The researcher known as Chaotic Eclipse recently published a proof-of-concept (PoC) that takes advantage of a vulnerability of climbing privileges on Windows, baptized as MiniPlasma, which supposedly allows an attacker to obtain SYSTEM privileges on apparently fully-parked machines. The failure is located in the file filter controller in the Windows cloud, cldflt.sys, in a routine called HsmOsBlockPlaceholderAccess; according to the author, the same root of the problem was originally reported by James Forshaw of Google Project Zero in 2020.
The technical history is relevant: in September 2020 Forshaw described a problem that Microsoft mitigated in December of that year under CVE-2020-17103, but Chaotic Eclipse claims that the original condition - a race condition in the mini-filter code - it remains present in practice and the original PoC works unchanged to produce a console with SYSTEM privileges. The nature of the race conditions makes the exploitation dependent on timmings and the environment, but precisely why they can be difficult to correct reliably and remain latent behind apparent patches; for general technical context you can consult Project Zero and Microsoft's warnings on vulnerabilities: Google Project Zero and Microsoft Security Response Center.
The practical implications are clear and serious: a local escalation to SYSTEM opens the door for total equipment control, persistence, backdoors installation and side advance in corporate networks. Several external researchers, including Will Dormann, indicated that the operation works reliably in Windows 11 systems with the updates of May 2026, although not in all branches of Insider; this suggests that the problem is not limited to a specific version and that its risk is significant in heterogeneous environments.
Historically it is not the first time that the cldflt.sys component appears in security notices: Microsoft also treated in December 2025 another climbing vulnerability in the same driver (CVE-2025-62221) identified as being exploited in the field. This antecedent highlights two points: on the one hand, that controllers related to cloud storage integration are attractive targets for their position in the system stack; on the other, that mitigation may require deep reviews and tests to avoid regressions or incomplete patches.
What can and should managers and security officials do right now? First of all, not to assume that "patching" means absence of risk: review official notices and apply all Microsoft recommended updates. In addition, it is appropriate to strengthen compensatory controls: to reduce local privileges to the minimum necessary, to apply implementation blocking policies and whitelisting, to set up EDR and IMS rules to detect unexpected processes running as NT AUTHORITY\\ SYSTEM (e.g. cmd.exe or powershell.exe initiated with that token), and to segment stations with access to critical data to limit the impact of a local escalation. Public bases such as NVD are available for central administration and search for CVE: NVD.
For end-users the recommendations are practical and simple: keep Windows up-to-date, avoid running unreliable source code with high privileges and consider, where feasible, deactivating cloud integration features that are not used (e.g. OneDrive On-Demand Files) until there is clarity on final patches; these measures reduce the attack surface to the affected component. Operating tests should be limited to controlled laboratory environments: running a production PoC can compromise systems and leave evidence difficult to clean.
Finally, it is important to remember that the publication of public PoC accelerates the need for coordinated responses: incident response teams must prioritize the detection of local steps, review historical telemetry in search of suspicious executions such as SYSTEM shells and prepare containment plans. Maintaining communication with suppliers, following the official Microsoft channel for updates and validating patches in test environments before massively deploying them are practices that are now more critical than ever.
Safety alert Drug critical vulnerability of SQL injection in PostgreSQL requires immediate update
Drucal has published safety updates for a vulnerability qualified as "highly critical" which affects Drumal Core and allows an attacker to achieve arbitrary SQL injection in sit...
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
RAMPART and Clarity redefine the safety of IA agents with reproducible testing and governance from the start
Microsoft has presented two open source tools, RAMPART and Clarity, aimed at changing the way the safety of IA agents is tested: one that automates and standardizes technical te...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...