Canadian Cyber Security Journal
Filed under: Featured, TechTalk

Windows MiniPlasma Zero-Day: Unpatched PoC Gives SYSTEM Access on Fully Patched Windows 11 — What Canadian Organizations Must Do Now

A working exploit for an unpatched Windows local privilege escalation flaw is publicly available on GitHub as of May 18, 2026. Any standard Windows user account can be elevated to SYSTEM on fully patched Windows 11 — including systems running the May 2026 Patch Tuesday updates. Microsoft has not acknowledged the issue or published an advisory.

What Happened

A security researcher known as Nightmare-Eclipse — the same researcher behind the YellowKey and GreenPlasma BitLocker zero-days disclosed in May 2026 — published a proof-of-concept exploit and source code on GitHub on May 13. The exploit, dubbed MiniPlasma, targets the cldflt.sys Cloud Filter driver and abuses how Windows handles the CfAbortHydration API in combination with undocumented registry key creation paths.

The researcher claims MiniPlasma is a regression of a vulnerability originally reported to Microsoft in 2020 and tied to CVE-2020-17103, which Microsoft declared fixed in December 2020. Testing on a fully patched Windows 11 Pro system running May 2026 Patch Tuesday updates confirmed the exploit opens a command prompt with SYSTEM privileges from a standard user account. The exploit does not appear to work on Windows 11 Insider Preview Canary builds, suggesting Microsoft may have made relevant changes to unreleased code.

Microsoft has published no advisory, patch, or acknowledgment of the issue as of publication. BleepingComputer and The Hacker News both confirmed the exploit works as described.

Why This Matters for Canadian Organizations

Windows is the dominant operating system across Canadian federal and provincial government, healthcare, financial services, and enterprise environments. An unpatched local privilege escalation with a public proof-of-concept is a direct accelerant for ransomware deployments, lateral movement, and credential harvesting campaigns. An attacker who gains a foothold through phishing, a web application vulnerability, or any other initial access vector can immediately use MiniPlasma to escalate to SYSTEM — bypassing endpoint detection rules tuned to block SYSTEM-level writes from known attack paths.

This flaw is especially relevant to Canadian organizations given the active threat landscape. CCCS advisories and the national cyber threat assessment have repeatedly flagged ransomware groups and state-sponsored actors targeting Canadian critical infrastructure, healthcare, and government. With no fix available, a public SYSTEM-level PoC that works on every current Windows machine accelerates the post-exploitation phase of any intrusion. Under PIPEDA, a breach resulting from failure to apply available protections — even in the absence of a vendor patch — carries compliance exposure once the issue becomes publicly known.

Windows Insider Preview and commercial patch timelines are separate, meaning organizations relying on standard Windows Update are not protected by changes already shipping in Canary builds.

What to Do

There is no Microsoft patch available. In the interim, security teams should prioritize the following: audit Windows environments for unauthorized local administrator or SYSTEM-level processes; tighten endpoint detection and response rules to flag cldflt.sys-related process creation chains and undocumented CfAbortHydration API calls; restrict interactive logon rights to reduce the pool of accounts from which a low-privileged attacker can trigger local execution; and monitor the CCCS advisory feed and the Microsoft Security Response Center for a patch.

Organizations running Windows Defender or Microsoft Sentinel should check whether detection content for MiniPlasma is available and deploy it immediately. Apply the May 2026 Patch Tuesday updates if not already done — they address other critical flaws even though MiniPlasma remains unpatched.
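The audit step above can be started with a short script. The following PowerShell is an added example written for this article; it is not code from the article, from Microsoft, or from the researcher's repository. It checks whether the Cloud Files minifilter (cldflt) is loaded on the host, then hunts the Security log's process-creation events (ID 4688) for the footprint a SYSTEM command prompt spawned from a standard user account leaves behind: the creating account (Subject) differs from the account the new process runs as (Target), and the target is LocalSystem. It assumes an elevated PowerShell session on Windows 10/11 with "Audit Process Creation" enabled; the `$Hours` window and the allow-list of service SIDs are this example's own choices and should be tuned to the environment.

```powershell
<#
  Added example (not the article's or the researcher's code).
  1. Reports whether the cldflt minifilter driver is currently loaded.
  2. Flags 4688 events where a non-service account created a process
     that runs as SYSTEM (S-1-5-18): the creator/target mismatch typical
     of a local privilege escalation that pops a SYSTEM shell.
  Assumes: elevated shell, Windows 10/11, 4688 auditing enabled.
#>
param([int]$Hours = 24)   # look-back window; example's own default

# 1. Minifilter inventory: `fltmc filters` lists loaded filter drivers by name.
$cldfltLoaded = [bool]((fltmc filters) -match '^\s*cldflt\b')
Write-Host "cldflt minifilter loaded: $cldfltLoaded"

# 2. Hunt 4688 for "standard user creates SYSTEM process".
# Well-known service SIDs whose process creations are routine and excluded.
$serviceSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # SYSTEM, LocalService, NetworkService
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    # Subject* = account that created the process; Target* = account it runs as.
    # S-1-5-80-* are per-service virtual accounts, also excluded as creators.
    if ($data['TargetUserSid'] -eq 'S-1-5-18' -and
        $data['SubjectUserSid'] -notin $serviceSids -and
        $data['SubjectUserSid'] -notlike 'S-1-5-80-*') {
        [pscustomobject]@{
            Time          = $ev.TimeCreated
            Creator       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            NewProcess    = $data['NewProcessName']
            ParentProcess = $data['ParentProcessName']
            ProcessId     = $data['NewProcessId']
        }
    }
}

if ($findings) {
    Write-Host "Non-service accounts that created SYSTEM processes in the last $Hours h:" -ForegroundColor Yellow
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No non-service account created a SYSTEM process in the last $Hours h."
}
```

Run it from an elevated prompt, optionally with `-Hours 72` to widen the window. The 4688 heuristic catches the common case where the low-privileged process itself launches the SYSTEM child; an escalation that instead coerces an existing SYSTEM service into spawning the shell will show SYSTEM as the creator, so the parent-process column and the cldflt.sys-related process chains mentioned above still need their own EDR rules. Legitimate software that creates SYSTEM processes from a user token will surface here too, so review findings before treating them as incidents.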

Source: BleepingComputer | The Hacker News
