Windows CVE-2020-17103 Exploited: MiniPlasma Zero-Day Resurfaces for SYSTEM Access

The re-emergence of the MiniPlasma vulnerability, tracked as CVE-2020-17103, allows for SYSTEM-level privilege escalation on fully patched Windows 11, Windows Server 2022, and Windows Server 2025 operating systems. Security researcher Chaotic Eclipse claims this local privilege escalation (LPE) zero-day demonstrates that an issue supposedly patched in December 2020 was either improperly addressed or silently reverted, enabling standard users to gain complete administrative control. ThreatLocker confirmed the exploitation on the latest May 2026 updates.

What Happened

The MiniPlasma vulnerability, designated as CVE-2020-17103, is an actively exploited local privilege escalation (LPE) zero-day affecting fully patched Windows 11, Windows Server 2022, and Windows Server 2025 systems. This flaw represents a re-emergence of a vulnerability originally reported by Google Project Zero and reportedly patched by Microsoft in December 2020 (NVD). Security researchers known as Chaotic Eclipse (also identified as Nightmare-Eclipse) publicly disclosed the details of MiniPlasma and released a weaponized proof-of-concept (PoC). Chaotic Eclipse asserts that the original patch was ineffective or silently rolled back, claiming the original Google Project Zero PoC code still functions on current systems (SecurityWeek).

Chaotic Eclipse claims to have been releasing several Windows zero-day exploits since early April 2026, describing this activity as an escalating retaliatory campaign against Microsoft (SecurityWeek). MiniPlasma exploits CVE-2020-17103 through a flaw in the Windows Cloud Filter driver (cldflt.sys). The exploit manipulates registry keys through the undocumented CfAbortHydration API, allowing an attacker to create a key in the DEFAULT user hive without proper access checks, which leads directly to SYSTEM-level privilege escalation. ThreatLocker independently confirmed that the exploit achieves SYSTEM privileges on fully patched Windows 11 systems running the latest May 2026 updates (Barracuda Blog). Windows 10 does not appear to be affected.

Why It Matters

The re-emergence of CVE-2020-17103 as MiniPlasma on fully patched Windows 11 and Server systems calls Microsoft's patch validation process into question. An LPE gives an attacker complete administrative control, so any initial access, from phishing to drive-by downloads, can quickly escalate to full system compromise. This is a critical bypass of local endpoint security controls.

The Cloud Filter driver (cldflt.sys) is present by default on most Windows 11 installations due to its integration with OneDrive. This indicates a broad potential impact across organizations heavily using Windows 11. This high-severity flaw effectively nullifies basic user separation. The ongoing, self-described "retaliatory campaign" by Chaotic Eclipse means we can expect more such disclosures, putting continuous pressure on Microsoft and, by extension, every IT and security team running Windows.

Affected Scope & Remediation

The MiniPlasma vulnerability (CVE-2020-17103) affects all versions of Windows 11, Windows Server 2022, and Windows Server 2025 that include the latest May 2026 security updates. Windows 10, however, does not appear to be vulnerable to this specific exploit.

Currently, no official vendor patch is available for MiniPlasma. Microsoft is investigating the issue and is expected to release a fix on the next Patch Tuesday, scheduled for June 10, 2026 (Microsoft).

Until a patch is released, mitigation strategies are important. Immediately monitor networks for unusual activity, establish strong identity boundaries, and implement multi-factor authentication (MFA) across all accounts. For detection, ThreatLocker has provided coverage through a Community Policy, TL.REG.1747 – Mini Plasma Reg Key Created, specifically designed to detect the creation of the registry key used in the exploit (Barracuda Blog). Organizations should also ensure that their endpoint detection and response (EDR) solutions, such as CrowdStrike Falcon or SentinelOne, collect kernel-level telemetry so that privilege escalation attempts can be detected.

Product              Version Range                         Fixed Version
Windows 11           All versions up to May 2026 updates   TBD (expected June 2026)
Windows Server 2022  All versions up to May 2026 updates   TBD (expected June 2026)
Windows Server 2025  All versions up to May 2026 updates   TBD (expected June 2026)
[Chart: key metrics for the Windows MiniPlasma zero-day exploited on fully patched systems; data from the sources cited above]

Timeline:

  • Original Vulnerability Disclosure (Google Project Zero): Pre-December 2020
  • Original Patch Release: December 2020
  • Re-emergence & PoC Disclosure by Chaotic Eclipse: April 2026 onwards
  • Expected New Patch Release: June 10, 2026

Relevant Links:

  • NVD advisory — CVE-2020-17103

Technical Breakdown

The MiniPlasma exploit, using CVE-2020-17103, targets a flaw within the Windows Cloud Filter driver, cldflt.sys. This kernel driver, integral to functionalities like OneDrive's file hydration, exposes an undocumented API function named CfAbortHydration. The core of the vulnerability lies in how CfAbortHydration handles registry key manipulation. Under normal operation, this API should respect access control lists (ACLs) when interacting with registry hives. However, the exploit bypasses these checks.

An attacker can call CfAbortHydration to create a registry key directly within the DEFAULT user hive. This creation occurs without proper access validation. By manipulating the registry through this unchecked API call, a standard user can elevate their privileges to SYSTEM. This grants the attacker full control over the operating system, allowing them to execute arbitrary code with the highest possible privileges, and bypasses typical user-level restrictions as well as many endpoint security mechanisms that operate with less than SYSTEM privileges. The attack maps directly to MITRE ATT&CK technique T1068, Exploitation for Privilege Escalation, since it allows a low-privileged account to gain higher-level access through a system vulnerability. From a compliance standpoint, the persistence of this flaw highlights deficiencies in SI-2 (Flaw Remediation) and directly undermines AC-6 (Least Privilege), both NIST SP 800-53 controls, by allowing an unauthorized elevation to SYSTEM.
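The detection angle in the remediation section and the registry primitive described above, as an added defender-side example (not code from the article, ThreatLocker or Microsoft): a rule that flags registry key creations under the DEFAULT user hive from a non-SYSTEM user context, run over constructed Sysmon-style Event ID 12 records. The field names (EventType, TargetObject, User), the "HKU\.DEFAULT\" hive spelling and the allowlist are assumptions to verify against your own telemetry.

```python
# Added example: flag CreateKey events on the DEFAULT user hive that originate
# from a non-SYSTEM user context, the registry primitive the article attributes
# to MiniPlasma. Sysmon Event ID 12 field names and the "HKU\.DEFAULT\" hive
# spelling are assumptions; the sample records below are constructed, not captured.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DEFAULT_HIVE = "HKU\\.DEFAULT\\"
ALLOWED_USERS = {"NT AUTHORITY\\SYSTEM"}  # expected writers of the DEFAULT hive; extend after baselining

def parse_event(xml_text):
    """Flatten one Windows event XML record into {field: value}, including EventID."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.findall(".//e:EventData/e:Data", NS)}
    ev["EventID"] = root.findtext(".//e:System/e:EventID", default="", namespaces=NS)
    return ev

def is_suspicious(ev):
    """True for an Event ID 12 CreateKey on HKU\\.DEFAULT by a user outside the allowlist."""
    allowed = {u.upper() for u in ALLOWED_USERS}
    return (ev.get("EventID") == "12"
            and ev.get("EventType") == "CreateKey"
            and ev.get("TargetObject", "").upper().startswith(DEFAULT_HIVE.upper())
            and ev.get("User", "").upper() not in allowed)

def find_alerts(xml_events):
    """Return the parsed events that match the detection rule."""
    return [ev for ev in map(parse_event, xml_events) if is_suspicious(ev)]

def sample_event(event_type, target, user, image):
    """Constructed Sysmon-style record (sample data, not a real capture)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>12</EventID></System>
  <EventData><Data Name="EventType">{event_type}</Data><Data Name="Image">{image}</Data>
  <Data Name="TargetObject">{target}</Data><Data Name="User">{user}</Data></EventData>
</Event>"""

SAMPLE_EVENTS = [  # constructed: two benign writes, one suspicious creation, one deletion
    sample_event("CreateKey", r"HKU\.DEFAULT\Software\Example", r"NT AUTHORITY\SYSTEM",
                 r"C:\Windows\System32\svchost.exe"),
    sample_event("CreateKey", r"HKU\S-1-5-21-1-2-3-1001\Software\Example", r"WORKSTATION\alice",
                 r"C:\Windows\explorer.exe"),
    sample_event("CreateKey", r"HKU\.DEFAULT\Software\Example", r"WORKSTATION\alice",
                 r"C:\Users\alice\AppData\Local\Temp\tool.exe"),
    sample_event("DeleteKey", r"HKU\.DEFAULT\Software\Example", r"WORKSTATION\alice",
                 r"C:\Users\alice\AppData\Local\Temp\tool.exe"),
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print("ALERT: DEFAULT-hive key created by", ev["User"], "via", ev["Image"], "->", ev["TargetObject"])
```

Only the third sample record fires; tune ALLOWED_USERS from a baseline of legitimate DEFAULT-hive writers before deploying the rule as an alert.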

Historical Context

The re-emergence of MiniPlasma on fully patched systems recalls the complexities surrounding the PrintNightmare vulnerability (CVE-2021-34527) in 2021. Both involved critical flaws in Windows services that allowed for privilege escalation or remote code execution. PrintNightmare, affecting the Windows Print Spooler service, saw multiple patches released by Microsoft, some of which were incomplete or introduced new bypasses, forcing IT teams into a reactive patching cycle for months.

Similar to MiniPlasma, PrintNightmare demonstrated that a supposedly fixed vulnerability could persist, or that fixes could be easily circumvented, forcing administrators to repeatedly apply patches and workarounds. The key difference is that PrintNightmare was initially an RCE/LPE hybrid with a broader impact on many Windows versions, whereas MiniPlasma focuses on LPE through a specific driver, cldflt.sys, on newer Windows builds. Both incidents, however, underscored the challenge of thorough vulnerability remediation and the potential for "patch Tuesday" fixes to not fully resolve underlying architectural weaknesses.

Data at a Glance

Metric                                     Value                          Source
CVSS Score (Original CVE-2020-17103)       7.8                            NVD
Exploit Type                               LPE Zero-Day                   SecurityWeek
Affected OS (Major)                        Windows 11, Server 2022, 2025  Barracuda Blog
Days Since Original Patch to Re-Exploit    ~1947 days                     NVD, SecurityWeek
Expected Days Until New Patch              ~30 days                       Microsoft
Discovery Researcher                       Chaotic Eclipse                SecurityWeek

The CVEDaily Take

The return of CVE-2020-17103 as MiniPlasma exposes critical gaps in Microsoft's quality assurance for security fixes, particularly when a researcher's previous PoC remains viable years later. This isn't just a vulnerability; it's a testament to the persistent challenge of deep-seated architectural flaws. We believe Microsoft understates the impact when a "patched" vulnerability resurfaces, especially with an active "retaliatory campaign" from a researcher like Chaotic Eclipse. This incident demands a deeper look into their patch validation process. Are your incident response playbooks prepared for LPEs on systems you consider "fully patched"?

FAQ

Q1: Is MiniPlasma the same vulnerability as CVE-2020-17103?
A1: Yes, "MiniPlasma" is the name given to the actively exploited re-emergence of the vulnerability originally tracked as CVE-2020-17103. It's the same underlying flaw in the Cloud Filter driver.

Q2: What specific Windows versions are affected by the MiniPlasma zero-day?
A2: The MiniPlasma zero-day affects fully patched Windows 11, Windows Server 2022, and Windows Server 2025 operating systems. Windows 10 is not currently affected by this particular vulnerability.

Q3: What can security teams do to protect against MiniPlasma until an official patch is released?
A3: Until Microsoft releases a patch on June 10, 2026, focus on enhanced network monitoring, implementing strong identity boundaries, and ensuring multi-factor authentication (MFA) is pervasive. Additionally, consider deploying detection rules, such as ThreatLocker's Community Policy TL.REG.1747, to identify the creation of the exploit's associated registry key.