Windows Zero-Day 'MiniPlasma' Exploits Cloud Files Driver for SYSTEM Privilege Escalation
A new zero-day vulnerability dubbed **MiniPlasma** has been disclosed, affecting the Windows Cloud Files Mini Filter Driver (cldflt.sys). This flaw allows attackers to gain SYSTEM privileges on fully patched Windows systems, potentially bypassing existing security measures.

**Chaotic Eclipse**, the security researcher known for recently disclosing Windows flaws like YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for this Windows privilege escalation zero-day.
### MiniPlasma: Deep Dive into the Vulnerability
The vulnerability, codenamed **MiniPlasma**, impacts "cldflt.sys," the **Windows** Cloud Files Mini Filter Driver. The issue resides within a routine named "HsmOsBlockPlaceholderAccess." It was originally reported to **Microsoft** by **Google Project Zero** researcher James Forshaw in September 2020.
### A Patch That Wasn't?
While it was believed that **Microsoft** addressed the shortcoming in December 2020 as part of **CVE-2020-17103**, Chaotic Eclipse claims that further investigation revealed the "exact same issue [...] is actually still present, unpatched."
"I'm unsure if **Microsoft** just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by **Google** worked without any changes," the researcher stated. "To highlight this issue, I weaponized the original PoC to spawn a SYSTEM shell. It seems to work reliably in my machines but success rate may vary since it's a race condition."
The researcher suggests that all **Windows** versions are likely affected by this vulnerability.
### Real-World Impact Confirmed
Security researcher Will Dormann confirmed on Mastodon that MiniPlasma "reliably" opens a "cmd.exe" prompt with SYSTEM privileges on **Windows 11** systems running the latest May 2026 updates. However, Dormann noted that the exploit doesn't seem to work on the latest Insider Preview Canary **Windows 11** builds.
### History of cldflt.sys Vulnerabilities
In December 2025, **Microsoft** addressed another privilege escalation flaw in the same component (**CVE-2025-62221**, CVSS score: 7.8), which the company reported as being exploited by unknown threat actors.