MiniPlasma 0-Day: Windows SYSTEM Privilege Escalation via cldflt.sys
- [01] Attackers can gain full SYSTEM privileges on fully patched Windows installations, enabling total host takeover and subsequent lateral movement.
- [02] All Windows versions utilizing the cldflt.sys Cloud Files Mini Filter Driver are vulnerable, regardless of current patch levels.
- [03] Security teams must implement strict monitoring for unauthorized driver interactions and prepare to apply emergency patches upon release from Microsoft.
A high-impact Zero-Day vulnerability, codenamed MiniPlasma, has been disclosed by security researcher Chaotic Eclipse. This flaw enables Privilege Escalation to the SYSTEM level on fully patched Windows environments, bypassing current security mitigations. According to The Hacker News, the researcher has released a proof-of-concept (PoC) demonstrating the exploit’s efficacy, raising the immediate threat level for enterprise environments.
Analyzing the Windows Cloud Files Mini Filter Driver Vulnerability
The MiniPlasma exploit targets cldflt.sys, which is the Windows Cloud Files Mini Filter Driver. This specific driver is a core component of how Windows handles cloud-supported files, including services like OneDrive and other third-party cloud storage providers. It functions within the Windows Filter Manager framework, intercepting I/O requests to manage placeholder files and on-demand synchronization.
Because mini-filter drivers operate in kernel mode, any flaw that allows for memory corruption or improper handling of I/O Request Packets (IRPs) can lead to a complete compromise of the operating system. In the case of MiniPlasma, the vulnerability allows a low-privileged user to execute code with SYSTEM-level authority. This level of access is the highest possible on a Windows machine, granting an attacker the ability to disable security software, access sensitive data, and perform Lateral Movement across the network.
This discovery follows previous research by Chaotic Eclipse into similar flaws, such as YellowKey and GreenPlasma. The continued focus on cldflt.sys suggests a systemic weakness in how the Windows kernel handles cloud-integrated file systems. Unlike a typical CVE that might be addressed by the previous month’s cumulative updates, MiniPlasma remains unpatched, leaving systems exposed until Microsoft issues an emergency fix.
How to Detect cldflt.sys Exploit Activity
Detection is the primary line of defense while waiting for official remediation. SOC teams should prioritize detecting cldflt.sys exploit attempts by monitoring for anomalous kernel-mode transitions or suspicious calls to the Filter Manager.
One effective detection approach is monitoring for unexpected processes spawned by system services or high-privilege drivers. Additionally, EDR solutions should be configured to alert on unauthorized attempts to interact with cldflt.sys via unusual APIs. Analysts should also look for IoC patterns associated with Chaotic Eclipse’s PoC, specifically process hollowing or memory injection techniques that originate from user-mode cloud storage clients.
Assessing the MiniPlasma Zero-Day Remediation Steps
Until an official patch is released, administrators should take interim remediation steps to reduce their attack surface. Since the flaw resides in a driver required for cloud file functionality, simply disabling the driver may break critical business workflows such as OneDrive syncing. However, in high-security environments, the following actions are recommended:
- Restrict Local Admin Access: Ensure the principle of least privilege is strictly enforced. While this is a Privilege Escalation flaw, limiting the initial entry points for attackers remains a fundamental defense.
- Enhanced SIEM Monitoring: Feed all EDR telemetry into a SIEM to correlate driver interactions with other suspicious behaviors, such as the use of MITRE ATT&CK techniques like T1068 (Exploitation for Privilege Escalation).
- Isolate High-Value Assets: For servers that do not require cloud file synchronization, consider disabling the Cloud Files Mini Filter Driver service to eliminate the vector entirely.
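As an added example (not code from the researcher, The Hacker News or Microsoft), the following PowerShell script inventories the Cloud Files mini-filter on a host and, only when explicitly asked, applies the third recommendation above. It assumes the driver's service name is CldFlt and its image lives at System32\drivers\cldflt.sys; the -Disable switch is a name chosen here, and the script must run from an elevated prompt.

```powershell
# Added example: report the state of the Cloud Files mini-filter (cldflt.sys)
# and optionally disable it on hosts that do not use cloud-backed placeholder files.
# Assumptions: service name CldFlt, image %SystemRoot%\System32\drivers\cldflt.sys.
param(
    [switch]$Disable   # report-only by default; hardening only when requested
)

$driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'

# 1. Record the driver version so the host can later be compared against a fixed build.
if (Test-Path $driverPath) {
    $ver = (Get-Item $driverPath).VersionInfo
    Write-Output ("cldflt.sys present: file version {0}" -f $ver.FileVersion)
} else {
    Write-Output "cldflt.sys not found on this host."
}

# 2. Is the mini-filter currently attached? fltmc lists loaded filters by name.
$loaded = (& fltmc.exe filters 2>$null) -match '^\s*CldFlt\b'
Write-Output ("CldFlt loaded in Filter Manager: {0}" -f [bool]$loaded)

# 3. Service state and start mode, taken from the driver's service record.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CldFlt'"
if ($drv) {
    Write-Output ("CldFlt driver state: {0}, start mode: {1}" -f $drv.State, $drv.StartMode)
}

# 4. A running cloud client means this host still depends on the driver.
$cloudClients = Get-Process -Name OneDrive -ErrorAction SilentlyContinue
if ($cloudClients) {
    Write-Warning "OneDrive is running on this host; disabling CldFlt would break file sync."
}

# 5. Optional hardening for servers that never sync cloud-backed files.
if ($Disable) {
    if ($cloudClients) {
        Write-Warning "Refusing to disable CldFlt while a cloud storage client is running."
        return
    }
    # Stop the driver from loading at the next boot. A reboot is needed to unload it,
    # since an attached mini-filter cannot be safely detached while handles are open.
    & sc.exe config CldFlt start= disabled
    Write-Output "CldFlt start type set to Disabled; reboot to unload the driver."
}
```

Run it without arguments across a fleet to build an inventory of driver versions and load state; pass -Disable only on hosts confirmed not to need cloud file synchronization.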
As the researcher has made the PoC public, the likelihood of integration into automated exploit kits or adoption by an APT group is high. Immediate vigilance is required to prevent widespread exploitation of this kernel-level flaw.