A working exploit for a brand-new Windows zero-day called MiniPlasma is now circulating publicly, and it lets an attacker who already has basic access to your PC jump straight to SYSTEM — the highest level of control in Windows. The bug affects fully patched Windows 11 machines running the May 2026 updates, and Microsoft has not yet released a fix. The next scheduled Patch Tuesday is June 10, 2026.
What MiniPlasma actually does
A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed "MiniPlasma" that lets attackers gain SYSTEM privileges on fully patched Windows systems. The exploit was published by a researcher known as Chaotic Eclipse, or Nightmare Eclipse, who released both the source code and a compiled executable on GitHub after claiming that Microsoft failed to properly patch a previously reported 2020 vulnerability.
The weakness lives deep inside Windows itself. According to the researcher, the flaw impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. That driver is what Windows uses to handle OneDrive and other cloud-synced files, which means the vulnerable component is present on essentially every modern Windows PC.
MiniPlasma works as a standard user and ThreatLocker has confirmed that it can elevate privileges to SYSTEM on fully patched Windows 11 systems running the latest May 2026 updates. There is no official patch. When asked by SecurityWeek, a Microsoft spokesperson said, "Microsoft is investigating this report and will take appropriate action to protect customers as soon as possible." The next Patch Tuesday is June 10, 2026.
Why this matters for everyday PC owners
SYSTEM is the most powerful account on a Windows PC — more powerful than the administrator. An attacker who reaches SYSTEM can disable antivirus, install rootkits, read any file, and persist on the machine even after a reboot or password change. That makes MiniPlasma a perfect second-stage tool: malware that sneaks in through a phishing email or malicious download can use this exploit to dig in deep and become very hard to remove without professional malware and rootkit cleanup.
The pattern around this researcher's recent work is the worrying part. Within days of the public release of the researcher's three earlier tools (BlueHammer, RedSun and UnDefend), Huntress researchers observed real-world exploitation of all three. Attackers began using BlueHammer on April 10, then moved to the proof-of-concept code for RedSun and UnDefend on April 16, following the publicly available exploit code with a precision that left little doubt about where the attack playbook had come from. In plain English: every time this researcher posts code, criminals start using it within days.
What you can actually do right now
Because there is no patch, the only real defenses are the boring basics — done well:
- Don't run as administrator for daily use. MiniPlasma still requires an attacker to first land code on your machine as a regular user.
- Keep Windows Update on and install the June 10 Patch Tuesday updates the day they arrive.
- Be extra cautious with email attachments, cracked software, and "free" downloads through the next two weeks.
- If your PC starts behaving strangely — antivirus turning itself off, new user accounts appearing, settings reverting, or unfamiliar processes running — assume infection and stop using the machine for banking or email until it's checked. A clean diagnostic at a local PC repair shop is far cheaper than recovering from a full compromise.
If the worst happens and files get encrypted or deleted, don't reformat the drive. Pull it and take it in — in many cases a clean image of the drive can be made first so lost files can be recovered before any cleanup is attempted.
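Several of the warning signs in the list above (daily account running as administrator, antivirus switched off, unexpected new accounts) can be checked without changing anything on the PC. The PowerShell below is an added example, not from the sources or from any vendor; the 14-day look-back window and the variable names are assumptions.

```powershell
# Added example: read-only triage of the warning signs listed above.
# Changes nothing on the machine. Windows PowerShell 5.1+, Windows 10/11.
$since = (Get-Date).AddDays(-14)   # assumed look-back window

# 1. Is the signed-in account a direct member of local Administrators (S-1-5-32-544)?
#    Direct membership only; nested domain groups are not expanded.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
try {
    $admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    $isAdmin = [bool]($admins | Where-Object { $_.SID.Value -eq $me.User.Value })
} catch { $isAdmin = $null }       # lookup failed, e.g. orphaned SIDs in the group

# 2. Microsoft Defender state. With third-party antivirus installed, Defender
#    may legitimately report real-time protection as off.
try {
    $defender = Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
} catch { $defender = $null }      # Defender module or service not available

# 3. Enabled local accounts whose password was set inside the window.
#    Heuristic: a newly created account normally shows a recent PasswordLastSet,
#    but so does an ordinary password change.
$recentAccounts = Get-LocalUser |
    Where-Object { $_.Enabled -and $_.PasswordLastSet -gt $since } |
    Select-Object Name, PasswordLastSet, LastLogon

# 4. Account-creation events (Security log, event ID 4720). Reading this log
#    needs an elevated prompt; the list stays empty if there are no such
#    events or the log cannot be read.
$created = @()
try {
    $filter  = @{ LogName = 'Security'; Id = 4720; StartTime = $since }
    $created = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch { }

[pscustomobject]@{
    CurrentUser          = $me.Name
    DailyAccountIsAdmin  = $isAdmin
    Defender             = $defender
    RecentLocalAccounts  = $recentAccounts
    AccountCreatedEvents = $created | Select-Object TimeCreated, Message
} | Format-List
```

A result of `DailyAccountIsAdmin : True`, Defender protection reported off with no other antivirus installed, or an account you do not recognise is a reason to have the machine checked, not proof of compromise.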
The bigger picture
MiniPlasma is the latest in a streak of Windows flaws disclosed publicly with working exploit code before Microsoft has a fix ready. The disclosure spree began in April with BlueHammer, a Windows local privilege escalation flaw tracked as CVE-2026-33825, followed by another privilege escalation vulnerability, RedSun, and a Windows Defender DoS tool, UnDefend. After their disclosure, all three vulnerabilities were spotted being exploited in attacks. According to the researcher, Microsoft silently patched the RedSun issue without assigning it a CVE identifier. This month, the researcher also released two additional exploits named YellowKey and GreenPlasma.
For home users and small businesses, the takeaway isn't to panic — it's to recognize that the gap between "researcher posts exploit" and "criminals weaponize it" is now days, not months. Layered defense (a standard user account, a real backup, and quick patching) matters more than ever.
What This Means for York, PA
York-area home users and small businesses don't need to do anything exotic — just keep Windows Update turned on, avoid running daily tasks as an administrator, and watch for the June 10 patch. If your York or Dover-area PC starts acting strangely before then, bring it into our shop at 2069 Carlisle Rd for a diagnostic before it gets worse.
Sources
- New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released — BleepingComputer
- MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems — The Hacker News
- MiniPlasma: Windows privilege escalation zero-day affects fully patched systems — ThreatLocker
- Chaotic Eclipse discloses MiniPlasma zero-day — Security Affairs