
Windows MiniPlasma Zero-Day Vulnerability Allows SYSTEM Privilege Escalation

Researchers unveil the “MiniPlasma” Windows zero-day vulnerability, which grants SYSTEM-level privileges (a step above a local administrator) even on a fully patched Windows 11.

Reviewed & edited by the SINGULISM Editorial Team


Proof-of-Concept for New Zero-Day “MiniPlasma” Released

Security researcher Chaotic Eclipse has publicly shared a proof-of-concept (PoC) exploit for a new Windows zero-day vulnerability named “MiniPlasma.” According to reports, the vulnerability lets a standard user obtain SYSTEM privileges, the highest level of access on Windows, on Windows 11 systems with the latest updates installed.

Revival of a Supposedly Fixed 2020 Vulnerability

What makes this vulnerability particularly noteworthy is its history. According to Chaotic Eclipse, MiniPlasma is identical to CVE-2020-17103, a Cloud Files mini filter driver elevation-of-privilege bug that Google Project Zero reported to Microsoft and that Microsoft patched in December 2020. The researcher claims that “the same issue reported by Google Project Zero to Microsoft remains unpatched.” It remains unclear whether the fix was never shipped or was later reverted by a regression. Surprisingly, the PoC created by Google back in 2020 reportedly still functions without modification.

Validation by Experts

Following this revelation, tech media outlet BleepingComputer conducted its own tests. On a Windows 11 Pro system updated with the latest May 2026 Patch Tuesday updates, running the PoC from a standard user account successfully launched a command prompt with SYSTEM privileges. Vulnerability specialist Will Dormann also confirmed that the exploit works on the current public release of Windows 11. However, he noted that the vulnerability does not function on the latest Windows 11 Insider Preview Canary build, suggesting that Microsoft may already be working on an internal fix.

Technical Background and Implications

This vulnerability appears to exploit the Windows Cloud Filter driver’s undocumented “CfAbortHydration” API to create registry keys without proper access checks: the key is written by the kernel driver on behalf of a low-privileged caller, so the caller’s own permissions are never applied. As a result, attackers can plant arbitrary registry keys in the HKEY_USERS\.DEFAULT hive, which is the hive loaded for the SYSTEM logon session, and that is what turns a registry write into a privilege escalation. SYSTEM-level privileges give an attacker full control over the machine, enabling malware persistence, credential and data theft, and tampering with security tooling. That a vulnerability identified and patched in 2020 is exploitable again raises serious questions about how the fix was lost and why no regression test caught it. Until Microsoft delivers a security update, users are advised to exercise heightened caution, in particular by not running untrusted files, since the PoC needs nothing more than the ability to execute code as a standard user.
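Because the article describes the attacker’s footprint as new keys appearing under HKEY_USERS\.DEFAULT, one practical check while waiting for a patch is to baseline that hive and diff it later. The script below is an added example written for this page; it is not the researcher’s PoC, not code from BleepingComputer or Microsoft, and it does not exercise the bug. The service name CldFlt, the baseline file path, and the treatment of any unexpected key as worth triaging are assumptions made here, not claims from the article.

```powershell
# Added example (not from the article): baseline-and-diff check for new
# subkeys under HKEY_USERS\.DEFAULT, the hive the article says the PoC
# writes into. Run from an elevated PowerShell session.
#   First run  : .\Check-DefaultHive.ps1               (writes the baseline)
#   Later runs : .\Check-DefaultHive.ps1               (reports additions)
#   Re-baseline: .\Check-DefaultHive.ps1 -SaveBaseline
param(
    # Assumption: where we keep the snapshot; any admin-only path works.
    [string]$BaselinePath = "$env:ProgramData\default-hive-baseline.json",
    [switch]$SaveBaseline
)

# Report the OS build so results can be matched against vendor guidance
# about which releases are affected.
Write-Host ("Windows build: {0}" -f [System.Environment]::OSVersion.Version.Build)

# 1. Is the Cloud Files mini filter driver loaded? If it is not running,
#    the driver code path the article describes is not reachable.
#    Assumption: the kernel service is named CldFlt.
$cldflt = Get-CimInstance Win32_SystemDriver -Filter "Name='CldFlt'" -ErrorAction SilentlyContinue
if ($null -eq $cldflt) {
    Write-Host "CldFlt driver not present on this host."
} else {
    Write-Host ("CldFlt state: {0} (started: {1})" -f $cldflt.State, $cldflt.Started)
}

# 2. Snapshot the full path of every subkey under HKU\.DEFAULT.
#    Keys we cannot open are skipped rather than aborting the scan.
function Get-DefaultHiveKeys {
    Get-ChildItem -Path 'Registry::HKEY_USERS\.DEFAULT' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name }
}

$current = @(Get-DefaultHiveKeys)

if ($SaveBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host ("Baseline of {0} keys written to {1}" -f $current.Count, $BaselinePath)
    return
}

# 3. Diff against the baseline. Keys that appeared without a matching
#    administrative change are the ones to investigate; the ACL on
#    HKU\.DEFAULT normally gives standard users read access only, so a
#    key a standard user could not have created legitimately is suspect.
$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$added = @(Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
    Where-Object { $_.SideIndicator -eq '=>' } |
    Select-Object -ExpandProperty InputObject)

if ($added.Count -eq 0) {
    Write-Host "No new keys under HKU\.DEFAULT since baseline."
} else {
    Write-Warning ("{0} new key(s) under HKU\.DEFAULT since baseline:" -f $added.Count)
    $added | ForEach-Object { Write-Host "  $_" }
}
```

The baseline must be taken on a host you believe to be clean, and it should be refreshed after legitimate changes (Windows updates and software installs do write under .DEFAULT), otherwise the diff fills with noise. A snapshot-and-diff cannot prove the absence of exploitation; it only surfaces the kind of artifact the article describes.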

Frequently Asked Questions

Which versions of Windows are affected by this vulnerability?
The vulnerability has been confirmed to work on Windows 11 systems updated with the latest May 2026 Patch Tuesday updates. There is no official mention of its impact on Windows 10 or other versions at this time.
Is Microsoft aware of this issue, and are there any fixes?
As of the article’s publication, Microsoft has not issued an official statement. However, experts have verified that the vulnerability does not work on the latest Windows 11 Insider Preview builds, suggesting that Microsoft may be addressing the issue internally. Users are advised to keep their systems up to date and await an official security update from Microsoft.
Source: Slashdot
