A ghost from Patch Tuesdays past has returned to haunt Microsoft. A security researcher operating under the pseudonyms “Nightmare-Eclipse” and “Chaotic Eclipse” has published a new local privilege escalation exploit on GitHub dubbed “MiniPlasma.” This isn’t a newly discovered flaw. It is a supposedly patched vulnerability from six years ago that currently grants attackers a direct path to a SYSTEM shell on fully updated Windows 11 and Server 2025 machines.
While investigating techniques used in a previous exploit known as “GreenPlasma,” Nightmare-Eclipse took a closer look at a routine called cldflt!HsmOsBlockPlaceholderAccess within the Windows Cloud Files Mini Filter Driver.
To their surprise, the routine was still vulnerable to the exact same issue discovered six years ago by James Forshaw of Google Project Zero. Microsoft supposedly fixed the flaw, tracking it as CVE-2020-17103, an Elevation of Privilege Vulnerability with a CVSS score of 7.0. However, after a tip from a fellow researcher, Nightmare-Eclipse found that the original Project Zero Proof-of-Concept (PoC) still worked straight out of the box.
“I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons,” the researcher wrote on their GitHub repository.
To demonstrate the severity of the regression, Nightmare-Eclipse weaponized the original Google PoC. By exploiting the underlying race condition, the modified MiniPlasma exploit reliably spawns a shell running as SYSTEM.
While race condition exploits can sometimes suffer from inconsistent success rates depending on CPU timing, the researcher confirmed that the new PoC works flawlessly against fully patched instances of Windows 11 and Windows Server 2025. Furthermore, Nightmare-Eclipse believes that all current Windows versions are likely affected by this resurrected vulnerability.
This latest release is par for the course for Chaotic Eclipse, a researcher who has built a notorious reputation for bypassing coordinated vulnerability disclosure. Reportedly frustrated by interactions with the Microsoft Security Response Center (MSRC), the researcher has spent the better part of 2026 dropping unpatched zero-days directly to the public.
MiniPlasma joins a rapidly growing arsenal of publicly disclosed exploits linked to this researcher, including:
- BlueHammer: A clever race-condition zero-day abusing Windows Defender’s update workflow to access sensitive registry hives and steal NTLM hashes.
- RedSun: Another Defender-adjacent flaw that redirects file rewrites to execute attacker binaries with SYSTEM privileges.
- YellowKey: A highly publicized BitLocker bypass triggered via a USB drive in the Windows Recovery Environment (WinRE).
- GreenPlasma: A local privilege escalation vulnerability targeting the Windows CTFMON subsystem.