A researcher who calls himself Chaotic Eclipse (also known as Nightmare Eclipse) has published on GitHub a proof-of-concept exploit called MiniPlasma which, according to his own tests and those of third parties, allows privileges to be escalated to SYSTEM on Windows installations that are, on the face of it, fully patched.
The vulnerability affects the Windows Cloud Filter driver, cldflt.sys, and abuses a routine tied to the "hydration" of cloud files through an undocumented API (CfAbortHydration). The technique allows arbitrary entries to be created in the .DEFAULT registry hive without proper access checks, which can serve as a vector to elevate privileges from a standard user account to SYSTEM.

This flaw was originally reported by James Forshaw of Google Project Zero in 2020 and assigned CVE-2020-17103, with a patch published by Microsoft in December of that year. The central claim of the MiniPlasma publication is that, according to Chaotic Eclipse, the problem persists despite that patch, either because the fix never correctly reached all versions or because it was reverted, and that the original 2020 PoC worked unchanged on current systems.
Independent tests by media researchers and response teams confirm that MiniPlasma works on recent public releases of Windows 11 (including the May 2026 patch level), although not on the latest Insider channel build at the time of testing. This suggests that Microsoft may be testing an internal mitigation, or that exposure depends on specific combinations of versions and system components.
The real severity of an escalation to SYSTEM should not be underestimated: a local attacker able to run code (for example via phishing that executes binaries or attachments, or via another local execution bug) could use MiniPlasma to take full control of the system, install persistent backdoors, disable detection and exfiltrate data. In enterprise environments, this facilitates lateral movement and escalation to domain level, with critical consequences.
Beyond the technical impact, the form of disclosure raises an ethical debate. The author has said that he publishes exploits in protest at his experience with the vendor's bug bounty program and vulnerability management, and in previous weeks he had already released other PoCs (BlueHammer, RedSun, YellowKey, GreenPlasma). Publishing functional code puts pressure on vendors but also widens the exposure window for organizations that have not yet applied a mitigation.
For security managers and teams, the immediate priority should be to reduce the attack surface and increase detection capability. Practical recommendations include deploying and maintaining a modern EDR/AV solution with behavioural telemetry, enabling and tuning Sysmon rules to record registry changes and key creation under HKEY_USERS\.DEFAULT, and looking for signs of processes that attempt to manipulate the cldflt.sys driver or make unusual calls related to cloud file hydration. IoC hunting should focus on binaries matching the public PoC and on elevated shells appearing in standard user sessions.
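As an added example (not code from the article or from the PoC author), the following script triages Sysmon registry events for the behaviour the recommendations above describe: key creation or value writes under HKEY_USERS\.DEFAULT by an account other than SYSTEM or a built-in service account. The event records, user names, image paths and the `is_suspicious`/`triage` helpers are constructed for illustration.

```python
# Added example (not from the article): triage Sysmon registry events (Event ID 12/13)
# for key creation or value writes under HKEY_USERS\.DEFAULT made by a non-privileged
# account. The records below are constructed samples in the shape of Sysmon's fields
# (EventID, EventType, TargetObject, Image, User), not real telemetry.
from typing import Dict, List

# Accounts that legitimately touch HKU\.DEFAULT (services running at boot/logon).
PRIVILEGED_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
# Sysmon records the target hive as "HKU\.DEFAULT\..." in TargetObject.
WATCHED_PREFIX = "HKU\\.DEFAULT\\"
# Sysmon registry events: 12 = key create/delete, 13 = value set.
REGISTRY_EVENT_IDS = {12, 13}


def is_suspicious(event: Dict[str, object]) -> bool:
    """True when a non-privileged account creates a key or sets a value under HKU\\.DEFAULT."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return False
    if event.get("EventType") not in {"CreateKey", "SetValue"}:
        return False
    target = str(event.get("TargetObject", ""))
    if not target.upper().startswith(WATCHED_PREFIX.upper()):
        return False
    user = str(event.get("User", "")).upper()
    return user not in {a.upper() for a in PRIVILEGED_ACCOUNTS}


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that deserve an analyst's attention, in log order."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events; SYSTEM writes to HKU\.DEFAULT are expected noise,
# a standard user's own hive (HKU\S-1-5-21-...) is out of scope for this rule.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"},
    {"EventID": 12, "EventType": "CreateKey", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\Downloads\\unknown_tool.exe",
     "TargetObject": "HKU\\.DEFAULT\\Environment"},
    {"EventID": 13, "EventType": "SetValue", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\OneDrive"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[!] {hit['User']} via {hit['Image']} -> {hit['TargetObject']}")
```

Tune PRIVILEGED_ACCOUNTS to the service accounts observed writing to .DEFAULT in your own baseline before alerting on this rule.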
As for provisional technical mitigations, options that involve disabling drivers or system features should first be tested in a lab, because they can break legitimate functionality such as OneDrive Files On-Demand. It is preferable to apply compensating controls: reduce the number of accounts with local privileges, tighten execution policies (AppLocker or Windows Defender Application Control), restrict users' ability to install software, and use blocking policies for files downloaded from the Internet. Maintain an inventory of endpoints and prioritise attention on machines with access to sensitive data or critical services.

If your organization detects potential exploitation, isolate the affected machines, preserve the relevant logs (Sysmon, EDR, Windows Event Logs) and proceed with a forensic analysis. Notify the security officers and, where appropriate, report the incident to Microsoft and to the incident response teams your company uses. For technical follow-up and historical context, see both the original Project Zero report and the official Microsoft entry in its Security Update Guide for CVE-2020-17103.
It is also useful to review the author's own write-up and the repository where the PoC was uploaded, to understand the operational risk and decide on specific measures to block indicators, for example by blocking downloads from that URL in proxy and filtering systems: the Nightmare-Eclipse profile on GitHub. Do not execute the PoC on production networks outside a controlled environment: doing so can cause damage or create legal liability.
In short, MiniPlasma is a reminder that the existence of a published patch does not always amount to complete elimination of the risk. Organizations should combine patching, defence in depth, visibility of system changes and rapid response procedures. The priority now is to identify potentially affected systems, mitigate the impact on critical assets and monitor Microsoft's official communications so as to apply the final fix as soon as it is published.