- microsoft
- windows
- cve
- privilege-escalation
- cldflt
- lpe
- local
- zero-day
- regression
news
MiniPlasma: Cloud Files Driver Regression LPE (CVE-2020-17103)
Nightmare-Eclipse weaponizes James Forshaw's 2020 cldflt!HsmOsBlockPlaceholderAccess bug — original Project Zero PoC works unchanged on fully patched Win11; race to SYSTEM shell.
Summary
MiniPlasma is a local privilege escalation exploit for a regressed, or never fully fixed, vulnerability. Nightmare-Eclipse published it in June 2026, in the same Patch Tuesday cycle that fixed GreenPlasma and YellowKey. It weaponizes CVE-2020-17103, originally reported by James Forshaw (Google Project Zero) in September 2020 against the Windows Cloud Files Mini Filter Driver (cldflt.sys). Microsoft assigned CVE-2020-17103 and reportedly patched it in December 2020; MiniPlasma demonstrates that the original Project Zero proof-of-concept still works without modification on fully patched Windows 11 and Server 2025, and extends it to spawn an interactive SYSTEM shell.
The vulnerable routine is cldflt!HsmOsBlockPlaceholderAccess, which creates per-user "block entries" in the registry to control Cloud Files / OneDrive placeholder hydration. The bug: the routine opens the caller's hive via RtlOpenCurrentUser under impersonation and falls back to the .DEFAULT hive when no user hive is available; impersonation and the fallback can be raced so that keys are created under .DEFAULT\Volatile Environment (SYSTEM's hive) without proper OBJ_FORCE_ACCESS_CHECK enforcement, so the caller's access rights are never checked against the key. From there the attacker manipulates the CloudFiles BlockedApps policy and related paths to escalate.
The researcher attributes rediscovery to a colleague's tip after investigating GreenPlasma's SetPolicyVal technique. Microsoft patched again in June 2026 Patch Tuesday after public PoC release. OFFSITE.DARK indexes Project Nightcrawler and Project Zero lineage; we did not discover this flaw.
Technical Details
| Aspect | Detail |
|---|---|
| CVE (original) | CVE-2020-17103 |
| Component | cldflt.sys — Cloud Files Mini Filter Driver |
| Function | HsmOsBlockPlaceholderAccess |
| Root cause | Missing access checks + race in RtlOpenCurrentUser → .DEFAULT hive fallback |
| API surface | Undocumented CfAbortHydration / placeholder block path |
| Privileges required | Standard local user |
| Exploit type | Race condition (dual-thread token impersonation) |
| PoC language | C# (weaponized from original Google PoC) |
| Reliability | Researcher reports reliable on lab hosts; success varies by timing |
| Affected | Windows 11, Server 2022/2025 confirmed; researcher claims all versions |
Race mechanics (Picus / ThreatLocker synthesis)
- Thread A performs anonymous/user token impersonation around calls into the Cloud Filter driver.
- Thread B triggers the `HsmOsBlockPlaceholderAccess` / hydration abort path. `RtlOpenCurrentUser` fails for the anonymous SID (no hive loaded), so the code path is intended to fall back to the user hive.
- Impersonation reverts before the fallback completes, so the `.DEFAULT` (SYSTEM) hive opens with unintended write capability.
- The attacker creates registry state under `.DEFAULT\Volatile Environment` and `Software\Policies\Microsoft\CloudFiles\BlockedApps` and escalates to SYSTEM execution.
MiniPlasma is notable because it is not a novel vulnerability class — it is a patch regression or never-applied fix on modern builds, validated when the 2020 PoC executed unchanged six years later.
CVE
| Field | Value |
|---|---|
| CVE | CVE-2020-17103 (researcher attribution; June 2026 re-fix) |
| Original fix | December 2020 (regression reported June 2026) |
| CWE | Privilege management / access-check bypass in kernel filter driver |
| CVSS (original MSRC) | Local elevation of privilege |
| Public PoC | MiniPlasma (SYSTEM shell); original Project Zero PoC |
| Patch (2026) | June 2026 Patch Tuesday |
Impact
- SYSTEM compromise from standard user on Cloud-Files-enabled systems (most Windows 11 installs with OneDrive integration).
- Patch confidence erosion — six-year-old Project Zero fix ineffective on current builds until June 2026 re-patch.
- Post-compromise escalation after phishing, stolen sessions, or supply-chain footholds.
- Detection surface: registry writes to `.DEFAULT\Volatile Environment` and `CloudFiles\BlockedApps` from user processes.
Suggested detection queries (public research)
Monitor registry creation/set events on:
\Registry\User\.DEFAULT\Volatile Environment
\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps
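The two paths above can be turned into a simple rule over registry telemetry. The following is an added example, not code from the MiniPlasma repository or from the Picus / ThreatLocker reports: it applies the two watched paths to events in the shape Sysmon emits for registry activity (EventID 12 for key create/delete, 13 for value set, with Image, User and TargetObject fields) and alerts only when the writing process is not SYSTEM, as the detection guidance above describes. The pipe-delimited record format and every sample line are constructed for this example; the image name `poc.exe` and the SID are placeholders.

```python
"""Added example: flag MiniPlasma-style registry writes in Sysmon-shaped events.

Not code from MiniPlasma or the cited vendor reports.  Matches registry
create/set events against the two paths from the public detection guidance
and ignores writes made by SYSTEM.  Record format and samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Event IDs Sysmon uses for registry object (12) and value (13) modifications.
REGISTRY_EVENT_IDS = {12, 13}

# Hive prefixes that different telemetry sources put in front of the same key.
HIVE_PREFIX_RE = re.compile(r"^(?:HKU|HKEY_USERS|\\REGISTRY\\USER)\\", re.IGNORECASE)

# Detection paths from the public research, lower-cased for matching.
VOLATILE_ENV = r"\.default\volatile environment"
BLOCKED_APPS = r"\software\policies\microsoft\cloudfiles\blockedapps"

# Constructed sample records: EventID|Image|User|TargetObject (not real telemetry).
SAMPLE_LOG = r"""12|C:\Windows\System32\svchost.exe|NT AUTHORITY\SYSTEM|HKU\.DEFAULT\Volatile Environment
13|C:\Users\alice\AppData\Local\Temp\poc.exe|DESKTOP-01\alice|\REGISTRY\USER\.DEFAULT\Volatile Environment\Stage
12|C:\Users\alice\AppData\Local\Temp\poc.exe|DESKTOP-01\alice|HKU\S-1-5-21-111-222-333-1001\Software\Policies\Microsoft\CloudFiles\BlockedApps
13|C:\Program Files\Microsoft OneDrive\OneDrive.exe|DESKTOP-01\alice|HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\OneDrive\Accounts
1|C:\Users\alice\AppData\Local\Temp\poc.exe|DESKTOP-01\alice|-
"""


@dataclass(frozen=True)
class RegistryEvent:
    event_id: int
    image: str
    user: str
    target: str


def normalise_target(target: str) -> str:
    """Strip the hive prefix so 'HKU\\.DEFAULT\\X' and '\\REGISTRY\\USER\\.DEFAULT\\X' compare equal."""
    return "\\" + HIVE_PREFIX_RE.sub("", target).lower()


def is_watched_path(target: str) -> bool:
    """True if the key or value lies under either path the guidance says to monitor."""
    t = normalise_target(target)
    # Volatile Environment sits directly under .DEFAULT: match the key or anything below it.
    under_volatile = t == VOLATILE_ENV or t.startswith(VOLATILE_ENV + "\\")
    # BlockedApps lives under a per-user SID, so match the suffix anywhere in the path.
    under_blocked = BLOCKED_APPS in t
    return under_volatile or under_blocked


def is_system_user(user: str) -> bool:
    """SYSTEM legitimately touches .DEFAULT; the guidance is about non-SYSTEM writers."""
    return user.upper() == "NT AUTHORITY\\SYSTEM"


def parse_line(line: str) -> Optional[RegistryEvent]:
    """Parse one constructed 'EventID|Image|User|TargetObject' record; None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return RegistryEvent(int(parts[0]), parts[1], parts[2], parts[3])


def detect(log_text: str) -> List[RegistryEvent]:
    """Return registry create/set events on watched paths made by non-SYSTEM processes."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.event_id not in REGISTRY_EVENT_IDS:
            continue
        if is_watched_path(ev.target) and not is_system_user(ev.user):
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"ALERT event={ev.event_id} user={ev.user} image={ev.image} target={ev.target}")
```

On the constructed sample the rule raises two alerts, both for the user process: the value set under `.DEFAULT\Volatile Environment` and the key created under the user's `CloudFiles\BlockedApps` policy path. The SYSTEM write to `.DEFAULT` and OneDrive's own write elsewhere in the user hive are not flagged. In a real pipeline the same two predicates map directly onto a Sysmon rule or SIEM query on `TargetObject` and `User`.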
Mitigation
- Apply the June 2026 Patch Tuesday updates, verifying the `cldflt.sys` version on endpoints.
- Deploy WDAC / AppLocker default-deny where operational policy supports it.
- Monitor CloudFiles registry policy paths and `.DEFAULT` hive writes from non-SYSTEM processes.
- Restrict local admin and assume any user foothold can attempt driver-triggered LPE until patched.
- Validate on Canary/Insider builds — Will Dormann reported MiniPlasma failing on some Insider Preview channels while succeeding on production-patched Win11.
Sources
- Project Nightcrawler — NightmareEclipse/MiniPlasma (primary PoC source)
- Church of Malware git — Nightmare_Eclipse/MiniPlasma (historical mirror)
- Google Project Zero — original CVE-2020-17103 issue
- Microsoft MSRC — CVE-2020-17103
- Picus Security — MiniPlasma / HsmOsBlockPlaceholderAccess analysis
- ThreatLocker — MiniPlasma validation notes
- OFFSITE.DARK — RoguePlanet cluster index