
May 19, 2026 · 7 min read

Microsoft Patched This Windows Bug in 2020—a Researcher Just Proved the Same Code Path Still Hands Out SYSTEM on a Fully Patched Windows 11 in May 2026

Five and a half years after Microsoft told Google Project Zero the issue was fixed, the same bug in cldflt.sys is still present. The proof of concept is on GitHub. A standard user account is all you need to walk out with a SYSTEM shell.


What Happened

On May 13, 2026, a researcher publishing under the handle Nightmare-Eclipse dropped a weaponized proof of concept on GitHub for a Windows local privilege escalation they named MiniPlasma. BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the May 2026 Patch Tuesday updates and confirmed it works. Running as a standard user account, the proof of concept opens a command prompt running as NT AUTHORITY\SYSTEM.

The flaw is not in a fringe component. It is in cldflt.sys, the Windows Cloud Files Mini Filter driver. That driver is the kernel side of OneDrive's "Files On Demand" feature: the placeholder file mechanism that lets a Windows machine display a file as if it is local even when its content is sitting in OneDrive's cloud storage. The driver ships with every modern Windows installation and is loaded by default, whether or not anyone has signed into OneDrive or opened a OneDrive folder, so the attack surface is present on machines that have never synced a file. To check your own image, run fltmc filters from an elevated prompt and look for CldFlt in the list of loaded filters.

The 2020 Backstory

The vulnerability was first reported in September 2020 by James Forshaw of Google Project Zero. Microsoft assigned it CVE-2020-17103 and shipped a fix in the December 2020 Patch Tuesday. Forshaw's writeup at the time focused on the HsmOsBlockPlaceholderAccess routine and an undocumented CfAbortHydration API that the driver exposes to user mode. The original bug allowed a low privilege caller to manipulate registry key creation through the placeholder access path and escalate.

Nightmare-Eclipse's claim—and the part that turned this from a research curiosity into a live SOC problem—is that "the exact same issue ... is actually still present, unpatched." The December 2020 fix evidently closed one path into the vulnerable code but did not address the underlying behavior of the routine. When the researcher exercised the same logic through a slightly different API call sequence, the kernel was happy to oblige. The end state is what the 2020 bug produced: SYSTEM level write access from a standard user.

This is the worst class of regression. Microsoft did not ship a new feature that reintroduced the flaw. The original fix was incomplete from the start, and nobody caught it for five years.

What the Exploit Actually Does

The technical chain, distilled from BleepingComputer's reproduction:

  1. The exploit creates a placeholder file in a directory under the user's control. Placeholders are the OneDrive Files On Demand stub representation—small metadata files that pretend to be the full thing.
  2. It then invokes CfAbortHydration against the placeholder. Hydration is the OneDrive term for downloading the actual file content to fill the placeholder. Aborting it mid hydration leaves the driver in a state where its access control assumptions are wrong.
  3. The driver, while in the wrong state, processes a follow up request through HsmOsBlockPlaceholderAccess that ultimately creates or modifies a registry key in HKLM space—the system level registry hive—even though the caller has no permission to write there.
  4. The registry key payload is shaped to plant a value that the next privileged process to consult that key will read as a command to run. The proof of concept demonstrates a clean path from the registry write to a SYSTEM cmd.exe.

From an attacker's perspective, this is the perfect post initial access tool. Anything that gets even a low privilege foothold on a Windows machine—a phishing dropper, a malicious USB autorun, a compromised IDE plugin—can now escalate to SYSTEM with publicly available code. The proof of concept is short enough to embed inline in a larger payload, which is what attackers in the recent npm supply chain attacks are already known to do.

Why Microsoft Has Not Patched It Yet

As of publication, Microsoft has not issued a CVE for MiniPlasma. May's Patch Tuesday fell on May 12, one day before the proof of concept was published, so the monthly window had just closed. The next Patch Tuesday is June 9, 2026, which is the earliest realistic date for a full fix. Microsoft could ship an out of band update for cldflt.sys, but the company has shown a strong preference for keeping kernel mini filter driver changes inside the regular monthly cadence to avoid breaking OneDrive sync at scale.

The researcher's choice to skip coordinated disclosure—dropping a working exploit before reporting to Microsoft, as far as the public record shows—will reignite the same debate the security community has had after every researcher who decided that quiet disclosure was not getting results. The defensible argument is that the original 2020 patch was supposed to fix this, and waiting for Microsoft to fix it correctly in 2026 puts the burden on defenders to compensate for a vendor that did not check its own work. The counterargument is that the population of attackers who can weaponize the proof of concept is now substantially larger than the population of defenders who can mitigate it in the window before the patch.

What Defenders Can Actually Do This Week

There is no patch. The mitigations are all imperfect.

  • Disable the Cloud Files Mini Filter driver where it is not needed. The driver is required for OneDrive Files On Demand. On servers, build agents, and developer workstations that do not use OneDrive sync, it can be unloaded with fltmc unload cldflt from an elevated prompt; confirm with fltmc filters, which should no longer list CldFlt. An fltmc unload lasts only until the next reboot, so to keep the driver off you also need to disable the CldFlt driver service and push that change through configuration management. This is the cleanest mitigation but breaks OneDrive on workstations.
  • Block known proof of concept binaries by hash. The Nightmare-Eclipse proof of concept compiles to a small executable, and EDR and AV vendors are publishing signatures for it. Make sure your endpoint vendor's signature feed is current and that the rule set covers both the published binary and the typical reflective loader variants. Treat hash blocking as a speed bump rather than a control: a recompile with a changed string or compiler flag yields a new hash, so behavioral rules matter more than the file hash.
  • Hunt for unexpected use of the Cloud Files API in process telemetry. Most Windows applications never touch the API directly; the OneDrive client is the expected caller, and explorer.exe often is as well. Ordinary EDR telemetry will not show a CfAbortHydration call by name, so use the proxies it does record: which processes load cldapi.dll (the user mode library behind the Cloud Files API), and which processes create placeholder files in user-writable directories. Loads by any other process, especially short lived ones spawned by a user mode parent, are worth investigating. Baseline before alerting; explorer.exe and the OneDrive client will show up legitimately.
  • Restrict where standard users can run and write. The exploit needs a placeholder somewhere the driver will accept it and a binary to execute. Application allow listing (WDAC or AppLocker) stops the proof of concept executable from running at all unless it is signed by a publisher you trust; NTFS ACLs limit where standard users can create files. Be realistic about the second half: step 1 above creates the placeholder in a directory the user already controls, so file system restrictions narrow the attacker's options rather than close them.
  • Push the assumption all the way through your phishing posture. If MiniPlasma is one chain in a phishing dropper's playbook, then any successful phishing click on a corporate workstation is now reasonably presumed to end in SYSTEM. That should change how aggressively containment plays out after the initial detection.
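The checks from the first and third bullets above, as an added PowerShell example that is not part of the original article and not code from the researcher's repository. Get-CldFltExposure reports whether CldFlt is loaded, its start mode, and whether the OneDrive client is running on the host, and with -Unload performs the fltmc mitigation (non-persistent, and it breaks Files On Demand). Find-UnexpectedCldApiLoad runs the hunt over Sysmon Event ID 7 image load records, flagging any process outside an expected-loader allowlist that loads cldapi.dll. The allowlist, the Sysmon dependency and the helper names are assumptions made for this example; the sample records at the bottom are constructed, not real telemetry.

```powershell
# Added example: defender-side checks for the cldflt.sys exposure. Not from the article or the PoC repo.
# Run from an elevated PowerShell 5.1 or 7 session on the host being assessed.

function Test-CldFltLoaded {
    # fltmc filters prints a table of loaded minifilters; the Cloud Files filter appears as CldFlt.
    [bool]((& fltmc.exe filters 2>$null) -match '^\s*CldFlt\b')
}

function Get-CldFltExposure {
    [CmdletBinding()]
    param([switch]$Unload)

    $driver          = Get-CimInstance Win32_SystemDriver -Filter "Name='CldFlt'" -ErrorAction SilentlyContinue
    $oneDriveRunning = [bool](Get-Process -Name OneDrive -ErrorAction SilentlyContinue)
    $result = [pscustomobject]@{
        Loaded          = Test-CldFltLoaded
        StartMode       = if ($driver) { $driver.StartMode } else { 'unknown' }
        OneDriveRunning = $oneDriveRunning
        Unloaded        = $false
    }

    if ($Unload -and $result.Loaded) {
        if ($oneDriveRunning) {
            Write-Warning 'OneDrive is running on this host; unloading CldFlt will break Files On Demand.'
        }
        # Runtime unload only: this does not survive a reboot. Persistent disablement is a separate,
        # change-controlled step (disable the CldFlt driver service) and is deliberately not automated here.
        & fltmc.exe unload cldflt | Out-Null
        # Re-check instead of trusting the exit code; some filters refuse to unload.
        $result.Unloaded = -not (Test-CldFltLoaded)
    }
    return $result
}

function Get-SysmonImageLoads {
    # Sysmon Event ID 7 = image loaded. Flatten the two fields the hunt needs plus the timestamp.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                 -FilterXPath '*[System[EventID=7]]' -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $d['Image']; ImageLoaded = $d['ImageLoaded'] }
        }
}

function Find-UnexpectedCldApiLoad {
    [CmdletBinding()]
    param(
        # Objects with Time, Image (the loading process) and ImageLoaded (the DLL path) properties.
        [Parameter(Mandatory)][object[]]$Records,
        # Assumption: starting allowlist. Baseline your own fleet; other legitimate loaders may exist.
        [string[]]$ExpectedLoaders = @('\OneDrive.exe', '\explorer.exe')
    )
    foreach ($r in $Records) {
        # cldapi.dll is the user mode library that exposes the Cloud Files API to applications.
        if ($r.ImageLoaded -notmatch '\\cldapi\.dll$') { continue }
        $expected = $false
        foreach ($e in $ExpectedLoaders) {
            if ($r.Image -like "*$e") { $expected = $true; break }
        }
        if (-not $expected) { $r }
    }
}

# Constructed sample records (not real telemetry) so the hunt logic can be exercised offline.
$sample = @(
    [pscustomobject]@{ Time = '2026-05-14T09:01:00'; Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe'; ImageLoaded = 'C:\Windows\System32\cldapi.dll' }
    [pscustomobject]@{ Time = '2026-05-14T09:02:10'; Image = 'C:\Users\alice\Downloads\build.exe';                           ImageLoaded = 'C:\Windows\System32\cldapi.dll' }
    [pscustomobject]@{ Time = '2026-05-14T09:02:11'; Image = 'C:\Users\alice\Downloads\build.exe';                           ImageLoaded = 'C:\Windows\System32\kernel32.dll' }
)
Find-UnexpectedCldApiLoad -Records $sample | Format-Table Time, Image, ImageLoaded

# Against live telemetry, then the exposure check (add -Unload only on hosts that do not need OneDrive):
# Find-UnexpectedCldApiLoad -Records (Get-SysmonImageLoads) | Format-Table Time, Image
# Get-CldFltExposure
```

Against the constructed sample, only the build.exe record that loaded cldapi.dll comes back; the OneDrive client load is on the allowlist and the kernel32.dll load is ignored. The hunt is a proxy, not proof: a process that loads cldapi.dll may be doing ordinary placeholder work, and a process that never loads it could still reach the driver another way, so pair it with the process lineage and the placeholder creation telemetry your EDR records.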

The Bigger Pattern

MiniPlasma is the third Windows escalation chain published with a working exploit and no patch since the start of 2026. The same author who dropped three Defender zero days in 13 days last month wrote that the cadence of patches "is not keeping up with the research community's ability to find new bugs in old code." That observation now applies to old bugs in old code that were supposed to be fixed.

For organizations running Windows fleets at scale, the operational implication is that the canonical advice—"keep patches current"—has gotten less protective. Patches are still necessary. They are no longer sufficient. The next quarter of incident response work is going to be defined by post exploitation tooling against fully patched hosts, and the discipline around least privilege configuration, EDR coverage, and incident response timing matters more than the patch level does.

The bug is twenty one years younger than the FSB tooling we covered yesterday and the same lesson applies: do not assume the vendor finished the job in 2020. Verify.
