MiniPlasma Windows Cloud Filter LPE exploitation

Summary

MiniPlasma is the public name Kaspersky used for a critical Windows local privilege-escalation exploit that abuses the Cloud Filter driver / HsmOsBlockPlaceholderAccess path. Kaspersky says the technique resembles CVE-2020-17103, a Windows Cloud Files Mini Filter Driver elevation-of-privilege issue that was believed to have been patched in 2020, but the newly published exploit path still affects fully updated Windows 11, Windows Server 2022, and Windows Server 2025 systems at the time of Kaspersky's June 2026 writeup.

Kaspersky attributes the public exploit release to the anonymous researcher Nightmare Eclipse / Chaotic Eclipse, who reportedly released six Windows vulnerabilities with ready-to-use exploits without prior Microsoft coordination. Kaspersky cites Huntress Labs reporting that attacks exploiting earlier vulnerabilities from the same public release set had been observed in the wild since 2026-04-10, and says Microsoft planned a MiniPlasma patch for 2026-06-09.

Tags

• ops
• operations
• Windows
• MiniPlasma
• Cloud Filter driver
• Cloud Files Mini Filter Driver
• CVE-2020-17103
• local privilege escalation
• LPE
• zero-day
• public exploit
• SYSTEM
• active exploitation
• Kaspersky

Why this matters

• The exploit is a local privilege-escalation path to SYSTEM, so it is most dangerous as a second-stage primitive after phishing, malware execution, RMM abuse, web-shell access, or any other low-privilege foothold.
• The reported affected set includes current enterprise platforms, not only legacy systems: Windows 11 plus Windows Server 2022 and 2025.
• Public ready-to-use exploit code compresses the defender response window; even if MiniPlasma itself was pending a Microsoft patch, related vulnerabilities from the same release set were reportedly already exploited.
• The most durable defensive value is behavioral: registry symbolic-link creation under Cloud Files policy paths, suspicious wermgr.exe placement, and Windows Error Reporting scheduled-task execution are more useful than waiting for a final CVE label.

Reported exploitation shape

• Bug class / component: Kaspersky ties MiniPlasma to the Windows Cloud Filter driver and the HsmOsBlockPlaceholderAccess routine, with similarity to CVE-2020-17103.
• Privilege outcome: local elevation to SYSTEM.
• Public-release context: six Windows vulnerabilities with ready-to-use exploits were publicly released by Nightmare Eclipse / Chaotic Eclipse without coordinated disclosure, according to Kaspersky.
• Patch window: Kaspersky reported on the flaw before Microsoft's planned 2026-06-09 patch date.
• Detection anchors: Kaspersky's detections focus on registry symbolic links, wermgr.exe appearing or executing from non-standard paths, system-binary imitation outside normal directories, and artifacts from James Forshaw's NtApiDotNet library used by the analyzed PoC.

Defender heuristics

• Prioritize the June 2026 Microsoft security update for Windows endpoints and servers once available; treat externally reachable workloads, jump hosts, build runners, and RMM-managed hosts as high priority because LPE turns low-privilege code execution into full host control.
• Hunt Windows registry telemetry for symbolic-link creation under HKU\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps, especially values or details containing SymbolicLinkValue.
• Monitor Task Scheduler Operational Event ID 110 for execution of \Microsoft\Windows\Windows Error Reporting\QueueReporting near suspicious process, registry, or file events.
• Hunt process creation for wermgr.exe outside standard Windows paths such as C:\Windows\System32\, C:\Windows\SysWOW64\, C:\Windows\WinSxS\, C:\Windows\servicing\, C:\$WINDOWS.~BT\, and C:\Windows\SoftwareDistribution\.
• Investigate processes spawned by wermgr.exe, especially child processes launched from user-writable, temporary, download, build, or service working directories.
• Look for system binaries or lookalike filenames created or executed from non-standard locations, and correlate with recent low-privilege initial-access events.
• If exploitation is suspected, preserve registry hives, Windows Event Logs, EDR process trees, scheduled-task logs, and file-system metadata before remediation.

Related pages

• PAN-OS GlobalProtect CVE-2026-0257 exploitation
• Android Framework CVE-2025-48595 exploitation
• Linux Kernel CVE-2022-0492 cgroup release_agent exploitation
• Microsoft Defender CVE-2026-41091 / CVE-2026-45498 exploitation

Sources

• Kaspersky Securelist: https://securelist.com/tr/mini-plasma-vulner/120099/
• NVD CVE-2020-17103 record: https://nvd.nist.gov/vuln/detail/CVE-2020-17103