Windows Zero-Day ‘MiniPlasma’ Enables SYSTEM Privileges On Fully Patched PCs
A newly disclosed Windows zero-day, dubbed MiniPlasma, exploits a flaw in cldflt.sys to grant SYSTEM-level privileges. Proof-of-concept code reportedly works reliably on fully patched Windows 11 systems with May 2026 updates, according to information circulating by 05:01 UTC on 18 May.
Key Takeaways
- As of 05:01 UTC on 18 May, security researchers disclosed a Windows privilege escalation zero-day called MiniPlasma, targeting the cldflt.sys driver.
- The exploit can grant SYSTEM privileges on fully patched Windows 11 machines with May 2026 updates, bypassing current security baselines.
- A proof-of-concept appears to work reliably in the wild, though the latest Insider Preview Canary build is reportedly unaffected.
- The vulnerability poses immediate risks for organizations, as it enables rapid elevation from any foothold to full system compromise.
Information emerging by around 05:01 UTC on 18 May detailed a significant new Windows security vulnerability, dubbed MiniPlasma, which exploits a flaw in the cldflt.sys system driver. The vulnerability enables local privilege escalation, allowing an attacker who has already gained some level of access to a machine to escalate to SYSTEM privileges—the highest level of control within Windows.
The disclosure indicates that the MiniPlasma exploit works on fully patched Windows 11 systems running the May 2026 security updates, highlighting a gap in Microsoft’s current mitigation landscape. Notably, reports suggest that the latest Insider Preview Canary build is not affected, implying that an internal fix may exist but has not yet been rolled out to production channels.
Technical details, while still emerging, point to a vulnerability in how the cldflt.sys driver—associated with cloud file system filtering—handles certain operations or memory states. By carefully crafting calls to the driver, an attacker can manipulate kernel-level behavior in a way that grants elevated rights. A publicly available proof-of-concept (PoC) exploit has been demonstrated to achieve reliable SYSTEM-level access under common configurations.
The most important actors in this space are enterprise defenders, Microsoft’s security and engineering teams, and potential threat actors ranging from criminal groups to state-linked operators. For adversaries, MiniPlasma represents a powerful post‑exploitation tool: once an initial foothold is established via phishing, web exploits, or insider compromise, this vulnerability can be used to take complete control of targeted endpoints, disable security tools, harvest credentials, and pivot across networks.
The vulnerability’s significance stems not from remote code execution per se—an attacker still needs some form of local access—but from its potential to turn minor breaches into full‑scale compromises. In modern enterprise environments, where endpoint isolation and least‑privilege principles are meant to limit blast radius, a reliable privilege escalation zero-day undermines those defenses and accelerates lateral movement.
Sectors with high-value data and complex Windows deployments—financial services, healthcare, government, defense, critical infrastructure and technology firms—are particularly at risk. Many organizations rely heavily on Windows 11 with current updates, assuming that staying fully patched significantly reduces exposure to known privilege escalation pathways. MiniPlasma temporarily breaks that assumption until a patch can be deployed.
Given the public nature of the PoC and the relative ease of integrating privilege escalation into existing malware frameworks, there is a high likelihood that both ransomware operators and more sophisticated intrusion sets will incorporate MiniPlasma into their toolchains in the near term. This elevates the threat level for routine intrusions, which could become far more damaging if attackers exploit the vulnerability quickly after initial entry.
Outlook & Way Forward
In the immediate term, organizations should assume that MiniPlasma will see rapid weaponization by a broad spectrum of threat actors. While waiting for an official patch, defenders should focus on hardening measures that reduce the impact of local privilege escalation: enforcing strong application control (e.g., allow‑listing), restricting who can execute untrusted code, and tightening monitoring around processes that interact with system drivers and privilege-sensitive operations.
Microsoft is expected to prioritize a fix, likely via an out‑of‑band or next scheduled security update. Security teams should watch for official advisories and be prepared to test and deploy patches rapidly across Windows 11 fleets, including virtualized and cloud-hosted instances. In parallel, network detection and response mechanisms should be tuned to flag unusual privilege changes, token manipulation and attempts to disable endpoint security tools—common behaviors following successful escalation.
Over the longer term, MiniPlasma underscores the need for layered security architectures that do not rely solely on patch status for protection. Zero-day privilege escalation flaws are a persistent reality, and organizations must invest in behavioral analytics, robust segmentation, and incident response readiness to contain breaches before they reach domain-wide compromise. Strategic attention should also be given to reducing the attack surface of rarely scrutinized kernel drivers like cldflt.sys, including through driver minimization, sandboxing where feasible, and close tracking of emerging exploit techniques in the Windows kernel ecosystem.
Sources
- OSINT