Chaotic Eclipse releases PoC for MiniPlasma, a Windows zero-day in cldflt.sys that grants SYSTEM privileges on fully patched systems. Learn how it works and how to defend.
A new Windows zero-day vulnerability, dubbed MiniPlasma, has hit the cybersecurity scene hard. Security researcher Chaotic Eclipse, who previously disclosed the YellowKey and GreenPlasma flaws, just dropped a proof-of-concept (PoC) for this one. It lets attackers grab SYSTEM-level privileges on fully patched Windows machines, which is a pretty big deal.
So, what's the target here? It's a driver called "cldflt.sys," also known as the Windows Cloud Files Mini Filter Driver. This thing handles cloud file syncing, like what you see with OneDrive. But instead of just moving files around, a flaw in it can be exploited to elevate normal user rights all the way to the top—SYSTEM level. That means total control over the system, no questions asked.
### How MiniPlasma Works
The exploit takes advantage of a bug in how the driver processes certain requests. By sending specially crafted data, an attacker can trick the driver into running code with higher privileges. It's not something you'd see in a casual attack—it needs a bit of setup. But once it's in play, the damage can be serious.
- **Target:** Windows Cloud Files Mini Filter Driver (cldflt.sys)
- **Impact:** SYSTEM privilege escalation from a standard user account
- **Attack Vector:** Local access required, but no admin rights needed initially
This isn't a remote exploit, so an attacker would need to be on the system already, maybe through a phishing email or a compromised app. But once they're in, MiniPlasma gives them the keys to the kingdom.

### Why This Matters for Security Pros
For anyone managing Windows environments, this is a wake-up call. Even with the latest patches from Microsoft, this flaw slips through. It shows that driver-level vulnerabilities can still be a blind spot. The fact that a PoC is public means attackers can study it and potentially create their own versions.
> "MiniPlasma highlights how even fully patched systems aren't immune to privilege escalation when driver code has bugs."

A reminder for security teams to monitor driver behavior closely.
### What You Can Do Right Now
While there's no official patch yet, there are steps to reduce risk:
- Limit local access to systems through strict user permissions.
- Monitor for unusual driver activity, especially around cldflt.sys.
- Keep an eye on security advisories from Microsoft for a future fix.
- Use endpoint detection tools that flag privilege escalation attempts.
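To act on the second and last points above, a defender first needs to know which hosts actually have the Cloud Files mini filter loaded and which have sync roots registered. The following PowerShell inventory script is an added example, not code from the article or from Chaotic Eclipse; it assumes the standard `fltmc filters` output layout (filter name in the first column) and that Cloud Files providers register sync roots under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager`. Run it elevated, since `fltmc` needs administrator rights.

```powershell
# Added example: report a host's exposure surface for cldflt.sys issues.
# Combines three views: the service (installed/running), the filter manager
# (is the mini filter attached right now), and the on-disk binary (version,
# Authenticode status), plus the registered Cloud Files sync roots.
# Assumption: sync roots live under the SyncRootManager registry key below.

function Get-CldfltExposure {
    [CmdletBinding()]
    param()

    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'

    # Service-level view: is the driver installed, and what is its state?
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='cldflt'" `
        -ErrorAction SilentlyContinue

    # Filter-manager view: is cldflt listed among the loaded mini filters?
    $loaded = $false
    $fltOutput = & fltmc.exe filters 2>$null
    if ($LASTEXITCODE -eq 0) {
        $loaded = [bool]($fltOutput | Where-Object { $_ -match '^\s*cldflt\s' })
    }

    # File-level view: version and signature of the binary actually on disk.
    $fileInfo = Get-Item -Path $driverPath -ErrorAction SilentlyContinue
    $sig = if ($fileInfo) { Get-AuthenticodeSignature -FilePath $driverPath } else { $null }

    # Sync roots (OneDrive and other Cloud Files providers) registered on this host.
    $syncRootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
    $syncRoots = @()
    if (Test-Path -Path $syncRootKey) {
        $syncRoots = @((Get-ChildItem -Path $syncRootKey).PSChildName)
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DriverState    = if ($svc) { $svc.State } else { 'NotInstalled' }
        StartMode      = if ($svc) { $svc.StartMode } else { $null }
        FilterLoaded   = $loaded
        FileVersion    = if ($fileInfo) { $fileInfo.VersionInfo.FileVersion } else { $null }
        SignatureState = if ($sig) { $sig.Status.ToString() } else { $null }
        SyncRootCount  = $syncRoots.Count
        SyncRoots      = ($syncRoots -join ';')
    }
}

Get-CldfltExposure | Format-List
```

Hosts where `FilterLoaded` is true and `SyncRootCount` is greater than zero are the ones the article tells you to watch most closely; record `FileVersion` so you can confirm later that a vendor fix has actually landed.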
This isn't the first time Chaotic Eclipse has found something like this, and it probably won't be the last. The key is staying proactive. For now, assume that any system with cloud file syncing enabled could be a target. Stay sharp, and don't rely solely on patch management—defense in depth is your friend.
### Final Thoughts
MiniPlasma is a reminder that cybersecurity is always a game of cat and mouse. Researchers find holes, vendors patch them, and attackers look for new ones. In this case, the hole is in a driver most people never think about. That's exactly where threats like to hide. Keep learning, keep testing, and never assume you're fully protected.