A new Windows zero-day privilege escalation vulnerability called “MiniPlasma” has been identified. According to reports, the publicly released proof-of-concept (PoC) exploit allows attackers to obtain SYSTEM-level privileges on fully patched Windows devices.
The flaw affects the “HsmOsBlockPlaceholderAccess” routine within “cldflt.sys”, the Cloud Filter driver used in the Windows operating system. The issue was initially reported to Microsoft in September 2020. At the time, the vulnerability was assigned the identifier CVE-2020-17103 and was announced as being fixed as part of the “Patch Tuesday” updates released in December 2020.
Recent research indicates that Microsoft either did not fully remediate the issue or that the security fix applied at the time was later rolled back for unknown reasons. According to available information, the original PoC exploit remains functional without any modification.
The exploit abuses a weakness in the way the Windows Cloud Filter driver handles registry key creation through the undocumented “CfAbortHydration” API. The initial technical report noted that the flaw could allow arbitrary registry keys to be created in the “.DEFAULT” user hive without proper access checks, potentially enabling privilege escalation attacks.
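A hunting heuristic for the behaviour described above, added here as an example (it is not from the original report or from Microsoft): it parses Sysmon Event ID 12 registry events and flags key creation under HKU\.DEFAULT by any account other than SYSTEM. The sample events are constructed, and it is an assumption that Sysmon records the `User` field and attributes the write to the calling user's account.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DEFAULT_HIVE = "HKU\\.DEFAULT"               # Sysmon's short form of HKEY_USERS\.DEFAULT
EXPECTED_WRITERS = {"NT AUTHORITY\\SYSTEM"}  # assumption: extend with approved admin accounts

def parse_event(xml_text):
    """Return (event_id, fields) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def is_unexpected_default_hive_create(event_id, fields):
    """True for a key creation under HKU\\.DEFAULT by an account not in EXPECTED_WRITERS."""
    if event_id != 12 or fields.get("EventType") != "CreateKey":
        return False
    target = fields.get("TargetObject", "").upper()  # registry paths are case-insensitive
    # Match the hive root or a subkey, but not a sibling such as HKU\.DEFAULT2.
    in_hive = target == DEFAULT_HIVE or target.startswith(DEFAULT_HIVE + "\\")
    writers = {w.upper() for w in EXPECTED_WRITERS}
    return in_hive and fields.get("User", "").upper() not in writers

def hunt(xml_events):
    """Return the field dicts of every event that matches the heuristic."""
    parsed = (parse_event(x) for x in xml_events)
    return [f for event_id, f in parsed if is_unexpected_default_hive_create(event_id, f)]

def sample_event(event_type, target, user, image):
    """Build a constructed Event ID 12 record; not captured from a real system."""
    fields = {"EventType": event_type, "TargetObject": target, "User": user, "Image": image}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>12</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample events: hostnames, accounts, paths and the SID are placeholders.
USER_HIVE = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLES = [
    sample_event("CreateKey", "HKU\\.DEFAULT\\Software\\Example", "NT AUTHORITY\\SYSTEM",
                 "C:\\Windows\\System32\\svchost.exe"),
    sample_event("CreateKey", "HKU\\.DEFAULT\\Software\\Example\\Added", "WORKSTATION\\alice",
                 "C:\\Users\\alice\\Downloads\\sample.exe"),
    sample_event("CreateKey", USER_HIVE + "\\Software\\Example", "WORKSTATION\\alice",
                 "C:\\Windows\\explorer.exe"),
    sample_event("DeleteKey", "HKU\\.DEFAULT\\Software\\Old", "WORKSTATION\\alice",
                 "C:\\Windows\\regedit.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLES):
        print(hit["User"], hit["Image"], hit["TargetObject"])
```

Administrators can legitimately write to this hive, so hits from approved accounts belong in `EXPECTED_WRITERS` rather than being treated as alerts.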
“MiniPlasma” is considered part of a wider series of Windows zero-day vulnerabilities disclosed in recent weeks. In April, the “BlueHammer” privilege escalation flaw, tracked as CVE-2026-33825, as well as another vulnerability named “RedSun” and the “UnDefend” tool targeting Windows Defender operations, were also publicly disclosed.
In addition, two other exploit tools named “YellowKey” and “GreenPlasma” were reportedly released this month. “YellowKey” is described as a BitLocker bypass mechanism affecting TPM-only BitLocker configurations on Windows 11 and Windows Server 2022/2025 systems. It enables command-line access to unlocked drives.
Microsoft has previously stated that it supports coordinated vulnerability disclosure and continues to investigate reported security issues.