Executive Summary
On May 17, 2026, cybersecurity researcher Chaotic Eclipse released a proof-of-concept exploit named 'MiniPlasma' that enables attackers to gain SYSTEM privileges on fully patched Windows systems. This exploit targets a vulnerability in the 'cldflt.sys' Cloud Filter driver, specifically the 'HsmOsBlockPlaceholderAccess' routine, which was initially reported in 2020 as CVE-2020-17103 and believed to have been patched in December 2020. However, the researcher discovered that the vulnerability remains exploitable, allowing for privilege escalation attacks.
The release of this exploit underscores the critical importance of thorough patch validation and continuous security assessments. Organizations must remain vigilant, as previously addressed vulnerabilities can resurface, posing significant security risks. This incident highlights the necessity for robust vulnerability management practices to ensure the effectiveness of security patches.
Why This Matters Now
The 'MiniPlasma' exploit demonstrates that vulnerabilities thought to be patched can still be exploited, emphasizing the need for organizations to reassess their security measures and validate the effectiveness of applied patches to prevent potential privilege escalation attacks.
Attack Path Analysis
An attacker exploited the 'MiniPlasma' zero-day vulnerability in the Windows Cloud Filter driver to gain SYSTEM privileges. After escalating privileges, the attacker moved laterally within the network, established command and control channels, exfiltrated sensitive data, and caused significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the 'MiniPlasma' zero-day vulnerability in the Windows Cloud Filter driver to gain SYSTEM privileges.
Related CVEs
CVE-2020-17103
CVSS 7An elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver allows attackers to gain SYSTEM privileges.
Affected Products:
Microsoft Windows 10 – 1803, 1809, 1903, 1909, 2004, 20H2
Microsoft Windows Server – 2016, 2019
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploitation for Privilege Escalation
Windows Service
LSASS Driver
Bypass User Account Control
Registry Run Keys / Startup Folder
Winlogon Helper DLL
Time Providers
Authentication Package
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong identity and access management controls.
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Windows privilege escalation zero-day enables SYSTEM access on endpoints, threatening customer data protection and regulatory compliance requirements under financial regulations.
Health Care / Life Sciences
MiniPlasma exploit compromises Windows workstations handling patient records, risking HIPAA violations and unauthorized access to sensitive healthcare information systems.
Government Administration
Zero-day privilege escalation vulnerability exposes government systems to unauthorized SYSTEM-level access, compromising sensitive data and critical infrastructure operations.
Financial Services
Unpatched Windows Cloud Filter driver vulnerability allows attackers to gain elevated privileges, threatening transaction systems and client financial data security.
Sources
- New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC releasedhttps://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/Verified
- CVE-2020-17103 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2020-17103Verified
- Microsoft Security Update Guide - CVE-2020-17103https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17103Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally, establish command and control channels, and exfiltrate data, thereby reducing the overall blast radius of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial exploitation of a zero-day vulnerability, it could likely limit the attacker's subsequent actions by enforcing strict segmentation and access controls.
Control: Zero Trust Segmentation
Mitigation: Even with elevated privileges, the attacker would likely find their access scope limited, reducing the potential for further exploitation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally would likely be constrained, limiting access to additional systems.
Control: Multicloud Visibility & Control
Mitigation: Establishing command and control channels would likely be more challenging, reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts would likely be detected and blocked, reducing the risk of data loss.
Operational disruption would likely be minimized, reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- System Administration
- User Account Management
Estimated downtime: N/A
Estimated loss: N/A
Potential unauthorized access to system-level operations and sensitive data.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to limit lateral movement opportunities.
- • Deploy East-West Traffic Security to monitor and control internal traffic flows.
- • Utilize Multicloud Visibility & Control to detect and respond to anomalous activities.
- • Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Apply Inline IPS (Suricata) to detect and block known exploit patterns.
