New Windows “MiniPlasma” Zero‑Day Lets Attackers Gain SYSTEM Access — PoC Released

Overview

A newly disclosed Windows privilege escalation zero‑day, dubbed MiniPlasma, has surfaced with a public proof‑of‑concept (PoC) exploit that enables attackers to gain SYSTEM‑level privileges on fully patched Windows systems. The exploit, released by researcher Nightmare‑Eclipse on May 13, 2026, targets the Cloud Filter driver (cldflt.sys) — specifically the HsmOsBlockPlaceholderAccess routine — originally reported by Google Project Zero’s James Forshaw in 2020.

Technical Breakdown

  • Root Cause: Improper handling of registry key creation in the .DEFAULT user hive due to missing OBJ_FORCE_ACCESS_CHECK flag.
  • Exploit Mechanism:
    • Exploits a race condition toggling between user and anonymous tokens.
    • Manipulates the RtlOpenCurrentUser function to open the .DEFAULT hive for writing.
    • Allows unauthorized registry key creation and privilege escalation.
  • Impact:
    • Works on all modern Windows versions.
    • Grants full SYSTEM‑level control from a standard user account.
    • Exploit verified to spawn a SYSTEM shell on multi‑core systems.

Enterprise Diagram

[Diagram not reproduced in this text version: a conceptual illustration of how the MiniPlasma exploit chain operates within enterprise environments.]

Risk Assessment
  • Affected Component: cldflt.sys — integral to OneDrive and other cloud‑sync services.
  • Threat Scope: Enterprise workstations, cloud‑connected endpoints, and hybrid environments.
  • Exploit Availability: Public PoC on GitHub with hundreds of stars, increasing weaponization risk.
  • Mitigation Status: No official patch yet; Microsoft expected to address it in the next Patch Tuesday cycle.

Defensive Guidance

  • Restrict registry access for non‑administrative users.
  • Monitor for race‑condition anomalies in registry operations.
  • Apply kernel driver integrity checks to detect unauthorized modifications.
  • Isolate cloud‑sync services until official patches are released.
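One concrete way to act on the “monitor registry operations” guidance above is to watch for key creation and value writes under the HKU\.DEFAULT hive by processes that are not running as SYSTEM, since the root cause described in the Technical Breakdown is unauthorized key creation in exactly that hive. The PowerShell below is an added example, not code from the article or from the published PoC. It assumes Sysmon is installed with RegistryEvent rules that cover the .DEFAULT hive, that Sysmon reports such paths with the prefix HKU\.DEFAULT\, and that its event fields are named EventType, TargetObject, Image and User as in the Sysmon documentation; the sample records at the bottom are constructed, not real telemetry.

```powershell
# Added example (not part of the original article): flag registry key creation
# and value writes under HKU\.DEFAULT by callers that are not SYSTEM, using
# Sysmon Event ID 12 (RegistryEvent: object create/delete) and 13 (value set).
# Assumptions: Sysmon registry logging covers HKU\.DEFAULT, paths are reported
# with the "HKU\.DEFAULT\" prefix, and the field names match Sysmon's schema.

function Test-SuspiciousDefaultHiveWrite {
    param(
        [Parameter(Mandatory)] [string] $TargetObject,
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $EventType
    )
    # Only creation and writes matter; deletes and reads are ignored here.
    if ($EventType -notin @('CreateKey', 'SetValue')) { return $false }
    # The .DEFAULT hive is normally only written in SYSTEM context.
    if ($TargetObject -notlike 'HKU\.DEFAULT\*') { return $false }
    if ($User -ieq 'NT AUTHORITY\SYSTEM') { return $false }
    return $true
}

function Get-SuspiciousDefaultHiveWrites {
    # Takes flat event objects (UtcTime, EventType, TargetObject, Image, User)
    # and emits one finding per suspicious record.
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        if (Test-SuspiciousDefaultHiveWrite -TargetObject $e.TargetObject -User $e.User -EventType $e.EventType) {
            [pscustomobject]@{
                Time         = $e.UtcTime
                User         = $e.User
                Image        = $e.Image
                TargetObject = $e.TargetObject
                EventType    = $e.EventType
            }
        }
    }
}

function ConvertFrom-SysmonRegistryEvent {
    # Flatten a live Sysmon event record's EventData into the shape used above.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $x = [xml] $Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        UtcTime      = $d['UtcTime']
        EventType    = $d['EventType']
        TargetObject = $d['TargetObject']
        Image        = $d['Image']
        User         = $d['User']
    }
}

# Constructed sample records (not real telemetry) so the logic runs offline.
# Expected: only the first record is reported (standard user writing HKU\.DEFAULT).
$sample = @(
    [pscustomobject]@{ UtcTime = '2026-05-13 10:00:01.000'; EventType = 'CreateKey'; TargetObject = 'HKU\.DEFAULT\Software\Example'; Image = 'C:\Users\alice\tool.exe'; User = 'DESKTOP\alice' },
    [pscustomobject]@{ UtcTime = '2026-05-13 10:00:02.000'; EventType = 'SetValue';  TargetObject = 'HKU\.DEFAULT\Software\Example\v'; Image = 'C:\Windows\System32\svchost.exe'; User = 'NT AUTHORITY\SYSTEM' },
    [pscustomobject]@{ UtcTime = '2026-05-13 10:00:03.000'; EventType = 'CreateKey'; TargetObject = 'HKU\S-1-5-21-1-2-3-1001\Software\Example'; Image = 'C:\Users\alice\tool.exe'; User = 'DESKTOP\alice' }
)
Get-SuspiciousDefaultHiveWrites -Events $sample | Format-Table -AutoSize

# Against the live Sysmon channel (requires Sysmon and rights to read the log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13 } |
#     ForEach-Object { ConvertFrom-SysmonRegistryEvent $_ }
# Get-SuspiciousDefaultHiveWrites -Events $live
```

This is a heuristic, not a signature for the PoC: Sysmon records the user of the calling process, so a standard‑user process that ends up creating keys under HKU\.DEFAULT is the anomaly, while SYSTEM‑context installers and services are filtered out. Sysmon logs nothing for the registry unless its configuration includes RegistryEvent rules, so the .DEFAULT hive must be covered by those rules for this check to see anything; tune the allow‑list to your own baseline before alerting on it.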

Final Thoughts

The MiniPlasma zero‑day underscores how legacy vulnerabilities can resurface years later through silent patch regressions or overlooked code paths. Its exploitation of a race condition in a core Windows driver demonstrates the fragility of privilege boundaries in complex kernel components.

For enterprises, this incident reinforces the need for continuous kernel‑level monitoring, exploit surface reduction, and rapid patch adoption once fixes are available. In the age of public PoCs, time‑to‑patch is now the most critical metric for resilience.
