Windows cldflt.sys Zero-Day: MiniPlasma Kernel LPE
An unpatched local privilege escalation (LPE) zero-day named 'MiniPlasma' has been identified affecting the Windows Cloud Files Mini Filter Driver (cldflt.sys), enabling pre-authenticated local users to obtain root/SYSTEM-level execution; this article provides registry audits and event log hunting scripts.
On this page 0% read
Executive Summary
An unpatched local privilege escalation (LPE) zero-day vulnerability, publicly tracked as “MiniPlasma”, has been disclosed affecting the Windows Cloud Files Mini Filter Driver (cldflt.sys) Chaotic Eclipse.
The exploit enables a pre-authenticated, low-privilege local user to execute arbitrary shell commands with elevated SYSTEM privileges, bypassing all current Windows 11 and Windows Server 2022 access controls. The threat actor/security researcher known as Chaotic Eclipse released functional proof-of-concept exploit code on May 15, 2026. This post details the technical mechanics, blast radius, and a robust Python script to detect driver configuration anomalies and local exploit signatures.
Key Facts
vulnerability_id: "MiniPlasma"
cve: "pending_microsoft_assignment"
vendor: "Microsoft"
product: "Windows Cloud Files Mini Filter Driver (cldflt.sys)"
first_disclosed: "2026-05-15"
vulnerability: "Local privilege escalation via Windows cldflt.sys driver memory corruption"
cwe: ["CWE-269", "CWE-119", "CWE-787"]
affected_products: ["Windows 10", "Windows 11", "Windows Server 2019", "Windows Server 2022"]
driver_file: "cldflt.sys"
exploitation_status: "active_exploit_publicly_available"
zero_day_status: "confirmed_unpatched_zero_day"Source Confidence & Evidence Mapping
- confirmed: Chaotic Eclipse repository releases fully functional LPE exploit code targeting
cldflt.syskernel routines on Windows 11 Chaotic Eclipse. - confirmed: Multiple independent security research reports verify unauthenticated LPE to
NT AUTHORITY\SYSTEMon fully-patched Windows Server and desktop environments Malwarebytes. - unclear: Microsoft has acknowledged early triage reports, but an official CVE identifier and patch release timeline remain unconfirmed as of late May 2026.
Impact Determination
| Classification | Criteria | Required evidence | Remediation trigger | Closure condition |
|---|---|---|---|---|
| Confirmed compromise | System event logs, process creation logs, or kernel telemetry show unexpected child processes spawned by driver threads or cldflt.sys interfaces with SYSTEM credentials. | Process execution telemetry showing highly privileged shells (cmd.exe, powershell.exe) with parent process execution context linked to the Cloud Files service. | Quarantine the host, initiate incident response, and capture active memory dumps. | Perform a full system wipe, rotate compromised host credentials, and apply future official Microsoft security updates. |
| Presumed exposed | The firewall or endpoint runs a standard Windows installation with cldflt.sys loaded and active in the mini-filter registry space. | Registry query indicating the CldFlt service is set to start automatically (Start = 2 or Start = 1). | Restrict local non-admin login permissions and implement strict endpoint detection rules. | The official Microsoft patch is successfully deployed and the driver is updated. |
| Potentially exposed | A system runs Windows desktop or server OS, but the active state of the Cloud Files driver has not been audited. | Asset records identifying active Windows hosts without registry start-type verification. | Execute the registry and driver load audit script. | Confirm if the driver is not loaded, disabled, or if the asset has been updated. |
| Not exposed | The cldflt.sys driver service is completely disabled or uninstalled. | Registry verify showing CldFlt service Start type is disabled (Start = 4). | None for this zero-day. | Negative configuration verification is recorded. |
Timeline
- 2026-05-15: Researcher Chaotic Eclipse releases functional zero-day POC code for MiniPlasma on public repositories Chaotic Eclipse.
- 2026-05-20: Working exploits circulate in active hacker forums and dark web channels Malwarebytes.
- 2026-05-26: Microsoft continues triage analysis for a patch release under a pending CVE assignment.
What Happened
The MiniPlasma exploit targets input buffer parsing within the kernel filter callbacks inside cldflt.sys. By initiating custom I/O Control (IOCTL) codes via the Cloud Files API interface, a low-privilege user causes an out-of-bounds write inside the driver’s kernel pool memory. This enables the attacker to overwrite target thread tokens and execute a spawned sub-process with NT AUTHORITY\SYSTEM privileges on the affected host.
Technical Analysis
The Cloud Files driver is loaded by default in standard Windows 10/11 installations to facilitate cloud-backed file access (OneDrive, etc.). Because the driver runs in kernel space (ring 0), any memory corruption inside its IOCTL routines immediately compromises the host OS kernel.
Affected Assets and Blast Radius
asset_selectors:
- "cldflt.sys"
- "CldFlt"
- "Windows Cloud Files"
highest_value_assets:
- "Windows endpoints running with local non-admin developer accounts"
- "Active Directory domain-joined Windows Server instances exposing terminal services"
credentials_and_data_at_risk:
- "Host-level system administrative access"
- "Cached Active Directory domain credentials"
- "Local registry secrets and SAM hashes"Indicators And Detection Selectors
vulnerabilities: ["MiniPlasma"]
driver_identifiers: ["cldflt.sys"]
telemetry_selectors:
- "CldFlt"
- "cldflt.sys"
- "miniplasma"
- "Chaotic Eclipse"Detection and Hunting
This hunting script audits Windows registry exports (or live registry hives if run locally) and system event logs to check if the Cloud Files driver is active, and scans for known MiniPlasma process spawning signatures:
#!/usr/bin/env python3
import json
import os
import re
import sys
from pathlib import Path
ROOT = Path(os.environ.get("ROOT", sys.argv[1] if len(sys.argv) > 1 else ".")).resolve()
TELEMETRY_DIR = Path(os.environ.get("TELEMETRY_DIR", "telemetry-export")).resolve()
OUT = Path(os.environ.get("OUT", "hp-windows-miniplasma-scope")).resolve()
VULN_ID = "MiniPlasma"
DRIVER_NAME = "cldflt.sys"
def read_text(path):
try:
return path.read_text(encoding="utf-8", errors="ignore")
except Exception:
return ""
OUT.mkdir(parents=True, exist_ok=True)
findings = {
"driver_status": [],
"exploit_indicators": []
}
# 1. Audit Registry Exports for CldFlt Driver Status
# We search for registry exports containing the service registration for CldFlt
for reg_file in ROOT.rglob("*.reg"):
content = read_text(reg_file)
if "Services\\CldFlt" in content:
# Check start type: Start = 2 (Auto), 1 (System), 3 (Demand), 4 (Disabled)
start_match = re.search(r'"Start"=dword:0000000([1-4])', content)
start_type = start_match.group(1) if start_match else "unknown"
status_map = {
"1": "System Start (Enabled)",
"2": "Automatic Start (Enabled)",
"3": "Demand Start (Exposed)",
"4": "Disabled (Protected)"
}
findings["driver_status"].append({
"file": str(reg_file),
"service": "CldFlt",
"start_value": start_type,
"status": status_map.get(start_type, "unknown"),
"exposed": start_type in {"1", "2", "3"}
})
# 2. Audit Event Logs / Telemetry Exports for Exploit Signatures
# Target anomalies: process creations by services or unexpected parents containing 'miniplasma'
# Or Windows System Event Log showing cldflt.sys driver crashes
for path in ROOT.rglob("*"):
if not path.is_file() or any(part in {".git", "node_modules"} for part in path.parts):
continue
if path.suffix in {".log", ".txt", ".json", ".evtx", ".csv"}:
body = read_text(path)
# Search for explicit 'miniplasma' execution strings
mp_match = re.search(r"\bminiplasma\b", body, re.IGNORECASE)
# Search for driver crash or system crash signatures linked to cldflt.sys
crash_match = re.search(r"cldflt\.sys.*error|cldflt\.sys.*failed|driver.*cldflt\.sys", body, re.IGNORECASE)
# Search for suspicious SYSTEM shell creations with empty or service parent contexts
shell_match = re.search(r"parent_process.*services\.exe.*cmd\.exe.*user.*SYSTEM", body, re.IGNORECASE)
if mp_match or crash_match or shell_match:
findings["exploit_indicators"].append({
"file": str(path),
"indicators_found": [
"MiniPlasma binary match" if mp_match else None,
"Cloud Files driver exception log" if crash_match else None,
"Suspicious SYSTEM shell execution" if shell_match else None
],
"details": (mp_match.group(0) if mp_match else "") + (crash_match.group(0) if crash_match else "")
})
findings["exploit_indicators"] = [x for x in findings["exploit_indicators"] if any(x["indicators_found"])]
with open(OUT / "findings.json", "w") as f:
json.dump(findings, f, indent=2)
print(f"[{VULN_ID} Audit Complete] Findings saved to: {OUT / 'findings.json'}")Remediation & Credential Rotation Plan
Containment & Mitigation
As there is no official patch available from Microsoft:
- Disable the Cloud Files Driver: If the OneDrive or Cloud Files syncing feature is not strictly required on servers or highly secure workstations, disable the driver immediately via the registry:
- Command:
reg add HKLM\System\CurrentControlSet\Services\CldFlt /v Start /t REG_DWORD /d 4 /f - Reboot the host to unload
cldflt.sysfrom kernel space.
- Command:
- Restrict Local Execution: Block the execution of unverified binaries in user-writable directories (e.g.
C:\Users\*\AppData\Local\Temp) using AppLocker or Software Restriction Policies.
Eradication & Recovery
- Apply Future Microsoft Patches: Monitor Microsoft’s Security Update Guide closely for the upcoming
cldflt.sysdriver vulnerability patch. - Rotate Exposed Secrets: If a host is confirmed compromised via the MiniPlasma exploit, assume all local administrative credentials and active domain session tokens are stolen. Perform a full credential rotation across the domain for any accounts exposed to the endpoint.