Security researcher Chaotic Eclipse has introduced a new Windows exploit known as MiniPlasma, claiming that even patched versions of Windows could be vulnerable to a privilege escalation from standard user accounts to SYSTEM level access. This proof-of-concept exploit is linked to CVE-2020-17103, a flaw in the Windows Cloud Filter driver that Microsoft addressed back in December 2020. The current concern is not merely about unpatched systems being at risk; rather, it raises the possibility that fully updated Windows 11 machines might still be susceptible to this exploit.
If Chaotic Eclipse’s assertions hold true, the implications are significant. Local privilege escalation allows individuals with limited access to a device to gain SYSTEM rights, thereby granting them complete control over that machine. A recent test reportedly demonstrated this exploit on a patched Windows 11 Pro system, successfully reaching a SYSTEM command prompt from a standard user account. Given that SYSTEM represents the highest local privilege level in Windows, a successful exploit could transform limited access into total control.
The 2020 Fix Record Behind MiniPlasma
The origins of this issue trace back to September 2020 when James Forshaw reported the vulnerability to Microsoft, leading to its designation as CVE-2020-17103. Microsoft subsequently documented this flaw and included a fix in their December 2020 update. MiniPlasma raises questions about the effectiveness of that fix, as it suggests that patched Windows 11 systems may still be able to exploit the same vulnerability associated with the earlier Cloud Filter driver flaw.
For administrators, the stakes are high. Many rely on fully updated laptops, workstations, and virtual desktops as reference images for policy checks and access-control reviews. The emergence of a proof-of-concept that appears to function post-patching compels defenders to evaluate whether the original repair truly sealed off the vulnerability or if subsequent updates inadvertently reopened it.
“After investigating, it turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched.”
Chaotic Eclipse, Security researcher
The exploit reportedly involves an undocumented registry-key path within the .DEFAULT user hive. This framing raises the possibility that Microsoft’s 2020 fix may not have fully resolved the issue, or that later changes in Windows could have reintroduced the vulnerability. Chaotic Eclipse has suggested this rollback possibility, although it remains an assertion rather than a confirmed diagnosis from Microsoft.
What the Canary Result Changes
In a recent development, a potential discrepancy between public and Canary builds has emerged, as noted in Will Dormann’s testing observations. The exploit appears to work on the latest public Windows 11 build but not on the latest Insider Preview Canary build. Canary builds serve as Microsoft’s pre-release testing branch, indicating that this mismatch could signify differing behaviors between the two versions without confirming a fix for the general user base.
For enterprises that rely on shared Windows 11 baselines, it is crucial to obtain clarification from Microsoft regarding whether the public branch, the pre-release branch, or both accurately reflect the status of the original fix. Notably, Microsoft’s April 2026 Patch Tuesday updates included another entry related to the Windows Cloud Files Mini Filter Driver elevation-of-privilege issue, keeping this component family relevant while not directly validating the MiniPlasma exploit.
As the situation evolves, defenders are advised to monitor the Microsoft CVE-2020-17103 record for further clarification, using the December 2020 fix as a benchmark against which MiniPlasma now challenges. Until Microsoft provides an explanation, the pressing question remains whether MiniPlasma reveals a lingering vulnerability in current Windows 11 systems or if it is a condition specific to certain branches that requires independent verification.
