
MiniPlasma Zero-Day (cldflt.sys): Detection and Mitigation for Windows LPE

Security Arsenal Team
May 18, 2026

Author: Senior Security Consultant, Security Arsenal
Date: May 21, 2026

Introduction

A critical privilege escalation vulnerability, codenamed MiniPlasma, has been disclosed by security researcher Chaotic Eclipse. The flaw works on fully patched Windows systems, bypassing existing security controls, by exploiting the Windows Cloud Files Mini Filter Driver (cldflt.sys).

This vulnerability is particularly dangerous because it allows a standard user to execute code in the context of NT AUTHORITY\SYSTEM. While there is no evidence of in-the-wild exploitation at this time, the release of a proof-of-concept (PoC) significantly lowers the barrier for threat actors and malware authors to incorporate this technique into their payloads. Defenders must act immediately to assess exposure and implement mitigations, as a patch is not yet available.

Technical Analysis

  • Affected Component: cldflt.sys (Windows Cloud Files Mini Filter Driver). This driver is commonly used for features like OneDrive Files On-Demand and Cloud Filter provider integration.

  • Vulnerability Class: Local Privilege Escalation (LPE).

  • Affected Platforms: Windows 10, Windows 11, and Windows Server versions where the Cloud Files driver is present and active.

  • CVE Status: Unassigned / Zero-Day as of this reporting.

  • Exploitation Mechanics: The vulnerability stems from improper handling of I/O request packets (IRPs) or specific IOCTL interactions within the cldflt.sys driver. An attacker with low-privilege access can invoke a specific sequence of operations that triggers a memory corruption or logic flaw within the kernel-mode driver.

    Attack Chain:

    1. Attacker gains initial access (e.g., phishing, web shell) with standard user privileges.
    2. Attacker executes the MiniPlasma PoC or a weaponized variant.
    3. The exploit targets \Device\CldFlt or interacts directly with cldflt.sys.
    4. Successful exploitation results in the execution of a shell or command with SYSTEM privileges.

Detection & Response

Given the absence of a CVE and a patch, detection relies heavily on identifying suspicious interactions with the vulnerable driver and unexpected service modifications. Below are high-fidelity detection rules for your SIEM and EDR.

Sigma Rules

---
title: MiniPlasma - Suspicious Modification of Cloud Filter Driver Service
id: a9b2c3d4-5e6f-7890-1234-56789abcdef0
status: experimental
description: Detects modifications to the registry keys associated with the cldflt.sys driver (Cloud Files Filter). Attackers may alter service configuration to facilitate exploitation or persistence.
references:
  - https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html
author: Security Arsenal
date: 2026/05/21
tags:
  - attack.privilege_escalation
  - attack.t1543.003
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: 'SYSTEM\CurrentControlSet\Services\cldflt'
  filter_legit:
    Image|endswith:
      - '\svchost.exe'
      - '\services.exe'
      - '\mmc.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate administrator reconfiguration of cloud sync services
level: high
---
title: MiniPlasma - Suspicious Handle Access to Cloud Filter Device
id: b1c2d3e4-5f6a-7890-1234-56789abcdef1
status: experimental
description: |
  Detects a non-SYSTEM account requesting a handle to the Cloud Filter device
  (\Device\CldFlt), indicative of an exploit attempt. Keyed to Security event
  4656 (a handle to an object was requested), which carries the object name and
  the requesting SID. It only fires where Object Access auditing (e.g. Audit
  Kernel Object) is enabled and the device object carries a matching SACL.
  Sysmon process_access (Event ID 10) records process handle opens only, with
  no object name, so that logsource cannot observe this activity.
references:
  - https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html
author: Security Arsenal
date: 2026/05/21
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4656
    ObjectName|contains: '\Device\CldFlt'
  filter_system:
    SubjectUserSid: 'S-1-5-18'
  condition: selection and not filter_system
falsepositives:
  - Legitimate backup software or cloud sync providers interacting with the driver
level: medium
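To show how the "selection and not filter" condition of the two rules composes in practice, here is an added example (not part of the advisory) that evaluates both rules over constructed Windows events in Python; the device-handle rule is modelled on Security event 4656 fields (ObjectName, SubjectUserSid), and every process path, SID and event value is constructed.

```python
# Added example, not the advisory's own code: a minimal Sigma-style evaluator
# run over constructed Windows events to exercise the "selection and not
# filter" logic of the two rules above. All event values are constructed.
RULES = {
    "cldflt_service_modification": {  # registry_set rule (Sysmon-style fields)
        "logsource": "registry_set",
        "selection": {"TargetObject|contains": r"SYSTEM\CurrentControlSet\Services\cldflt"},
        "filter": {"Image|endswith": [r"\svchost.exe", r"\services.exe", r"\mmc.exe"]},
    },
    "cldflt_device_handle": {  # handle request, modelled on Security event 4656 fields
        "logsource": "security",
        "selection": {"EventID": 4656, "ObjectName|contains": r"\Device\CldFlt"},
        "filter": {"SubjectUserSid": "S-1-5-18"},
    },
}

def _match_field(event, spec, expected):
    """Apply one Sigma field modifier; a list of expected values is an OR."""
    field, _, modifier = spec.partition("|")
    if field not in event:
        return False
    value = event[field]
    for want in (expected if isinstance(expected, list) else [expected]):
        v, w = str(value).lower(), str(want).lower()
        if (modifier == "contains" and w in v) or (modifier == "endswith" and v.endswith(w)):
            return True
        if modifier == "" and value == want:
            return True
    return False

def evaluate(event):
    """Return the names of rules that fire for one event (selection and not filter)."""
    hits = []
    for name, rule in RULES.items():
        if event.get("logsource") != rule["logsource"]:
            continue
        selected = all(_match_field(event, s, e) for s, e in rule["selection"].items())
        if selected and not all(_match_field(event, s, e) for s, e in rule["filter"].items()):
            hits.append(name)
    return hits

# Constructed events: benign write by services.exe, write by cmd.exe, non-SYSTEM device open.
SAMPLE_EVENTS = [
    {"logsource": "registry_set", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\cldflt\Start"},
    {"logsource": "registry_set", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\cldflt\Start"},
    {"logsource": "security", "EventID": 4656, "SubjectUserSid": "S-1-5-21-1000",
     "ObjectName": r"\Device\CldFlt"},
]
```

Running `evaluate` over `SAMPLE_EVENTS` suppresses the services.exe write and flags the other two events.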

KQL (Microsoft Sentinel / Defender)

// Hunt for registry modifications to the cldflt service
// (Defender for Endpoint advanced hunting / Sentinel DeviceRegistryEvents table)
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey contains @"\Services\cldflt"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated", "RegistryValueDeleted", "RegistryKeyDeleted")
| where InitiatingProcessFileName !in~ ("svchost.exe", "services.exe", "mmc.exe", "powershell.exe", "cmd.exe")
    // Shells are tolerated only when already elevated. S-1-5-32-544 is the Administrators
    // group SID and never appears as an account SID, so elevation is checked via integrity level.
    or (InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe") and InitiatingProcessIntegrityLevel !in ("High", "System"))
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, RegistryValueType,
    InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessCommandLine
| extend MITRE_Tactic = "Privilege Escalation", MITRE_Technique = "Create or Modify System Process"

Velociraptor VQL

-- Hunt for processes holding handles on the Cloud Filter device.
-- VQL has no JOIN: enumerate processes with pslist() and expand each one's
-- handle table with handles(pid=...) inside foreach().
SELECT Pid, ProcName, Username, CommandLine, HandleName, HandleType
FROM foreach(
  row={
    SELECT Pid, Name AS ProcName, Username, CommandLine
    FROM pslist()
    WHERE NOT Username =~ 'SYSTEM'
      AND NOT Name =~ 'explorer.exe'   -- Filter common noise, tune as needed
  },
  query={
    SELECT Pid, ProcName, Username, CommandLine,
           Name AS HandleName, Type AS HandleType
    FROM handles(pid=Pid)
    WHERE Type =~ 'File' AND Name =~ '(?i)CldFlt'
  })

Remediation Script (PowerShell)

#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Mitigation script for MiniPlasma (cldflt.sys) Zero-Day.
.DESCRIPTION
    cldflt is a kernel-mode file system minifilter, not a Win32 service, so it is
    not visible to Get-Service/Stop-Service. This script reads its state from
    Win32_SystemDriver, unloads the filter with fltmc.exe and sets the start type
    to Disabled with sc.exe so it is not loaded again at boot. Expect OneDrive
    Files On-Demand placeholders to stop working until the driver is re-enabled.
#>

Write-Host "[+] Checking status of cldflt driver..."
$driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='cldflt'"

if ($driver) {
    if ($driver.State -eq 'Running') {
        Write-Host "[!] Driver is currently loaded. Unloading filter..." -ForegroundColor Yellow
        # fltmc unload detaches the minifilter from all volumes; it fails if the
        # filter refuses (e.g. active cloud sync), in which case a reboot is needed.
        & fltmc.exe unload cldflt
        if ($LASTEXITCODE -ne 0) {
            Write-Host "[!] Unload failed (exit $LASTEXITCODE); the start type change below takes effect after reboot." -ForegroundColor Yellow
        }
    }

    Write-Host "[+] Setting driver Start Type to Disabled..."
    & sc.exe config cldflt start= disabled
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    Write-Host "[SUCCESS] cldflt.sys driver disabled." -ForegroundColor Green
} else {
    Write-Host "[-] Driver 'cldflt' not found on this system." -ForegroundColor Gray
}

# Verify state
Write-Host "[+] Verification:"
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='cldflt'" |
    Select-Object Name, State, StartMode, Started
if (& fltmc.exe filters | Select-String -Pattern 'cldflt' -Quiet) {
    Write-Host "[!] cldflt still appears in 'fltmc filters'; reboot to complete mitigation." -ForegroundColor Yellow
}

Remediation

As of May 21, 2026, there is no official patch from Microsoft for the MiniPlasma vulnerability. Security Arsenal recommends the following immediate actions:

  1. Disable the Vulnerable Driver: The primary mitigation is to disable the cldflt.sys driver. This driver is primarily used for Cloud Files integration (e.g., OneDrive Files On-Demand). Disabling it may impact cloud placeholder functionality but is necessary to prevent SYSTEM-level compromise.
    • Action: Run the PowerShell remediation script provided above or manually set the service to Disabled via services.msc.
  2. Audit Local Administrators: Ensure strict control over who has local administrator rights, as this exploit requires initial code execution on the target (though not necessarily admin rights).
  3. Endpoint Detection Rules: Deploy the provided Sigma rules to your SIEM/EDR immediately to detect attempts to interact with the driver.
  4. Monitor Vendor Advisories: Watch for Microsoft Security Advisory updates regarding CVE assignment and patch releases.
