A new Windows flaw called MiniPlasma has turned an old fix into a fresh headache for security teams. A working proof of concept now lets a standard user jump to SYSTEM on affected machines, which changes this from a research note into an active patching problem.
For startups and enterprises that run Windows infrastructure, that matters immediately. SYSTEM access is the kind of foothold that can be used to install software, alter files, tamper with security tools, and move sideways across a network with very little resistance.
MiniPlasma is the latest disclosure from a researcher known as Chaotic Eclipse, also called Nightmare Eclipse, and it centers on Windows Cloud Filter driver code tied to cldflt.sys. According to BleepingComputer, the exploit was released with source code and a compiled executable, and it worked on a fully patched Windows 11 Pro machine running Microsoft's May 2026 updates. Will Dormann, a principal vulnerability analyst at Tharros, also confirmed that the exploit worked on the latest public Windows 11 build, although not on the newest Insider Canary build.
The uncomfortable detail is that the underlying issue is not new. The bug was originally reported by Google Project Zero researcher James Forshaw in September 2020, assigned CVE-2020-17103, and Microsoft said it fixed it in December 2020. BleepingComputer reported that the researcher now believes the exact same flaw is still present, or that the original patch was silently rolled back at some point. That is a serious claim, but the proof of concept appears to back it up.
The release of working exploit code changes how defenders should think about this class of bug. A disclosed vulnerability is one thing. A public exploit that reliably grants elevated access on current systems is another, because it lowers the barrier from research to abuse.
That is especially true in an environment where attackers increasingly use automation and AI assistance to adapt public code into operational tooling. Once exploit logic is available, the time between disclosure and real-world probing can shrink fast. Security teams do not need to assume every attacker will weaponize MiniPlasma immediately, but they should assume the code will circulate and be tested.
The technical path here is also the sort of thing defenders worry about because it targets trust boundaries inside Windows itself. BleepingComputer said the exploit appears to abuse how the Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API, while Forshaw's original report described a path that could allow arbitrary registry keys to be created in the .DEFAULT hive without proper access checks. In plain language, this is the sort of bug that turns a local user into a much more powerful one.
That may sound narrow, but in practice local privilege escalation bugs are often the second stage of a broader intrusion. An attacker who gets a foothold through phishing, a vulnerable service, or another exposed application can use SYSTEM access to harden their position, disable controls, and reach other machines. For a startup with a lean security team, that can be the difference between containing an incident and watching it spread.
What founders should do now
Microsoft has not publicly confirmed a new fix for MiniPlasma at the time of reporting, and BleepingComputer said it had contacted the company for comment. That leaves defenders with a simple task: treat this as an active exposure, not a theoretical bug. If your Windows systems are fully patched and still vulnerable to the published PoC, patch status alone is not enough of a comfort blanket.
Security-focused founders and CTOs should start with the machines that matter most, especially admin workstations, file servers, endpoints with broad network reach, and any Windows system that accepts untrusted input or sits close to lateral movement paths. Inventory which systems are public-facing, which are reachable from internal networks, and which users have local administrative rights. Those are the places where a privilege escalation bug does the most damage.
It is also worth reviewing how quickly you can detect abnormal child processes, elevated shells, and unusual registry changes on Windows endpoints. MiniPlasma is a reminder that patching is only part of the answer. If a local exploit lands before a fix is available, the next best defense is visibility, least privilege, and a network layout that makes lateral movement expensive.
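As an added example of the visibility the paragraph above calls for (not code from the article, from Microsoft, or from the researcher's release), the script below runs two detections over endpoint telemetry: a registry key created under the `.DEFAULT` hive by a caller that is not a Windows service account, and a SYSTEM-level process whose parent runs as an ordinary user. The events are constructed inline and shaped like Sysmon Event ID 12 (registry object create) and Event ID 1 (process create); the field names follow Sysmon's schema, the `ParentUser` field is assumed to be present (newer Sysmon builds emit it), and the `HKU\.DEFAULT` and `\REGISTRY\USER\.DEFAULT` path prefixes are assumptions about how the key path appears in the log rather than something the article states.

```python
"""Defensive checks over Sysmon-style endpoint events.

Assumptions (not from the article): events are dicts using Sysmon's field
names; registry object creation is Event ID 12 with EventType "CreateKey";
process creation is Event ID 1 with User and ParentUser fields.
"""
import re

# Accounts that legitimately touch the .DEFAULT hive (services run here).
SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Either spelling of the .DEFAULT hive root, as it may appear in TargetObject
# (assumed forms, case-insensitive).
DEFAULT_HIVE = re.compile(r"^(?:HKU|\\REGISTRY\\USER)\\\.DEFAULT(?:\\|$)", re.IGNORECASE)

# Constructed sample events; every path, user and SID below is invented.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"EventID": 12, "EventType": "CreateKey",
     "Image": "C:\\Users\\alice\\Downloads\\unknown.exe", "User": "CORP\\alice",
     "TargetObject": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"EventID": 12, "EventType": "CreateKey",
     "Image": "C:\\Users\\alice\\AppData\\Local\\app.exe", "User": "CORP\\alice",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\App"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Users\\alice\\Downloads\\unknown.exe", "ParentUser": "CORP\\alice"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"},
]


def is_system_account(user: str) -> bool:
    """True for the built-in service accounts that are expected to write to HKU\\.DEFAULT."""
    return user.upper() in {s.upper() for s in SYSTEM_ACCOUNTS}


def check_registry_event(ev: dict):
    """Alert when a non-service account creates a key inside the .DEFAULT hive."""
    if ev.get("EventID") != 12 or ev.get("EventType") != "CreateKey":
        return None
    if not DEFAULT_HIVE.match(ev.get("TargetObject", "")):
        return None
    if is_system_account(ev.get("User", "")):
        return None
    return (f"registry: {ev.get('User')} via {ev.get('Image')} created "
            f"{ev.get('TargetObject')} in the .DEFAULT hive")


def check_process_event(ev: dict):
    """Alert when a SYSTEM process is spawned by a parent running as an ordinary user."""
    if ev.get("EventID") != 1:
        return None
    if not is_system_account(ev.get("User", "")):
        return None
    parent_user = ev.get("ParentUser", "")
    if not parent_user or is_system_account(parent_user):
        return None
    return (f"process: {ev.get('Image')} runs as {ev.get('User')} but parent "
            f"{ev.get('ParentImage')} runs as {parent_user}")


def scan(events):
    """Run both checks over a list of events and return the alert strings."""
    alerts = []
    for ev in events:
        for check in (check_registry_event, check_process_event):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Both checks will fire on legitimate activity until they are baselined: installers and some services create keys under `.DEFAULT`, and scheduled tasks or UAC elevation can produce SYSTEM children of user processes, so the value of the rules is in the review queue they feed and the process image and user they attach to each hit, not in treating every alert as an intrusion.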
The larger pattern here is hard to ignore. BleepingComputer described MiniPlasma as part of a string of Windows zero-day disclosures from the same researcher over recent weeks, including BlueHammer, RedSun, UnDefend, YellowKey, and GreenPlasma. That makes this less like an isolated surprise and more like a signal that Windows privilege and recovery paths are still fertile ground for attackers, researchers, and anyone standing in between.
For operators, the lesson is blunt. A patch that looks finished in one release can still be incomplete years later. When working exploit code appears, the window between disclosure and operational abuse is often much smaller than teams want to believe.