Intelligence | Critical | Vulnerability | Emerging

MiniPlasma 0-Day Exposes Systemic Patching Failure in Windows Cloud Files Driver

Researcher Chaotic Eclipse has released a working exploit for MiniPlasma, a Windows privilege escalation zero-day in the Cloud Files Mini Filter Driver (cldflt.sys) that grants SYSTEM access on fully patched systems. This represents a complete bypass of Windows security controls and poses immediate risk to all affected Windows installations.

Sebastion

Affected

Microsoft Windows; Windows Cloud Files Mini Filter Driver (cldflt.sys)

Chaotic Eclipse, who previously disclosed YellowKey and GreenPlasma flaws, has now published a proof-of-concept exploit for MiniPlasma, a local privilege escalation vulnerability affecting cldflt.sys. The fact that this works on fully patched systems indicates either a zero-day window before vendor remediation or a failure in Microsoft's patch delivery for this specific driver component.

The Cloud Files Mini Filter Driver is a low-level system component responsible for handling cloud storage operations. Its position in the Windows driver stack and kernel-mode execution context make it an attractive target for privilege escalation attacks. By compromising this driver, an attacker with local code execution can transition from user mode to SYSTEM privileges without requiring physical access or administrative credentials.

This vulnerability is particularly concerning because it works against what should be a fully patched system, suggesting that the patch was incomplete, has not yet been deployed, or that the flaw sits in a code path missed during the initial remediation. The public PoC release significantly lowers the barrier to exploitation, meaning threat actors can now weaponise it quickly for targeted attacks or integrate it into attack frameworks.

Organisations should treat this as requiring emergency attention: enumerate Windows systems on which the Cloud Files driver is present and loaded, check for signs of exploitation via process creation anomalies or privilege escalation indicators, and prepare emergency patching procedures. Disable cloud file synchronisation features that are not critical to operations until patches are confirmed available and tested.
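A host inventory check for the enumeration step above, added here as an example and not taken from the advisory or the researcher's PoC. It assumes the driver's service and filter name is CldFlt and that cldflt.sys lives under the default drivers path; run it elevated, since fltmc needs administrator rights.

```powershell
# Added example (not from the advisory): report the Cloud Files filter driver's
# presence, version, signature state, and load status on the local host so the
# results can be aggregated across a fleet. Assumes service/filter name 'CldFlt'.
function Get-CloudFilesDriverStatus {
    [CmdletBinding()]
    param()

    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        DriverPresent  = Test-Path $driverPath
        FileVersion    = $null
        LastWriteTime  = $null
        SignatureState = $null
        FilterLoaded   = $false
        ServiceStart   = $null
    }

    if ($result.DriverPresent) {
        # File version and timestamp are what you compare against the build
        # Microsoft ships a fix in; signature status flags tampered binaries.
        $item = Get-Item $driverPath
        $result.FileVersion    = $item.VersionInfo.FileVersion
        $result.LastWriteTime  = $item.LastWriteTime
        $result.SignatureState = (Get-AuthenticodeSignature $driverPath).Status
    }

    # fltmc lists currently loaded minifilters; a present-but-unloaded driver
    # is lower risk than one attached to volumes right now.
    $loaded = & fltmc.exe filters 2>$null |
        Select-String -Pattern '^\s*CldFlt\b' -Quiet
    $result.FilterLoaded = [bool]$loaded

    # Start mode tells you whether the driver will load again after a reboot,
    # which matters if you choose to disable sync features as a stopgap.
    $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='CldFlt'" `
        -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceStart = $svc.StartMode }

    [pscustomobject]$result
}

Get-CloudFilesDriverStatus | Format-List
```

Feed the objects into your asset inventory or a CSV export to find hosts where the filter is loaded and the driver version predates the vendor fix once one is published.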

The pattern of Chaotic Eclipse disclosing multiple Windows driver vulnerabilities in succession suggests either systematic weakness in kernel driver security review at Microsoft, or that this researcher has identified a particular class of flaws in cloud/storage driver implementations. This third disclosure warrants broader security analysis of the Mini Filter Driver ecosystem.