HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

MiniPlasma Zero-Day (CVE‑2020‑17103) Enables SYSTEM Privilege Escalation on Patched Windows 11

A previously reported Windows privilege‑escalation bug (CVE‑2020‑17103) remains exploitable on fully patched Windows 10 and Windows 11 machines. Public PoC demonstrates reliable SYSTEM‑level code execution, posing a high‑severity supply‑chain risk for any organization that relies on Windows OS.

LiveThreat™ Intelligence · 📅 May 18, 2026· 📰 securityaffairs.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

MiniPlasma Zero-Day (CVE‑2020‑17103) Enables SYSTEM Privilege Escalation on Patched Windows 11

What It Is – A privilege‑escalation vulnerability in the Windows Cloud Files mini‑filter driver (cldflt.sys). Originally reported as CVE‑2020‑17103, the flaw was thought to be patched in 2020 but remains exploitable on fully updated Windows 10/11 systems.

Exploitability – Public proof‑of‑concept (PoC) released by researcher Chaotic Eclipse and independently verified by Will Dormann. The PoC reliably spawns a SYSTEM‑level shell; success varies due to a race condition but works across test environments. No known mitigations in current Microsoft patches.

Affected Products – Microsoft Windows 10, Windows 11 (all editions) – any version that includes the cldflt.sys driver, regardless of installed security updates as of May 2026.

TPRM Impact

  • Any third‑party that relies on Windows as its primary OS (SaaS platforms, MSPs, cloud‑hosted workloads) inherits the risk of a local attacker gaining full system control.
  • Potential for supply‑chain compromise if attackers embed malicious code in trusted Windows binaries used by vendors.
  • Increases the attack surface for privileged‑access abuse, threatening confidentiality, integrity, and availability of downstream services.

Recommended Actions

  • Immediate mitigation: Deploy Microsoft’s latest cumulative updates and verify that the cldflt.sys version includes any post‑May 2026 hotfixes.
  • Endpoint hardening: Enable Windows Defender Exploit Guard, Credential Guard, and Application Control policies to block unauthorized driver loading.
  • Monitoring: Add alerts for creation of cmd.exe processes with SID S‑1‑5‑18 (SYSTEM) from non‑admin contexts.
  • Risk assessment: Review all third‑party contracts that mandate Windows‑based environments; require vendors to provide proof of remediation or compensating controls.
  • Incident response: If SYSTEM shells are observed, isolate the host, collect volatile memory, and follow your breach‑response playbook.

Source: SecurityAffairs – Chaotic Eclipse discloses MiniPlasma zero‑day

📰 Original Source
https://securityaffairs.com/192325/hacking/chaotic-eclipse-discloses-miniplasma-zero-day-suggesting-a-missing-or-undone-2020-windows-security-fix.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

Monitor Your Vendor Risk with LiveThreat™

Get automated breach alerts, security scorecards, and intelligence briefs when your vendors are compromised.

Start Free Trial → Learn About Scorecards
← All Intelligence Briefs Breach Watch Feed →