Zero-Day Vulnerability ‘MiniPlasma’ Grants Attackers SYSTEM Privileges
A newly disclosed Windows zero-day vulnerability named ‘MiniPlasma’ allows attackers to gain SYSTEM-level privileges on fully patched Windows 11 systems.
- The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), a core component used by cloud synchronization services such as Microsoft OneDrive.
- Researchers released a public proof-of-concept (PoC) exploit, increasing the risk of real-world exploitation by threat actors and ransomware groups.
- The flaw enables a normal user account to escalate privileges without requiring administrator access, making it highly dangerous in enterprise environments.
- The exploit reportedly abuses:
  - Weak access validation
  - Registry interactions
  - Undocumented Windows APIs
  - Logic flaws in the cloud synchronization subsystem
How enterprises will address the risk
Researchers claim the same underlying weakness still exists and remains exploitable. The vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification.
The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE).
The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.
What makes the flaw notable is that the vulnerable component exists only within the WinRE image, not in standard Windows installations; an identical component appears in normal installations, but without the triggering functionality.
Microsoft has not publicly addressed the claim, has not issued a dedicated emergency patch, and has not confirmed whether MiniPlasma represents a new vulnerability class.
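The article names three components that make up the exposure surface: the Cloud Files Mini Filter Driver (cldflt.sys), the Windows Recovery Environment, and BitLocker. The following PowerShell triage script, added here and not taken from the article or from any published PoC, inventories those three on a host so an administrator can see whether the driver is present and loaded, whether WinRE is enabled, and what protectors guard the OS volume. It assumes an elevated prompt and an English-language `reagentc` output; it reports posture only and does not detect or confirm MiniPlasma.

```powershell
# Added triage script (not from the article). Inventories the components the
# article names: the Cloud Files minifilter (cldflt.sys), WinRE, and BitLocker.
# It reports exposure surface only; it does not detect or confirm MiniPlasma.
# Run from an elevated PowerShell prompt.

$report = [ordered]@{}

# 1. Is the Cloud Files Mini Filter driver present and running?
#    'CldFlt' is the registered service name of cldflt.sys.
$cld = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CldFlt'" -ErrorAction SilentlyContinue
$report['CldFlt present'] = [bool]$cld
$report['CldFlt state']   = if ($cld) { $cld.State }    else { 'n/a' }
$report['CldFlt path']    = if ($cld) { $cld.PathName } else { 'n/a' }

# Cross-check with the filter manager's view of loaded minifilters (fltmc needs admin).
$report['CldFlt loaded (fltmc)'] = [bool](fltmc filters 2>$null | Select-String -Pattern '^\s*CldFlt\b' -Quiet)

# 2. WinRE status: the article places the vulnerable component in the WinRE image.
#    The "Windows RE status:" line is parsed from English reagentc output (assumption).
$reInfo = reagentc /info 2>$null
$reMatch = $reInfo | Select-String -Pattern 'Windows RE status:\s*(\w+)' | Select-Object -First 1
$report['WinRE status'] = if ($reMatch) { $reMatch.Matches[0].Groups[1].Value } else { 'unknown' }

# 3. BitLocker posture on the OS volume; protector types matter for the
#    physical-access scenario the article describes.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$report['BitLocker protection'] = if ($bl) { $bl.ProtectionStatus } else { 'n/a' }
$report['BitLocker protectors'] = if ($bl) { ($bl.KeyProtector.KeyProtectorType -join ', ') } else { 'none/unknown' }

[pscustomobject]$report | Format-List
```

Hosts where `CldFlt` is present and loaded and WinRE is enabled match the configuration the article describes; that is a prompt to track vendor guidance and tighten physical-access and boot controls, not evidence of compromise.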
Sources: Windows MiniPlasma Zero-Day Exposes SYSTEM Access Risk