A security researcher publishing under the alias “Chaotic Eclipse” released a working proof-of-concept exploit for an unpatched Windows privilege escalation vulnerability. The exploit, named MiniPlasma, targets the Cloud Files Mini Filter Driver — a kernel-mode component that backs OneDrive, SharePoint Sync, and any third-party cloud synchronisation service implemented via the Windows Cloud Files API. On a fully-patched Windows 10 22H2, Windows 11 24H2, and Windows Server 2022/2025 system, MiniPlasma elevates an unprivileged user to SYSTEM without triggering Windows Defender.
Technical Background
The Cloud Files Mini Filter Driver (cldflt.sys) implements the infrastructure for placeholder file management — the mechanism that allows cloud sync clients to show files in Explorer as locally present even when they have not yet been downloaded. When a placeholder file is opened, the driver’s I/O request packet (IRP) handling coordinates with the registered cloud provider to trigger download.
MiniPlasma exploits a logic flaw in how the driver handles concurrent IRP operations on the same placeholder object. By racing two operations — a property write and a handle duplication — the exploit causes the driver to operate on an object handle with elevated privileges that outlive the context in which they were granted. The resulting handle can be used to write to kernel memory with SYSTEM-level access.
The exploit requires no user interaction beyond execution of the attacker’s payload and completes in approximately 200–400 milliseconds on test systems.
Who Is Affected
Any Windows system where the Cloud Files Mini Filter Driver is loaded and active — which is the default state on all modern Windows installations. The driver is present and enabled regardless of whether the user has an active cloud sync service configured; it is loaded as part of the Windows shell infrastructure.
Confirmed affected versions:
- Windows 10 versions 21H2 and 22H2 (fully patched as of May 2026)
- Windows 11 versions 23H2 and 24H2 (fully patched)
- Windows Server 2022 (fully patched)
- Windows Server 2025 (fully patched)
Windows Server 2019 behaviour is reported to differ in ways that affect reliability of the exploit, but it is not confirmed unaffected.
Exploitation Conditions
The vulnerability requires:
- Local code execution as a standard (non-administrative) user
- The Cloud Files Mini Filter Driver to be loaded (default on all affected versions)
It does not require:
- Any cloud sync service to be configured or logged in
- User interaction
- Network connectivity
This makes MiniPlasma an effective second-stage payload following any initial access that yields code execution as a standard user — malicious documents, browser exploits, phishing, or insider access.
Current Status and Recommended Actions
Microsoft has not issued a patch or an out-of-band advisory as of 25 May. The Microsoft Security Response Center (MSRC) was notified through coordinated disclosure, but the patch timeline is unknown.
In the absence of a patch, defenders should:
- Restrict execution of arbitrary user-mode code via AppLocker or Windows Defender Application Control (WDAC) policies — MiniPlasma requires execution of attacker-controlled code at the standard-user level
- Monitor for suspicious SYSTEM token impersonation using Windows Event ID 4672 (special logon with sensitive privileges) from unexpected processes
- Deploy Microsoft’s Attack Surface Reduction (ASR) rules to reduce initial access vectors that would typically precede a local privilege escalation
- Monitor cldflt.sys IRP operations if your EDR exposes kernel IRP telemetry — unusual concurrent IRP patterns on placeholder file objects are an indicator
- Subscribe to Microsoft’s MSRC Security Update notifications to receive the patch immediately when released
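The two host-side checks below put the second and fourth recommendations into practice: confirm whether the Cloud Files Mini Filter Driver is actually loaded on a given machine, and triage Event ID 4672 by stripping out the principals that legitimately receive sensitive privileges. This is an added example written for this article, not code from the researcher or from Microsoft. It assumes the driver registers under the service name CldFlt (which is what `fltmc filters` lists on current builds; verify on your own image), that Security-log auditing for logon events is enabled, and that the script is run from an elevated PowerShell prompt. The expected-user patterns are a starting allowlist, not a complete one.

```powershell
# Added example (not from the article): defender-side checks for the
# recommendations above. Assumes the driver's service name is CldFlt and
# that the Security log retains 4672/4624 events. Run elevated.

# 1. Is the Cloud Files Mini Filter Driver present and running on this host?
function Get-CldFltState {
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CldFlt'"
    if (-not $drv) {
        return [pscustomobject]@{ Present = $false; State = 'absent'; StartMode = $null }
    }
    [pscustomobject]@{ Present = $true; State = $drv.State; StartMode = $drv.StartMode }
}

# Flatten the EventData section of a Security event into a name -> value table.
function ConvertTo-EventDataTable {
    param([Parameter(Mandatory)]$Event)
    $x = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# 2. Pull recent 4672 (special privileges assigned to new logon) events and drop
#    the accounts that are expected to hold them, leaving the ones worth a look.
function Find-UnexpectedSpecialLogons {
    param(
        [int]$Hours = 24,
        # Known-good principals: built-in service accounts plus the Window Manager
        # and Font Driver Host accounts. Machine accounts (trailing '$') are skipped
        # separately. Extend this list with your own service accounts.
        [string[]]$ExpectedUsers = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'DWM-*', 'UMFD-*')
    )
    $filter = @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ConvertTo-EventDataTable -Event $e
        $user = $data['SubjectUserName']
        if ($user -like '*$') { continue }   # machine account
        $isExpected = $false
        foreach ($p in $ExpectedUsers) { if ($user -like $p) { $isExpected = $true; break } }
        if ($isExpected) { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($data['SubjectDomainName'])\$user"
            LogonId    = $data['SubjectLogonId']   # join key to the matching 4624 event
            Privileges = (($data['PrivilegeList'] -split '\s+') | Where-Object { $_ }) -join ','
        }
    }
}

# 3. 4672 does not name the process that obtained the privileges. The 4624 logon
#    event with the same LogonId does: it carries LogonType, ProcessName and the
#    source address, which is what you need to decide whether the logon is odd.
function Get-LogonForId {
    param([Parameter(Mandatory)][string]$LogonId, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ConvertTo-EventDataTable -Event $_
        if ($data['TargetLogonId'] -eq $LogonId) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $data['LogonType']
                ProcessName = $data['ProcessName']
                IpAddress   = $data['IpAddress']
            }
        }
    }
}

# Usage: report driver state, then list special-privilege logons from unexpected
# principals in the last 24 hours; feed any suspicious LogonId to Get-LogonForId.
Get-CldFltState
Find-UnexpectedSpecialLogons -Hours 24 | Format-Table -AutoSize
```

The allowlist is deliberately matched on account name rather than SID so it is readable in a triage script; in a production rule, matching on the well-known SIDs (S-1-5-18, S-1-5-19, S-1-5-20) is more robust. The join to 4624 via the logon ID is the only way to get process context out of the native Security log for this event, which is why the third function exists alongside the 4672 filter the article recommends.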
The public availability of a working PoC accelerates the exploitation timeline. Threat actors who can achieve initial user-level access on Windows environments will rapidly integrate MiniPlasma for privilege escalation.