A newly discovered Windows zero-day vulnerability, named ‘MiniPlasma’, poses a significant threat by granting SYSTEM-level access on fully updated Windows systems. This security flaw has surfaced with a public exploit, drawing considerable attention from the cybersecurity community.
Discovery and Release of MiniPlasma Exploit
The exploit was made public by security researcher Nightmare-Eclipse on GitHub on May 13, 2026. The researcher claims that Microsoft either overlooked or reversed a previous fix for a vulnerability initially identified six years prior. The issue targets the Cloud Filter driver’s HsmOsBlockPlaceholderAccess function, originally reported by Google Project Zero’s James Forshaw in September 2020.
Microsoft had assigned CVE-2020-17103 to the flaw, with a supposed fix implemented during the December 2020 Patch Tuesday updates. Despite this, the flaw remains exploitable, as demonstrated by the unmodified proof-of-concept code, leaving systems vulnerable until at least the next scheduled patch release.
Technical Details of the MiniPlasma Vulnerability
The vulnerability allows arbitrary registry key creation in the .DEFAULT user hive without proper access checks. According to Google Project Zero, this occurs due to the HsmOsBlockPlaceholderAccess function’s failure to implement the OBJ_FORCE_ACCESS_CHECK flag, enabling attackers to bypass standard access controls.
The exploit leverages a race condition, alternating between user and anonymous tokens, to manipulate the RtlOpenCurrentUser function in the kernel. Successful execution results in unauthorized registry key creation within the .DEFAULT hive, granting SYSTEM-level privileges to attackers.
Impact and Response to the MiniPlasma Threat
Nightmare-Eclipse’s proof-of-concept highlights the ease with which the exploit can be executed on multi-core systems, effectively granting SYSTEM access from standard user accounts. The Cloud Filter driver, integral to services like OneDrive, means the vulnerability impacts a wide range of Windows installations, presenting a significant risk to enterprises and cloud environments.
Organizations are advised to closely monitor Microsoft’s security updates and prepare to implement patches promptly once available. With the exploit code publicly accessible, the urgency to mitigate potential attacks is heightened.
Stay updated with the latest security developments by following us on Google News, LinkedIn, and X. Ensuring your systems are protected against emerging threats like MiniPlasma is crucial in maintaining robust cybersecurity defenses.
