
Windows MiniPlasma exploit gives SYSTEM access as PoC goes public
A Windows proof of concept dubbed MiniPlasma has put enterprise defenders on alert after researchers said the privilege-escalation bug could still reach SYSTEM on patched machines.

A cybersecurity researcher has published proof-of-concept code for a Windows privilege-escalation flaw dubbed MiniPlasma. The exploit offers a route to SYSTEM-level access and, according to the author, still works on fully patched Windows machines. BleepingComputer reported the disclosure on Sunday.
For Australian enterprises and government agencies, most of which standardise on Microsoft endpoints, a public privilege-escalation PoC that reaches SYSTEM turns a research artefact into an operational problem within hours. There is no evidence of active exploitation.
But the code is public. That alone gives blue teams a new item for their Monday triage: check endpoint telemetry, verify patch status and watch for whatever vendor guidance follows.
The PoC targets Windows’ Cloud Filter driver, cldflt.sys, and traces back to CVE-2020-17103, which Microsoft said it fixed in December 2020. James Forshaw of Google Project Zero documented the mini-filter driver bug chain in early 2021. MiniPlasma’s importance is narrower than some early headlines suggested: it does not introduce a new vulnerability class. It tests whether the old one was ever properly closed.
In the GitHub repository for MiniPlasma, researcher Nightmare Eclipse wrote: “I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back.” The same repository notes that the “original PoC by Google worked without any changes” and claims the exploit may affect all Windows versions. Those claims need independent confirmation. Defenders should not assume they are accurate, but nor should they wait for a Microsoft statement before beginning their own assessment.
Why defenders will be watching
Seven years on, a working PoC changes the risk calculation. Privilege-escalation flaws are most useful to an attacker who already has some foothold. SYSTEM rights make containment harder and can open a machine to deeper control. For large Windows estates, even a narrow exploit window can create outsized clean-up costs. That is the calculation security teams are making now.
Australian organisations with managed device fleets face an immediate set of decisions: lab testing, change windows, endpoint visibility. MSPs and government contractors that inherit Microsoft-heavy estates are in the same position. The task is not to assume compromise. It is to shrink the gap between public research and internal validation while the code is available to both defenders and opportunistic attackers.
The source material published Sunday did not point to a fresh Microsoft patch tied specifically to MiniPlasma. The disclosure chain circles back to the 2020 advisory and Forshaw’s Project Zero analysis. For CISOs and security operations teams, the immediate job is validation: reproduce the reported behaviour on current builds in a lab, watch for any updated Microsoft guidance, and tune detection around unusual Cloud Filter driver activity and follow-on privilege changes.
MiniPlasma fits a pattern Australian defenders have seen before. Older Windows bug classes return to prominence once a new proof of concept lowers the effort required to test them at scale. Whether Microsoft frames this as an unpatched issue, an incomplete earlier fix or a recycled research technique, the question stays the same: how quickly can organisations determine exposure across managed fleets before opportunistic attackers do?
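One way to start the fleet-wide exposure check described above is an inventory of the facts that matter for cldflt.sys on each host. The script below is an added example, not code from the article, Microsoft or the MiniPlasma repository; it assumes the default driver location under %SystemRoot% and that fltmc.exe is available on the host.

```powershell
# Added triage script: gathers the per-host facts a defender needs to scope
# exposure to the reported cldflt.sys issue (OS build, driver file version,
# whether the CldFlt mini-filter is loaded, recent updates). The article gives
# no "fixed" version, so the script reports rather than judges. Run elevated;
# fan out with Invoke-Command to cover a managed fleet.

# Assumption: the Cloud Filter driver lives at the default path.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'

$os     = Get-CimInstance Win32_OperatingSystem
$driver = Get-Item -LiteralPath $driverPath -ErrorAction SilentlyContinue

# fltmc lists loaded mini-filters; CldFlt is the Cloud Filter driver's filter name.
# It needs elevation, so a failure is recorded as Unknown rather than assumed.
$filterState = 'Unknown'
try {
    $fltOutput = & fltmc.exe filters 2>$null
    if ($LASTEXITCODE -eq 0) {
        $filterState = if ($fltOutput -match '^\s*CldFlt\b') { 'Loaded' } else { 'NotLoaded' }
    }
} catch { }

# Most recent installed updates, for correlation with any guidance Microsoft issues.
$recentUpdates = Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 |
    ForEach-Object { "$($_.HotFixID) $($_.InstalledOn)" }

# One record per host; pipe to Export-Csv when collecting across the estate.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    OSCaption         = $os.Caption
    OSBuild           = $os.BuildNumber
    DriverPresent     = [bool]$driver
    DriverFileVersion = if ($driver) { $driver.VersionInfo.FileVersion } else { $null }
    DriverModified    = if ($driver) { $driver.LastWriteTime } else { $null }
    CldFltFilterState = $filterState
    RecentUpdates     = ($recentUpdates -join '; ')
}
```

Compare the collected DriverFileVersion and OSBuild values against whatever Microsoft publishes for this issue; until then the output is a baseline for spotting outliers and for confirming lab results against production builds.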
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.

