MiniPlasma Exploit Grants System-Level Access on Windows
Picus Security has analyzed the MiniPlasma zero-day exploit, which leverages an older vulnerability to grant SYSTEM privileges on patched Windows 11 systems.

Cybersecurity firm Picus Security has published an analysis of a zero-day exploit dubbed MiniPlasma. This exploit, based on the previously identified CVE-2020-17103 vulnerability, allows attackers to gain SYSTEM-level privileges on Windows 11 and Server 2022/2025, even on systems that have been recently patched.
The research highlights that while the underlying vulnerability dates back to 2020, it has been rediscovered and repackaged. MiniPlasma exploits a flaw within the Windows Cloud Filter Driver, enabling an attacker to manipulate registry access. Specifically, it allows writing to the HKEY_USERS\.DEFAULT hive, which is reserved for the system's highest privileges.
The core of the exploit relies on a race condition combined with thread token impersonation. An attacker can manipulate the system to attempt writing to a user's registry hive. However, by temporarily switching privileges, the exploit causes the operation to fail for the user's hive and instead succeed in modifying the SYSTEM hive, bypassing standard security checks.
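Because the article's distinguishing signal is a write into the HKEY_USERS\.DEFAULT hive, which only the system's highest-privileged accounts should normally touch, a defender can hunt for registry write events under that hive whose originating process does not run as SYSTEM. The following is an added example, not code from Picus Security or from the MiniPlasma analysis; the log records are constructed in the style of Sysmon registry events (EventType, User, Image, TargetObject), the `Key=Value|...` line format is an assumption for the sake of a self-contained parser, and the set of accounts treated as expected writers is an assumption to tune per environment.

```python
"""Heuristic detection for registry writes into HKU\\.DEFAULT by non-SYSTEM
processes.  Added example; the log lines below are constructed, not real
telemetry from the Picus analysis."""
import re

# Accounts normally expected to write to the .DEFAULT hive (assumption; tune per environment).
PRIVILEGED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}

# Sysmon spells the hive as HKU\.DEFAULT; accept the long HKEY_USERS form as well.
DEFAULT_HIVE = re.compile(r"^(HKU|HKEY_USERS)\\\.DEFAULT(\\|$)", re.IGNORECASE)

# Registry event types that modify the hive (Sysmon Event IDs 12, 13 and 14).
WRITE_EVENTS = {"CreateKey", "DeleteKey", "SetValue", "DeleteValue", "RenameKey"}


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_suspicious(event: dict) -> bool:
    """True when a hive-modifying event targets HKU\\.DEFAULT from a non-privileged account."""
    if event.get("EventType") not in WRITE_EVENTS:
        return False
    if not DEFAULT_HIVE.match(event.get("TargetObject", "")):
        return False
    user = event.get("User", "").upper()
    return user not in {a.upper() for a in PRIVILEGED_ACCOUNTS}


def find_suspicious(lines) -> list:
    """Return the parsed events that trip the heuristic, in log order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if is_suspicious(event):
            hits.append(event)
    return hits


# Constructed sample telemetry: one legitimate SYSTEM write, one user-hive write,
# and two writes into .DEFAULT from an ordinary interactive account.
SAMPLE_LOG = [
    r"EventType=SetValue|User=NT AUTHORITY\SYSTEM|Image=C:\Windows\System32\svchost.exe|"
    r"TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"EventType=SetValue|User=DESKTOP-01\alice|Image=C:\Windows\explorer.exe|"
    r"TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    r"EventType=SetValue|User=DESKTOP-01\alice|Image=C:\Users\alice\Downloads\tool.exe|"
    r"TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"EventType=CreateKey|User=DESKTOP-01\alice|Image=C:\Users\alice\Downloads\tool.exe|"
    r"TargetObject=HKU\.DEFAULT\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['EventType']:<10} {hit['User']:<20} {hit['Image']} -> {hit['TargetObject']}")
```

The heuristic keys on the account of the originating process rather than on the security context the write ultimately succeeded under, because the article describes the exploit briefly switching privileges mid-operation; correlating the registry event with the process's own token is what makes that switch visible. Expect some tuning: legitimate installers and management agents running elevated may also touch `.DEFAULT`, so an allowlist of images or accounts belongs alongside `PRIVILEGED_ACCOUNTS`.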
Picus Security states that its platform can simulate MiniPlasma attacks. This capability allows organizations to test and verify that their security controls, such as endpoint detection and response (EDR) solutions, are capable of detecting and preventing such sophisticated threats in real time.
The analysis underscores the ongoing need for robust security testing and monitoring, as previously discovered vulnerabilities can be weaponized in novel ways.