A zero-day privilege escalation vulnerability in the Windows Cloud Filter driver (cldflt.sys), tracked as CVE-2026-33825 and dubbed “MiniPlasma,” allows any local user or application to escalate to SYSTEM privileges on fully patched Windows systems. The vulnerability is a bypass of CVE-2020-17103 — a vulnerability originally reported by Google Project Zero researcher James Forshaw in September 2020 and supposedly fixed in December 2020. The proof-of-concept exploit, including source code and a compiled executable, has been publicly released on GitHub by researcher Chaotic Eclipse (Nightmare Eclipse), who claims Microsoft’s original patch was incomplete. No official patch is currently available.
What Is the Vulnerability?
CVE-2026-33825 is a local privilege escalation vulnerability in the cldflt.sys Cloud Filter driver, specifically in the HsmOsBlockPlaceholderAccess routine. The Cloud Filter driver is a core Windows kernel component that provides the file system synchronisation infrastructure used by OneDrive, SharePoint, and other cloud storage providers. It is present on all modern Windows versions — Windows 10, Windows 11, and Windows Server — as part of the operating system’s cloud file storage architecture.
The original vulnerability (CVE-2020-17103) was a heap-based buffer overflow in the same driver reported by James Forshaw of Google Project Zero in September 2020. Microsoft released a patch in December 2020. However, the researcher behind MiniPlasma discovered that the patch was incomplete — the underlying flaw in how the driver handles placeholder access operations was not fully addressed, and a different exploitation path through the same routine can achieve the same result: local privilege escalation from any user context to SYSTEM, the highest privilege level on Windows.
The researcher released both source code and a compiled executable on GitHub. This means the exploit requires no development skill — an attacker or malicious insider can simply download and run the provided binary to gain SYSTEM access on any unpatched Windows system.
- CVSS v3.1 Score: 7.8 (High)
- Attack Vector: Local (AV:L)
- Attack Complexity: Low (AC:L)
- Privileges Required: Low (PR:L)
- User Interaction: None (UI:N)
- Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H)
Which Versions Are Affected?
Fully patched versions of Windows are affected because the original CVE-2020-17103 fix did not fully remediate the underlying vulnerability:
- Windows 10 — all versions with the Cloud Filter driver
- Windows 11 — all versions with the Cloud Filter driver
- Windows Server 2016, 2019, 2022, 2025 — all versions with the Cloud Filter driver
Essentially every modern Windows system is affected, even those with all current Windows Updates applied. The Cloud Filter driver (cldflt.sys) is present by default as part of the Windows cloud storage infrastructure.
Is It Being Exploited in the Wild?
No confirmed in-the-wild exploitation has been publicly reported at the time of writing. However, the PoC has been publicly released on GitHub as both source code and a compiled executable — meaning it can be immediately downloaded and used by anyone. The transition from “PoC released” to “active exploitation” for Windows local privilege escalation exploits is typically very short. The compiled executable eliminates the development barrier entirely. Organisations should assume that the exploit will be weaponised and integrated into commodity malware, ransomware toolkits, and red team frameworks within days. The vulnerability is also a bypass of a previously patched CVE, which means attackers who studied the original CVE-2020-17103 may already understand the attack surface.
What Is the Fix?
No official patch is available from Microsoft yet. The vulnerability was disclosed with the PoC release and Microsoft has not yet issued a security update. Monitor the Microsoft Security Response Center advisory at:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
Until a patch is released, implement the containment measures described below. There is no workaround that eliminates the vulnerability — only mitigations that reduce the risk of exploitation.
Recommendations
Apply containment measures today — no patch exists. This is a true zero-day with a publicly available compiled PoC. The following mitigations reduce exploitation risk but do not eliminate it:
- Enforce strict local access controls. This is a local privilege escalation — an attacker must already have code execution on the system (via malware, compromised user account, or malicious insider). Restrict who can log in interactively, run unapproved applications, or execute scripts on Windows systems. Remove local administrator rights from standard user accounts.
- Deploy application control. Windows Defender Application Control (WDAC) or AppLocker can block execution of unknown binaries, including the publicly released MiniPlasma PoC executable. Configure WDAC in enforcement mode for critical systems.
- Enable enhanced auditing for privilege escalation. Monitor Windows Event ID 4672 (special privileges assigned to new logon) and Event ID 4688 (process creation) to detect processes unexpectedly obtaining or running with SYSTEM-level privileges. Focus on processes launched by non-system accounts that spawn child processes running as SYSTEM.
- Consider disabling the Cloud Filter driver if not needed. If your environment does not use OneDrive, SharePoint sync, or other cloud storage providers that rely on the Cloud Filter driver, you can disable cldflt.sys. Test thoroughly before deploying — this may impact Windows functionality.
- Monitor Microsoft’s advisory for the patch release. Apply the update immediately when available. The original CVE-2020-17103 was distributed through Windows Update — expect the fix for CVE-2026-33825 to follow the same channel.
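The auditing recommendation above (Event ID 4688 process creation, correlated with Event ID 4672 special-privilege logons) can be turned into a hunt query. The following PowerShell script is an added example and is not part of the advisory or of any Microsoft tooling; it assumes Audit Process Creation is enabled in the advanced audit policy, that the Target Subject fields of 4688 are populated (Windows 10 / Server 2016 and later), and that the list of "expected" service SIDs and user-writable parent paths is tuned per environment.

```powershell
# Added example (not from the advisory): hunt the Security log for processes that run as
# SYSTEM although they were created from, or parented by, an ordinary user context.
# Requirements: "Audit Process Creation" enabled (command-line logging is optional but helps);
# run elevated on the endpoint, or point -ComputerName at a forwarded-events collector.

param(
    [int]$LookbackHours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

# Well-known SIDs of accounts that legitimately create SYSTEM processes (assumption: tune per environment).
$ServiceSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
# Parent locations a SYSTEM process should normally never be launched from (assumption).
$UserWritablePaths = @('\Users\', '\Temp\', '\AppData\', '\ProgramData\', '\Downloads\')

function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    # 4688/4672 store their fields as <Data Name="...">value</Data> elements.
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SpecialPrivilegeLogonIds {
    # 4672 is raised once per logon session that receives SeDebug/SeTcb/etc.
    param([datetime]$Since, [string]$Computer)
    $ids = @{}
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { $ids[[string](Get-EventDataField ([xml]$_.ToXml()) 'SubjectLogonId')] = $true }
    $ids
}

function Find-SuspiciousSystemSpawn {
    param([int]$Hours, [string]$Computer)
    $since = (Get-Date).AddHours(-$Hours)
    $privLogons = Get-SpecialPrivilegeLogonIds -Since $since -Computer $Computer
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $x = [xml]$ev.ToXml()
        $creatorSid     = Get-EventDataField $x 'SubjectUserSid'
        $creatorLogonId = [string](Get-EventDataField $x 'SubjectLogonId')
        $targetSid      = Get-EventDataField $x 'TargetUserSid'    # null SID / '-' when the token is inherited
        $parent         = Get-EventDataField $x 'ParentProcessName'

        $targetSet    = $targetSid -notin @('S-1-0-0', '-', $null, '')
        $effectiveSid = if ($targetSet) { $targetSid } else { $creatorSid }
        if ($effectiveSid -ne 'S-1-5-18') { continue }   # only SYSTEM processes are of interest

        $reasons = @()
        # Heuristic 1: a non-service account handed a SYSTEM token to the new process.
        if ($targetSet -and ($ServiceSids -notcontains $creatorSid)) {
            $reasons += "creator SID $creatorSid is not a service account"
        }
        # Heuristic 2: the SYSTEM process was parented from a user-writable location
        # (catches an exploit that swapped its own token before spawning a child).
        foreach ($p in $UserWritablePaths) {
            if ($parent -like "*$p*") { $reasons += "parent '$parent' is in a user-writable location"; break }
        }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Time           = $ev.TimeCreated
            Computer       = $ev.MachineName
            Creator        = "$(Get-EventDataField $x 'SubjectDomainName')\$(Get-EventDataField $x 'SubjectUserName')"
            CreatorLogonId = $creatorLogonId
            CreatorHad4672 = $privLogons.ContainsKey($creatorLogonId)
            NewProcess     = Get-EventDataField $x 'NewProcessName'
            ParentProcess  = $parent
            CommandLine    = Get-EventDataField $x 'CommandLine'
            Reasons        = ($reasons -join '; ')
            RecordId       = $ev.RecordId
        }
    }
}

Find-SuspiciousSystemSpawn -Hours $LookbackHours -Computer $ComputerName | Format-Table -AutoSize -Wrap
```

The 4672 correlation only helps when a new logon session is involved; a process that simply swaps in a SYSTEM token generates no 4672 of its own, which is why the second heuristic looks at the parent's on-disk location instead. Expect some noise from installers and update agents that legitimately run from ProgramData; add those paths to an allow-list rather than removing the check.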
Assume the exploit will be weaponised quickly. Local privilege escalation to SYSTEM combined with a publicly available compiled executable is a dangerous combination. Prioritise containment measures on high-value targets: domain controllers, file servers, administrator workstations, and systems accessible to third-party contractors or vendors.
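Before acting on the "consider disabling the Cloud Filter driver" recommendation, a practitioner will want to know whether the minifilter is actually loaded and whether any sync client on the host depends on it. The script below is an added example, not part of the advisory or of Microsoft's tooling; it assumes the minifilter and its kernel-driver service are both registered under the name CldFlt (HKLM\SYSTEM\CurrentControlSet\Services\CldFlt), that cloud providers register their sync roots under the Explorer SyncRootManager key, and that OneDrive is the only sync client process name worth checking by default.

```powershell
# Added example (not from the advisory): report whether the Cloud Filter minifilter is loaded
# and whether anything on this host still relies on it, before deciding to disable it.
# Assumptions: service/filter name "CldFlt"; sync roots registered under SyncRootManager;
# process names of sync clients listed in $SyncClientNames (extend for other providers).
# Run from an elevated prompt: fltmc.exe requires administrator rights.

$SyncClientNames = @('OneDrive')
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CldFlt'
$SyncRootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'

function Get-CloudFilterState {
    # fltmc lists loaded minifilters one per line, name in the first column.
    $loaded = @((& fltmc.exe filters 2>$null) -match '^\s*CldFlt\b').Count -gt 0

    $svc = Get-Service -Name CldFlt -ErrorAction SilentlyContinue
    $serviceStatus = if ($svc) { $svc.Status.ToString() } else { 'not registered' }

    $startValue = (Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction SilentlyContinue).Start
    $startType = switch ($startValue) {
        0 { 'Boot' } 1 { 'System' } 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { 'unknown' }
    }

    # Running sync clients and registered sync roots are both blockers for disabling the driver.
    $clients = @(Get-Process -Name $SyncClientNames -ErrorAction SilentlyContinue | Select-Object -ExpandProperty ProcessName -Unique)
    $roots   = @(Get-ChildItem -Path $SyncRootKey -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        FilterLoaded        = $loaded
        ServiceStatus       = $serviceStatus
        StartType           = $startType
        SyncClientsRunning  = $clients
        RegisteredSyncRoots = $roots
        SafeToDisable       = ($clients.Count -eq 0) -and ($roots.Count -eq 0)
    }
}

$state = Get-CloudFilterState
$state | Format-List

# Disabling is a separate, deliberate step (not executed here): set the driver's start type to
# Disabled and reboot, e.g. "sc.exe config CldFlt start= disabled". Re-run this report afterwards
# to confirm FilterLoaded is False.
if (-not $state.SafeToDisable) {
    Write-Warning 'Cloud sync is in use on this host; disabling cldflt.sys will break placeholder files.'
}
```

SafeToDisable is a conservative signal, not proof: third-party providers that implement the Cloud Files API under another process name will show up only through their sync-root registration, so treat any non-empty RegisteredSyncRoots value as a blocker until the owning application has been identified.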
References
- Microsoft MSRC — CVE-2026-33825
- NVD — Original CVE-2020-17103
- Vulnerability Intelligence Report — June 5, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 5, 2026. For a comprehensive view of all active threats, refer to the full report.
