniPlasma is particularly concerning because:
Public exploit code is already available
No confirmed effective patch currently exists
The vulnerable component is widely deployed
Fully patched systems may still be exploitable
This dramatically lowers the barrier for attackers following initial compromise.
In practice, a phishing attack or malware infection that would normally have limited permissions could quickly escalate into:
Ransomware deployment
Full endpoint compromise
Credential dumping
EDR tampering
Lateral movement
Potential Impact
Attackers successfully exploiting MiniPlasma may be able to:
Dump credentials from LSASS
Disable or tamper with EDR tooling
Establish persistence
Conduct lateral movement
Deploy ransomware
Manipulate security controls
Maintain long-term access to compromised systems
For organisations already facing phishing, malware, or identity-based attacks, this type of privilege escalation exploit can significantly increase the impact of a compromise.
Detection & Monitoring Recommendations
Security teams should monitor for:
Suspicious Privilege Escalation Activity
Unexpected cmd.exe or powershell.exe instances running as SYSTEM
Standard user accounts suddenly spawning privileged processes
Unusual token impersonation activity
Registry & Cloud Filter Anomalies
Registry modifications involving:
HKEY_USERS\.DEFAULT
Abnormal access involving:
cldflt.sys
OneDrive-related processes
Cloud Filter driver activity
Post-Compromise Indicators
Unexpected privilege escalation chains
EDR tampering attempts
Suspicious SYSTEM-level shells
Unusual registry handle activity
Recommended Actions
Immediate Actions
Organisations should:
Closely monitor Microsoft advisories for remediation guidance
Restrict execution of untrusted binaries and scripts
Enforce least-privilege controls
Enable EDR tamper protection
Apply application control policies such as:
AppLocker
Windows Defender Application Control (WDAC)
Threat Hunting Priorities
Security teams should hunt for:
SYSTEM shells spawned from low-privileged sessions
Suspicious registry modifications
Token impersonation behaviour
Cloud Filter process anomalies
Signs of EDR tampering or privilege abuse
Longer-Term Measures
Organisations should:
Improve visibility into privilege escalation behaviour
Validate EDR detection coverage for token manipulation attacks
Conduct tabletop exercises for post-compromise escalation scenarios
Reduce unnecessary local administrator access across endpoints
Strategic Context
MiniPlasma reflects a broader trend in modern cyber operations where attackers increasingly rely on:
post-compromise privilege escalation,
publicly available offensive tooling,
and abuse of legitimate operating system functionality.
The incident also highlights growing concerns around:
incomplete patching,
silent patch regressions,
and the shrinking timeline between disclosure and active exploitation.
As cloud-integrated Windows components become more deeply embedded across enterprise environments, vulnerabilities affecting these systems may provide attackers with increasingly valuable pathways to full compromise.
Analyst Assessment
MiniPlasma represents a high-risk Windows privilege escalation vulnerability due to the combination of:
potential SYSTEM-level compromise,
public exploit availability,
lack of a confirmed effective patch,
and widespread exposure across enterprise Windows environments.
The exploit significantly increases the operational risk associated with phishing attacks, malware infections, and low-level compromises by allowing attackers to rapidly escalate privileges and bypass security controls.
For SOC teams, this vulnerability should be treated as a credible near-term operational threat, particularly in environments where attackers may already possess:
user-level access,
remote shells,
phished credentials,
or existing malware footholds.
Priority should be placed on:
enhanced endpoint monitoring,
detection engineering,
and rapid response readiness until Microsoft releases a verified remediation.
How NormCyber MDR Helps Detect Low-Visibility Attacks
Threats like MiniPlasma demonstrate why organisations need visibility beyond traditional malware detection. NormCyber’s Managed Detection and Response (MDR) service provides continuous monitoring and expert-led threat hunting designed to identify suspicious privilege escalation activity before attackers can establish full control of an environment.
By correlating endpoint telemetry, identity events, registry activity, and behavioural indicators, our SOC analysts can detect signs of SYSTEM-level compromise, token manipulation, EDR tampering, and unusual process execution associated with modern post-compromise attacks. As ransomware groups and advanced threat actors increasingly abuse legitimate Windows functionality to evade traditional controls, NormCyber MDR helps organisations improve detection coverage, accelerate incident response, and reduce the risk of widespread operational impact.
