MiniPlasma Windows 0-Day Grants SYSTEM Privileges on Patched Systems

A new Windows privilege escalation zero-day, codenamed MiniPlasma, has been disclosed by security researcher Chaotic Eclipse. The Hacker News reports that this vulnerability allows attackers to gain SYSTEM privileges on fully patched Windows systems. Chaotic Eclipse is also credited with discovering the YellowKey and GreenPlasma Windows flaws.

The MiniPlasma vulnerability specifically affects `cldflt.sys`, the Windows Cloud Files Mini Filter Driver. Because Chaotic Eclipse has released a proof-of-concept (PoC), the flaw is highly likely to be exploited in the wild and poses an immediate threat to Windows environments.

This isn’t just another bug; it’s a direct path to SYSTEM. The attacker’s calculus here is simple: if they can get initial access, this PoC gives them full control. For defenders, this means any foothold on a Windows machine could escalate quickly into a total compromise. Patching isn’t enough when a zero-day is actively exploited with a public PoC.

What This Means For You

  • If your organization relies on Windows systems, especially those with cloud file synchronization enabled, assume this vulnerability is exploitable. Prioritize reviewing your EDR/XDR logs for any suspicious activity related to `cldflt.sys` or unexpected privilege escalation attempts. While a patch isn't available yet, focus on limiting initial access vectors and enhancing behavioral detection for post-exploitation lateral movement.
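As an added defender's scoping check (this script is not from the article or from Chaotic Eclipse), the PowerShell function below records whether the Cloud Files minifilter is loaded on a host, the file version and SHA-256 of `cldflt.sys`, and how many sync roots are registered, so that log review can be prioritised on machines that actually use cloud file synchronisation. The filter name `CldFlt` and the `SyncRootManager` registry path are assumptions for a default Windows install.

```powershell
# Added example: scope exposure to the cldflt.sys minifilter across hosts.
# Assumptions: the loaded filter is listed by fltmc as "CldFlt", and sync roots
# (OneDrive and similar) register under the SyncRootManager key shown below.
function Get-CldFltExposure {
    [CmdletBinding()]
    param()

    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $result = [ordered]@{
        ComputerName  = $env:COMPUTERNAME
        DriverPresent = Test-Path $driverPath
        DriverVersion = $null
        DriverSha256  = $null
        FilterLoaded  = $false
        SyncRootCount = 0
    }

    # Version and hash give a fleet-wide baseline to compare against once a fix ships.
    if ($result.DriverPresent) {
        $result.DriverVersion = (Get-Item $driverPath).VersionInfo.FileVersion
        $result.DriverSha256  = (Get-FileHash -Path $driverPath -Algorithm SHA256).Hash
    }

    # fltmc requires an elevated prompt; it prints one loaded filter per line.
    $fltmc = & fltmc.exe filters 2>$null
    if ($LASTEXITCODE -eq 0) {
        $result.FilterLoaded = [bool]($fltmc | Where-Object { $_ -match '^\s*CldFlt\b' })
    }

    # Count registered sync roots; a host with none is a lower-priority review target.
    $syncRootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
    if (Test-Path $syncRootKey) {
        $result.SyncRootCount = (Get-ChildItem $syncRootKey -ErrorAction SilentlyContinue).Count
    }

    [pscustomobject]$result
}

# Run locally; fan out with Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-CldFltExposure}
Get-CldFltExposure | Format-List
```

Feed the resulting objects into your inventory or SIEM so hosts with the filter loaded and sync roots present get first pass in the EDR/XDR review.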

Related ATT&CK Techniques and Detection Rules

  • T1068 (Privilege Escalation), severity critical: "Privilege Escalation via MiniPlasma cldflt.sys Driver". Provided as a Sigma rule (source: Shimi's Cyber World) and convertible to Splunk SPL, Sentinel KQL, Elastic, QRadar AQL and Wazuh formats.

Indicators of Compromise

  • ID: MiniPlasma · Type: Privilege Escalation · Indicator: Windows Cloud Files Mini Filter Driver (cldflt.sys)
  • ID: MiniPlasma · Type: Privilege Escalation · Indicator: Windows operating systems (fully patched)