CHAOTIC Eclipse has released a PoC for a Windows privilege escalation flaw codenamed MiniPlasma, which targets cldflt[.]sys, the Windows Cloud Files Mini Filter Driver, in a routine called HsmOsBlockPlaceholderAccess and can grant attackers SYSTEM privileges on patched systems.
It was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020, and although it was assumed fixed in December 2020 as part of CVE-2020-17103, Chaotic Eclipse says the exact same issue remains unpatched. The researcher described weaponising the PoC to spawn a SYSTEM shell, noting the technique appears to work reliably on their machines, though success may vary due to race conditions, and that all Windows versions are likely affected.
In the discussion on Mastodon, security researcher Will Dormann said MiniPlasma works reliably to open a cmd[.]exe prompt with SYSTEM privileges on Windows 11 systems running the latest May 2026 updates, with caveats for the latest Insider Preview Canary build. The article also recalls that Microsoft addressed another privilege escalation flaw in the same component in December 2025 (CVE-2025-62221, CVSS 7.8). According to Google Project Zero.