CyberBytes Daily

Trending cyberattacks, explained simply.

critical vulnerability

How a 'patched' Windows driver flaw from 2020 came back as a working exploit on fully patched systems in 2026

Microsoft patched a Windows kernel vulnerability in December 2020. Researchers marked it fixed. The security community moved on. Then, in May 2026, a researcher ran the original, unmodified proof-of-concept code on a fully patched Windows 11 machine and watched it open a SYSTEM-level command prompt. Nothing had changed in the exploit. Something had changed in Windows.

The vulnerability lives inside cldflt.sys, the driver that powers OneDrive's Files On-Demand feature. That driver is loaded by default on most Windows 11 installations, whether or not the user has ever opened OneDrive. The exploit requires no special access, no memory corruption, and no code injection. A standard user account is enough. Within seconds, the attacker has the highest privilege level the operating system can grant.

The detail that should concern every security team: the researcher who published this exploit timed the release to the day after Microsoft's May 2026 Patch Tuesday, deliberately guaranteeing a four-week window before any scheduled fix could arrive. Following the standard advice to "keep your systems patched" leaves every organization exposed until at least June 9, 2026, the next Patch Tuesday, unless Microsoft ships an out-of-band update. Three prior exploits from the same researcher were confirmed in real-world attacks within days of their public release.

Narrative · 7 min read

The Context

Windows 11 crossed one billion users in January 2026. The operating system ships with OneDrive's Files On-Demand feature built in, which means the driver that powers it, cldflt.sys, is loaded on most Windows 11 machines by default. Enterprise images load it whether or not anyone has configured OneDrive. The driver runs in kernel mode, the most privileged layer of the operating system, where it manages the handoff between local file access and cloud-backed storage.

Kernel drivers are high-value targets precisely because a flaw in one can hand an attacker the keys to the entire machine. Microsoft has patched at least six separate vulnerabilities in cldflt.sys since 2020, including one, CVE-2025-62221, that was actively exploited by advanced attackers and added to CISA's Known Exploited Vulnerabilities catalog in December 2025. MiniPlasma is the latest chapter in that history, and the most embarrassing one.

The Attack, Phase by Phase

Phase 1: The Original Discovery and the Incomplete Fix (September to December 2020)

In September 2020, Google Project Zero researcher James Forshaw reported a race condition in cldflt.sys to Microsoft. The flaw, assigned CVE-2020-17103, sat inside a routine called HsmOsBlockPlaceholderAccess, which controls access to OneDrive placeholder files. Microsoft patched it in December 2020 as part of a bundle of four minifilter driver fixes.

The patch closed one specific path into the vulnerable routine. It did not fix the underlying behavior of HsmOsBlockPlaceholderAccess itself. That distinction would matter five years later.

Timeline: 2020, discovery and incomplete patch
  1. Forshaw finds race condition: reports cldflt.sys flaw to Microsoft
  2. CVE-2020-17103 assigned: CVSS 7.8 (NIST), 7.0 (Microsoft)
  3. Patch ships December 2020: closes one entry path into routine
  4. Root cause left unaddressed: HsmOsBlockPlaceholderAccess unchanged
The fix was marked complete. The underlying vulnerability was not.

Phase 2: The Regression and Re-Discovery (2021 to May 2026)

Over the next five years, Microsoft shipped at least six more patches for cldflt.sys. At some point during those updates, the 2020 fix regressed. Whether it was silently rolled back, overwritten by a subsequent patch, or simply never applied to a new code path is not publicly known. Microsoft has not explained it.

In early 2026, a researcher operating under the name Chaotic Eclipse was investigating a related technique called GreenPlasma. A colleague flagged that HsmOsBlockPlaceholderAccess might still be vulnerable. Testing confirmed it: the original 2020 proof-of-concept code ran without a single modification on a fully patched Windows 11 system.

Timeline: 2021 to 2026, silent regression
  1. Six more cldflt.sys patches: driver updated repeatedly 2021-2025
  2. 2020 fix regresses silently: root cause re-exposed in updated driver
  3. CVE-2025-62221 exploited in the wild: APT actors target same driver, Dec 2025
  4. Chaotic Eclipse re-tests 2020 PoC: original exploit runs unmodified on Win 11
No regression testing caught the reintroduction of a known critical flaw.

Phase 3: Strategic Public Disclosure and Weaponization (May 13, 2026)

Chaotic Eclipse released MiniPlasma on GitHub on May 13, 2026, one day after Microsoft's May Patch Tuesday. The timing was deliberate: by releasing the day after a patch cycle closes, the researcher guaranteed that no official fix would arrive for at least four weeks. The release included both source code and a compiled executable ready to run.

The exploit abuses an undocumented internal Windows API called CfAbortHydration to trigger the vulnerable code path in cldflt.sys. It then races two competing operations against each other: one using a normal user token, one using an anonymous token. When the race is won, the kernel opens the .DEFAULT registry hive with write access the earlier check never authorized, because the check ran under one token and the open under the other. The attacker can now write to a registry location that privileged system processes will later read, planting a command that executes as SYSTEM.

BleepingComputer independently confirmed the exploit produced a SYSTEM shell on a fully patched Windows 11 Pro machine. Will Dormann, principal vulnerability analyst at Tharros, confirmed the same result on Windows 11 build 26H1 with May 2026 updates applied.

Timeline: May 13, 2026, exploitation chain
  1. Trigger CfAbortHydration API: undocumented call enters vulnerable routine
  2. Win the token race condition: anonymous vs. user token timing exploit
  3. Write to .DEFAULT registry hive: elevated access granted at wrong moment
  4. SYSTEM shell opens: privileged process reads planted registry key
Race window: microseconds. Result: full SYSTEM access, the highest OS privilege level. No memory corruption required; a standard user account is sufficient to start.

Phase 4: No Patch, Community Mitigations, and Anticipated Weaponization (May 18 Onward)

With no official patch scheduled before June 9, 2026, defenders are relying on detection and compensating controls rather than remediation. ThreatLocker published Community Policy TL.REG.1747 on May 18, flagging writes to two specific registry paths as indicators of exploitation. Microsoft confirmed it is investigating but has issued no CVE for the regression, no advisory, and no formal mitigation guidance.

The concern is not theoretical. Chaotic Eclipse's three prior exploits, BlueHammer, RedSun, and UnDefend, were all confirmed in real-world intrusions by Huntress researchers within days of their public release. The MiniPlasma GitHub repository accumulated over 390 stars within days of publication, a signal of rapid attention; stars measure interest rather than confirmed attacker use, but the actor's track record makes weaponization the working assumption.

Timeline: May 18 onward, defender gap
  1. May 13: PoC published the day after Patch Tuesday, no fix available
  2. May 18: ThreatLocker publishes community detection rule TL.REG.1747
  3. June 9: earliest scheduled patch date, a four-week minimum unpatched window
  4. Weaponization expected: prior exploits hit real attacks within days
390+ GitHub stars within days signals rapid attention, though stars measure interest rather than confirmed adoption by threat actors.

What Made This Possible

  1. Patches are not regression-tested against themselves. Microsoft's process for patching kernel driver vulnerabilities does not appear to include systematic checks that verify a prior fix survives subsequent updates to the same component. Six patches to cldflt.sys after 2020 apparently failed to catch that the original fix had been undone.

  2. The patch cycle creates a structural four-week blind spot. A researcher who releases an exploit the day after Patch Tuesday guarantees the maximum possible unpatched window. Patch compliance alone is no longer a sufficient security posture.

  3. A high-value driver attracts compounding attention. Once cldflt.sys became a known privilege escalation surface, it drew sustained attacker focus. CVE-2025-62221 was actively exploited by advanced actors just five months before MiniPlasma appeared. Patch-by-patch remediation of a repeatedly targeted component cannot keep pace with that level of sustained interest.

The punchline: the most dangerous thing about MiniPlasma is not the exploit itself. It is that the exploit is five years old and nobody noticed it still worked.

What Should Have Stopped This

Every defense that would have reduced the blast radius here shares one trait: it does not depend on the patch being present. Because the patch regressed without anyone noticing, any control that relied on the patch as its foundation failed silently alongside it.

  • Registry write monitoring. Writes to \Registry\User\.DEFAULT\Volatile Environment and \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps are not normal user-mode operations. An EDR tool configured to alert on these writes would catch exploitation in progress regardless of whether the underlying vulnerability is patched.
  • Least-privilege enforcement. MiniPlasma requires a standard user account as its starting point. Environments where users operate with minimum permissions limit the pool of accounts an attacker can use to launch the exploit.
  • Application control. Tools like Windows Defender Application Control (WDAC) or AppLocker can restrict which executables are permitted to run. A compiled exploit dropped by an attacker would need to pass that check before it could execute.
  • Kernel driver surface reduction. On systems where OneDrive Files On-Demand is not required, disabling or restricting cldflt.sys removes the vulnerable component entirely. Check first what depends on it: the fltmc filters command lists the loaded minifilters, and other sync clients built on the Windows Cloud Files API (Dropbox, Google Drive for desktop, iCloud Drive) stop working without the driver.

The Takeaway

MiniPlasma is not primarily a story about one vulnerability. It is a story about what happens when a patch is treated as a closed chapter rather than an ongoing commitment. Microsoft fixed CVE-2020-17103 in 2020. No process caught that the fix had regressed. No alarm sounded when the same code path became exploitable again.

This is the same class of failure as the Stryker Intune wipe and the Axios supply chain attack covered in prior posts. In each case, a trusted system was weaponized because the trust placed in it was not continuously verified. MiniPlasma adds a specific variant: trust placed in a patch is not self-sustaining. A fix that is not regression-tested is a fix that can be silently undone.

Pattern to remember: A patched vulnerability is only as durable as the process that verifies the patch survives every subsequent update to the same component.

What changed: Security teams can no longer treat a closed CVE as proof of current protection. A vulnerability can re-emerge in a fully patched system through vendor regression alone—with no new attacker action required—making patch history an unreliable indicator of present exposure.

Technical Deep Dive · 4 min

The Technical Mechanism

MiniPlasma exploits a Time-of-Check, Time-of-Use (TOCTOU) race condition in the HsmOsBlockPlaceholderAccess routine within cldflt.sys, the Windows Cloud Files Mini Filter Driver (CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition).

The attack chain proceeds as follows:

  1. The attacker calls the undocumented CfAbortHydration API from user mode. This API is an internal interface exposed by cldflt.sys to abort the process of downloading a cloud-backed placeholder file.
  2. The call enters HsmOsBlockPlaceholderAccess, which gates access to placeholder files and internally calls RtlOpenCurrentUser to open a registry key under the current user's hive.
  3. The exploit races two competing thread states: one impersonating a normal user token, one impersonating an anonymous token. The race window is the interval between the access check and the actual registry open operation.
  4. When the race is won, RtlOpenCurrentUser executes at the moment thread impersonation reverts from anonymous back to the system context. The kernel opens \Registry\User\.DEFAULT with elevated write access that the access check did not authorize.
  5. The attacker writes a registry value to the .DEFAULT hive. The value is shaped to be read by a privileged process (such as a service running as SYSTEM) as a command to execute.
  6. The next privileged process that reads the planted key executes the attacker's payload in SYSTEM context, producing a SYSTEM-level shell.

The exploit does not use memory corruption, shellcode injection, or any technique that triggers memory anomaly detection. It abuses legitimate driver logic through a timing manipulation, which means endpoint protection tools focused on memory integrity or code injection may not generate alerts.

The December 2020 patch for CVE-2020-17103 closed one specific call path into HsmOsBlockPlaceholderAccess but did not modify the routine's underlying access control logic. Whether that narrow fix was later undone by a subsequent cldflt.sys update or never covered the CfAbortHydration entry into the routine is not publicly known (see Phase 2). Either way, the original Google Project Zero proof-of-concept code runs without modification on Windows 11 with May 2026 updates applied, so no new exploit engineering was required.

Kernel-level exploitation chain
  1. CfAbortHydration called: undocumented user-mode API entry point
  2. TOCTOU race triggered: user vs. anonymous token impersonation
  3. RtlOpenCurrentUser races: access check and open operation desync
  4. Unauthorized registry write: write to .DEFAULT hive without ACL check
  5. SYSTEM shell spawned: privileged process executes planted key
No memory corruption. No code injection. A standard user account is the only prerequisite.
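The check-then-use split described above, reduced to a runnable model. This is an added example, not cldflt.sys code and not the MiniPlasma proof of concept: it keeps only the shape of the bug (an access decision made against one thread token, the hive open resolved against another) and a single-snapshot version that closes the window. The Token class, the two sample tokens and their hive paths, interleaving() as a scripted stand-in for the race, and both open functions are assumptions for illustration; the access-mask constants are the real winreg.h values.

```python
"""Model of the check/use split the article attributes to HsmOsBlockPlaceholderAccess.

Added example for this page; it is not cldflt.sys code and not the MiniPlasma PoC.
Only the bug class (CWE-367) is modelled: an access decision taken against one
thread token, a registry open resolved against another. Token, the two sample
tokens, their hive paths, interleaving() and both open functions are illustrative
assumptions, not the driver's real logic.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# Real registry access-mask values from winnt.h / winreg.h.
KEY_SET_VALUE = 0x0002
KEY_CREATE_SUB_KEY = 0x0004
KEY_READ = 0x20019
KEY_WRITE = 0x20006
KEY_ALL_ACCESS = 0xF003F
WRITE_RIGHTS = KEY_SET_VALUE | KEY_CREATE_SUB_KEY


@dataclass(frozen=True)
class Token:
    name: str
    hive: str            # hive RtlOpenCurrentUser would resolve for this token (assumed)
    is_anonymous: bool


# Assumed: a normal user's SID hive, and the anonymous logon, which the
# article says resolves to \Registry\User\.DEFAULT.
USER = Token("user", "\\Registry\\User\\S-1-5-21-1000", False)
ANONYMOUS = Token("anonymous", "\\Registry\\User\\.DEFAULT", True)

TokenSource = Callable[[], Token]
OpenImpl = Callable[[TokenSource, int], Tuple[str, int]]


def interleaving(tokens: Iterable[Token]) -> TokenSource:
    """Deterministic stand-in for 'which token is this thread impersonating now'.
    Each call returns the next scripted token, then repeats the last one, so the
    race outcome is chosen by the script rather than by thread timing."""
    it = iter(tokens)
    last: Optional[Token] = None

    def current() -> Token:
        nonlocal last
        try:
            last = next(it)
        except StopIteration:
            pass
        if last is None:
            raise ValueError("interleaving needs at least one token")
        return last

    return current


def racy_open(current_token: TokenSource, access: int) -> Tuple[str, int]:
    """Vulnerable shape: the token is read twice, once to check, once to open."""
    # Time of check: refuse write access to anonymous callers.
    if current_token().is_anonymous and access & WRITE_RIGHTS:
        raise PermissionError("anonymous caller may not write")
    # --- race window: the attacker flips impersonation here ---
    # Time of use: open whatever hive the *current* token resolves to, with the
    # access already approved above and no second check.
    return current_token().hive, access


def safe_open(current_token: TokenSource, access: int) -> Tuple[str, int]:
    """Fixed shape: one snapshot, so the token checked is the token used."""
    token = current_token()
    if token.is_anonymous and access & WRITE_RIGHTS:
        raise PermissionError("anonymous caller may not write")
    return token.hive, access


def still_vulnerable(open_impl: OpenImpl) -> bool:
    """Regression check: drive the implementation through the exploit interleaving
    (user token at check time, anonymous at use time) and report whether it hands
    back a writable handle on .DEFAULT."""
    try:
        hive, granted = open_impl(interleaving([USER, ANONYMOUS]), KEY_ALL_ACCESS)
    except PermissionError:
        return False
    return hive == ANONYMOUS.hive and bool(granted & WRITE_RIGHTS)


if __name__ == "__main__":
    print("racy_open still vulnerable:", still_vulnerable(racy_open))  # True
    print("safe_open still vulnerable:", still_vulnerable(safe_open))  # False
```

still_vulnerable() is the kind of regression check the article says never ran: a fixed interleaving that exercises the exploit path against whatever build of the routine it is handed. The driver-level equivalent is running the original PoC against every new cldflt.sys build, not a one-time confirmation when the CVE is closed.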

CVE and Advisories

  • CVE-2020-17103: Windows Cloud Files Mini Filter Driver elevation of privilege vulnerability. Originally patched December 2020. CVSS 7.8 (NIST) / 7.0 (Microsoft). The MiniPlasma regression is being assessed under this CVE identifier; as of May 23, 2026, Microsoft has not assigned a new CVE for the regression.
  • CVE-2025-62221: Use-after-free in cldflt.sys, patched December 9, 2025. CVSS 7.8. Actively exploited in the wild; added to CISA's Known Exploited Vulnerabilities catalog with a December 30, 2025 remediation deadline for federal agencies.
  • CVE-2026-33825: BlueHammer, a prior Chaotic Eclipse exploit, patched April 14, 2026.
  • CVE-2026-33835 and CVE-2026-34337: Two additional cldflt.sys issues patched in May 2026 Patch Tuesday (KB5089549). Neither addresses the MiniPlasma regression.

No Microsoft Security Advisory or out-of-band patch for the MiniPlasma regression has been issued as of May 23, 2026. The next scheduled Patch Tuesday is June 9, 2026.

MITRE ATT&CK Mapping

Technique ID | ATT&CK name | How it appeared
T1068 | Exploitation for Privilege Escalation | MiniPlasma exploits CVE-2020-17103 (regressed) in cldflt.sys to escalate from standard user to SYSTEM.
T1112 | Modify Registry | The exploit writes unauthorized values to the .DEFAULT registry hive to plant a payload executed by a privileged process.
T1574 | Hijack Execution Flow | Registry key manipulation redirects execution of a privileged process to attacker-controlled commands.
T1106 | Native API | The exploit calls the undocumented CfAbortHydration API, a user-mode entry point into cldflt.sys, to trigger the vulnerable code path.

Indicators of Compromise

ThreatLocker identified two registry paths as primary indicators of exploitation activity:

  • \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps*
  • \Registry\User\.DEFAULT\Volatile Environment*

Writes to either path from a non-SYSTEM, non-administrator process context are anomalous and should be treated as high-confidence indicators of MiniPlasma exploitation or a closely related technique.

Detection is complicated by the exploit's mechanism: because it abuses legitimate driver logic rather than injecting code or corrupting memory, signature-based and memory-integrity tools may not generate alerts. Behavioral detection focused on registry write patterns is the most reliable approach available prior to an official patch.
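For the registry write monitoring control listed under "What Should Have Stopped This" and the two indicator paths above, here is an added example of that check run over constructed Sysmon registry events (Event ID 12 CreateKey and 13 SetValue). It is not ThreatLocker's TL.REG.1747 and not code from the MiniPlasma repository. Sysmon renders user hives as HKU\... rather than \Registry\User\..., so the indicators are matched in that form and the native form is normalized to it; the sample events, host, account names and image paths are made up.

```python
"""Registry-write detection over constructed Sysmon registry events.

Added example for this page; not ThreatLocker policy TL.REG.1747 and not code
from the MiniPlasma repository. Field names follow Sysmon's Event ID 12
(CreateKey/DeleteKey) and 13 (SetValue) schema; the sample events, host, user
and image paths are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# The two indicator paths from the page, written the way Sysmon renders user
# hives (HKU\...) and uppercased for case-insensitive prefix matching. The
# page lists them as \Registry\User\... with a trailing wildcard.
INDICATOR_PREFIXES = (
    "HKU\\.DEFAULT\\VOLATILE ENVIRONMENT",
    "HKU\\SOFTWARE\\POLICIES\\MICROSOFT\\CLOUDFILES\\BLOCKEDAPPS",
)
# Writes from these built-in accounts are expected. Admin group membership is
# not carried in the Sysmon registry event, so every other account is treated
# as a standard-user context until enriched.
PRIVILEGED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                       "NT AUTHORITY\\NETWORK SERVICE"}
WRITE_EVENT_TYPES = {"CreateKey", "SetValue"}


@dataclass
class Finding:
    utc_time: str
    user: str
    image: str
    target: str


def normalize_target(target: str) -> str:
    """Map the native \\REGISTRY\\USER\\... form onto Sysmon's HKU\\... form."""
    t = target.strip().upper()
    native = "\\REGISTRY\\USER\\"
    return "HKU\\" + t[len(native):] if t.startswith(native) else t


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Sysmon event into {EventID, EventType, UtcTime, Image, ...}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext(f"{NS}System/{NS}EventID", "")}
    for data in root.iter(f"{NS}Data"):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def detect(events_xml: List[str]) -> List[Finding]:
    """Flag key creations and value sets under the indicator paths made by any
    account other than the built-in service accounts."""
    findings: List[Finding] = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if ev["EventID"] not in ("12", "13") or ev.get("EventType") not in WRITE_EVENT_TYPES:
            continue
        if not normalize_target(ev.get("TargetObject", "")).startswith(INDICATOR_PREFIXES):
            continue
        if ev.get("User", "").upper() in PRIVILEGED_ACCOUNTS:
            continue
        findings.append(Finding(ev.get("UtcTime", ""), ev.get("User", ""),
                                ev.get("Image", ""), ev.get("TargetObject", "")))
    return findings


def sysmon_event(event_id: int, event_type: str, utc: str,
                 image: str, target: str, user: str) -> str:
    """Build a minimal Sysmon-shaped event (constructed sample data)."""
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="EventType">{event_type}</Data>'
            f'<Data Name="UtcTime">{utc}</Data><Data Name="Image">{image}</Data>'
            f'<Data Name="TargetObject">{target}</Data><Data Name="User">{user}</Data>'
            f"</EventData></Event>")


# Constructed sample events: 1 and 4 should fire, 2 (SYSTEM) and 3 (user's own hive) should not.
SAMPLE_EVENTS = [
    sysmon_event(13, "SetValue", "2026-05-20 14:02:11.101", "C:\\Users\\alice\\Downloads\\poc.exe",
                 "HKU\\.DEFAULT\\Volatile Environment\\Path", "DESKTOP-1\\alice"),
    sysmon_event(13, "SetValue", "2026-05-20 14:02:12.000", "C:\\Windows\\System32\\svchost.exe",
                 "HKU\\.DEFAULT\\Volatile Environment\\Path", "NT AUTHORITY\\SYSTEM"),
    sysmon_event(13, "SetValue", "2026-05-20 14:02:13.000", "C:\\Windows\\explorer.exe",
                 "HKU\\S-1-5-21-1000-1001\\Volatile Environment\\Path", "DESKTOP-1\\alice"),
    sysmon_event(12, "CreateKey", "2026-05-20 14:02:14.000", "C:\\Users\\alice\\Downloads\\poc.exe",
                 "\\REGISTRY\\USER\\Software\\Policies\\Microsoft\\CloudFiles\\BlockedApps\\x",
                 "DESKTOP-1\\alice"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT {f.utc_time} {f.user} {f.image} -> {f.target}")
```

Group membership is not in the Sysmon registry event, so the filter only excludes the built-in service accounts; join on the matching Event ID 1 (process create, which carries IntegrityLevel) before calling a hit "non-administrator". Note also that the .DEFAULT write fires from the attacker's own standard-user process, which is exactly why the process context, not the path alone, is the discriminator.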

ThreatLocker Community Policy TL.REG.1747 (published May 18, 2026) provides a detection rule mapped to MITRE ATT&CK TA0004 (Privilege Escalation).

The exploit's GitHub repository (Nightmare-Eclipse/PoC_AbortHydration_ArbitraryRegKey_EoP) is a secondary indicator: presence of the compiled executable or source files on a system warrants investigation.

Attribution

MiniPlasma was authored and published by a researcher using the aliases Nightmare-Eclipse (GitHub), Chaotic Eclipse, and Dead Eclipse (blog: deadeclipse666.blogspot.com). The researcher's real identity is not publicly known. Barracuda Networks assessed the actor as motivated by a personal grievance against Microsoft's Security Response Center, with the researcher alleging that MSRC personnel directly threatened them. Barracuda also noted that exploits from this actor have been observed in threat activity linked to Russian-geolocated infrastructure, though this infrastructure link has not been independently corroborated by other threat intelligence firms.

The researcher is widely speculated to be a former Microsoft employee or contractor based on demonstrated familiarity with Windows internals, but this has not been verified. No nation-state attribution has been made for MiniPlasma specifically. The underlying vulnerability was originally discovered by James Forshaw of Google Project Zero; Chaotic Eclipse explicitly credited Forshaw and described MiniPlasma as a re-weaponization of Forshaw's original research.


Primary Sources