# Full System Control in a Few Steps. New 0-Day in Windows. And It Won't Be Patched Until June 9

12:58 / June 4, 2026

Hackers are already exploiting Windows via MiniPlasma.

A dangerous vulnerability dubbed MiniPlasma has been discovered in Windows and is already being exploited in the wild. The flaw allows an attacker to gain SYSTEM-level privileges, effectively granting full control over the computer. Microsoft will release a fix on June 9. Kaspersky Lab reported the vulnerability.

Over the past two months, an anonymous security researcher known as Nightmare Eclipse, also called Chaotic Eclipse, has publicly disclosed six Windows vulnerabilities and immediately released ready-to-use exploit code. Microsoft was not notified in advance, leaving the company with no time to prepare patches prior to the public disclosure.

The most dangerous of the disclosed flaws is MiniPlasma. It is linked to an older issue, CVE-2020-17103 (CVSS 2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C — 7.2 (High)), which was considered patched back in 2020. However, fully updated Windows 11 systems, as well as Windows Server 2022 and Windows Server 2025, remain vulnerable to this attack vector. Like CVE-2020-17103, the new issue affects the Cloud Filter driver and the HsmOsBlockPlaceholderAccess procedure.

This is a local privilege escalation attack. The attacker initially requires access to the system, but after successfully exploiting MiniPlasma, they can elevate to the highest privilege level. Real-world attacks using MiniPlasma have been observed since April 10. The published proof-of-concept code increases the risk of further attacks, as the vulnerability can now be exploited not only by advanced threat actors but also by less sophisticated attackers.

Kaspersky Lab outlined the indicators to detect MiniPlasma exploitation attempts: symbolic links are created in the registry key HKU.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps, the wermgr.exe file appears outside standard system directories, and system files or their mimics are launched from atypical folders. An additional indicator is the NtApiDotNet library: in the PoC code, it was used to interact with low-level Windows registry functions.

Special attention should be paid to modifications of the CloudFiles\BlockedApps registry key, the execution of the \Microsoft\Windows\Windows Error Reporting\QueueReporting scheduled task, the appearance of wermgr.exe outside the C:\Windows\System32 and C:\Windows\SysWOW64 directories, as well as any processes spawned via wermgr.exe. Until the patch is released, administrators are advised to closely monitor suspicious registry changes, non-standard execution of system files, and unusual activity from the Windows Error Reporting service.

#MiniPlasma #Windows #0day #privilege #Microsoft #Kaspersky #cybersecurity #exploit #Windows11 #WindowsServer #NightmareEclipse #CloudFilter #SYSTEM #security
5
4
14
2,358
Researcher demonstrates how adversaries can bypass community GreenPlasma/MiniPlasma detection rules through simple process cloning, exposing critical flaws in string-based detection logic.

Key technical details:
• GreenPlasma exploits UAC desktop switching by pre-planting symbolic links at \Sessions\<N>\BaseNamedObjects\CTF.AsmListCache.FMPWinlogon<N>
• SYSTEM process follows malicious symlink during Winlogon desktop transition, granting attacker handle to SYSTEM memory
• Community rules targeting conhost.exe easily bypassed by copying binary to %APPDATA%\conthehost.exe - signature remains valid
• ADE3-01 Process Cloning bug affects string-matching rules in Splunk Security Content and Cortex XDR platforms

More robust detection focuses on registry artifacts:
• Monitor volatile REG_LINK creation in CloudFiles\BlockedApps key paths
• Alert on SymbolicLinkValue pointing to Policies\System within 10-minute window
• Avoid process.name, binary hash, or parent process filtering

Hunt for REG_LINK registry keys with SymbolicLinkValue data containing "Policies\System" - these artifacts show better signal-to-noise ratio than process-based indicators.

#DFIR_Radar
1
3
4
508
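The registry and wermgr.exe indicators from the two posts above, written as detection logic over normalized events. This is an added example, not code from either post or from any vendor rule set; the event schema, host names, timestamps and key/target strings are constructed assumptions.

```python
import ntpath
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
BLOCKED = r"HKU\S-1-5-21-CONSTRUCTED\Software\Policies\Microsoft\CloudFiles\BlockedApps"
TARGET = r"\REGISTRY\<constructed>\Policies\System"

# Constructed events in a hypothetical normalized schema (not a real EDR export).
EVENTS = [
    {"ts": "2026-06-04T10:00:05", "host": "ws1", "type": "reg_key_create",
     "key": BLOCKED, "link": True, "image": r"C:\Users\a\AppData\Roaming\conthehost.exe"},
    {"ts": "2026-06-04T10:03:10", "host": "ws1", "type": "reg_value_set",
     "key": BLOCKED, "value": "SymbolicLinkValue", "data": TARGET},
    {"ts": "2026-06-04T11:00:00", "host": "ws2", "type": "reg_key_create",
     "key": BLOCKED, "link": True},
    {"ts": "2026-06-04T11:30:00", "host": "ws2", "type": "reg_value_set",
     "key": BLOCKED, "value": "SymbolicLinkValue", "data": TARGET},
    {"ts": "2026-06-04T10:04:00", "host": "ws1", "type": "process_start",
     "image": r"C:\Users\Public\wermgr.exe"},
    {"ts": "2026-06-04T10:05:00", "host": "ws1", "type": "process_start",
     "image": r"C:\Windows\System32\wermgr.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def registry_link_alerts(events):
    # Link-key creation under CloudFiles\BlockedApps, then a SymbolicLinkValue write
    # naming Policies\System on the same host within WINDOW. No process fields used.
    creates, alerts = [], []
    for e in sorted(events, key=_ts):
        if r"cloudfiles\blockedapps" not in e.get("key", "").lower():
            continue
        if e["type"] == "reg_key_create" and e.get("link"):
            creates.append(e)
        elif (e["type"] == "reg_value_set" and e.get("value") == "SymbolicLinkValue"
              and r"policies\system" in e.get("data", "").lower()):
            if any(c["host"] == e["host"] and _ts(e) - _ts(c) <= WINDOW for c in creates):
                alerts.append((e["host"], e["ts"]))
    return alerts

def misplaced_wermgr(events):
    # wermgr.exe started from anywhere other than System32 or SysWOW64.
    paths = [(e["host"], ntpath.normpath(e["image"]))
             for e in events if e["type"] == "process_start"]
    return [(h, p) for h, p in paths if ntpath.basename(p).lower() == "wermgr.exe"
            and ntpath.dirname(p).lower() not in SYSTEM_DIRS]
```

The ws1 registry pair alerts even though the writing process is a renamed copy, because the rule never reads the image field; the ws2 pair is 30 minutes apart and stays silent.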
Confirmed that miniplasma works on Win11 22H2-25H2 (fully patched). Pretty cool seeing that system shell come in. 😎 Note - fails on 21H2. Seems like somewhere on 22H2, the CloudFiles key owner got set to the calling user, but on 21H2, it was set to Administrators.
8
34
4,546
Our team confirms the publicly released MiniPlasma exploit for CVE-2020-17103 can elevate a standard Windows user to SYSTEM on fully patched Windows 11 systems. In our testing, Application Allowlisting prevents execution of the exploit payload and remains one of the most effective mitigations against this class of attack. Until an official fix is available, organizations should monitor for attacks by configuring EDR to monitor for modifications to: \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps* and \Registry\User\.DEFAULT\Volatile Environment* The exploit targets the Windows Cloud Filter driver (cldflt.sys) and appears to revive a vulnerability originally reported in 2020. vimeo.com/1193389530
1
6
14
2,060
The core technique (what the PoC actually does):
1. Abuses Cloud Files policy keys (HKCU\Software\Policies\Microsoft\CloudFiles) with a volatile REG_OPTION_CREATE_LINK SymbolicLinkValue pointing to the real Policies\System key.
2. Uses SetEntriesInAcl TreeSetNamedSecurityInfo to grant Everyone GENERIC_ALL, then resets DACLs.
3. Repeatedly calls CfAbortOperation (cldapi.dll) to force re-initialization.
4. The result: when CTFMON later creates its section object, it lands in a location the low-privileged user can now influence.
1
1
4
1,673
From Document Management to AI-powered Generation and Processing, CloudFiles showcased end-to-end automation at #AgentforceTour NYC. Explore more: docs.cloudfiles.io/qU7Tpp8AD… #sponsored
3
680
CloudFiles is bringing End-to-End Document Automation to #AgentforceTour NYC. Manage, generate, and process documents with AI inside Salesforce. See it live: docs.cloudfiles.io/qU7Tpp8AD… #sponsored
6
788
cloudfiles-secure[.]io 178.215.236[.]119 app.cloudfiles-secure[.]io 188.119.113[.]59
2
3
9
4,590
13 Sep 2024
Thriving Startups on the Salesforce Platform!! Learn how startups like @AppEQai and @CloudFiles leverage AI to drive growth and innovation. Insights from founders & @SanketAtal of @SalesforceIN. Read more: livemint.com/ai/ai-in-action… Partner @salesforce #AI #Salesforce #Startups #Innovation #BusinessGrowth #MintAI
2
1,454
✨Platinum Sponsor Alert✨ Let's welcome @cloudfilesapp to #FLD24 as a Platinum Sponsor for this year's event! CloudFiles is an all-in-one solution for Document Management, combining Document Generation, Automation, and AI capabilities. Learn more: fldreamin.com/2024sponsors/2…
3
156
We had a blast at #SalesforceTour NYC! Thanks for visiting the CloudFiles booth to explore their document automation solutions for Salesforce. Schedule a personalized demo to see how @CloudFilesApp enhances your Salesforce experience. Book now: sforce.co/44sfkvc #ad
821
6 Mar 2024
When you realize you’ll never run out of space on your computer again thanks to Sync CloudFiles.
3
1
5
1,528
27 Feb 2024
Hydrate or dehydrate your documents with Sync CloudFiles beta for Windows. #Devjokes
1
4
1,519
HubSpot Email Attachment Tracking Dashboard for Marketers | Master HubSpot in 10mins with CloudFiles #PPCAdvertising #MicrosoftAds #PPCMarketing #PPCTips [Video] Welcome to our tutorial on maximizing the impact of your HubSpot email campaigns with… dlvr.it/T0fMtx

3
2
78
1 Dec 2023
#Cloud #CloudFiles Cloud file-sharing services linktr.ee/xq55cloud
10
42
221
26,810
🌟 Our webinar on Mastering Salesforce - SharePoint Integration with CloudFiles was a success! Thank you all for supporting us. Stay tuned for more enlightening sessions! Subscribe to our mailing list here to get updated with our next webinar - cloudfiles.io/webinars
2
264
#CloudFiles 🌩️🔮
7
10
845