A cybersecurity researcher has publicly released a proof-of-concept (PoC) exploit for a previously undisclosed Windows privilege escalation vulnerability, dubbed "MiniPlasma," that allows a local attacker to elevate from a standard user account to SYSTEM-level privileges on fully patched Windows 10 and Windows 11 systems. No patch is currently available, placing the flaw in zero-day territory.
What Is MiniPlasma?
MiniPlasma is a Windows kernel-level privilege escalation vulnerability discovered and named by an independent security researcher. According to the disclosure, the flaw stems from an improper access control issue within a core Windows subsystem component, allowing an attacker with local code execution to escalate to NT AUTHORITY\SYSTEM — the highest privilege level on a Windows machine.
Key characteristics of the vulnerability:
- Privilege level gained: NT AUTHORITY\SYSTEM (full control of the operating system)
- Affected systems: Fully patched Windows 10 (22H2) and Windows 11 (24H2) confirmed
- Exploit requirement: Local code execution — the attacker must already have a foothold on the machine
- Patch status: No official Microsoft patch available at time of disclosure
- PoC availability: Proof-of-concept exploit code released publicly by the researcher
How Privilege Escalation Exploits Are Weaponized
While MiniPlasma requires an existing foothold — meaning it cannot be exploited remotely on its own — local privilege escalation (LPE) vulnerabilities are among the most critical bugs in an attacker's toolkit. In real-world attacks, LPE flaws are typically chained after an initial compromise vector:
- Phishing or malicious download — An attacker tricks a user into executing a payload, gaining access at the user's privilege level.
- LPE exploit — An exploit such as MiniPlasma elevates that user-level access to SYSTEM.
- Lateral movement and persistence — With SYSTEM privileges, the attacker can disable endpoint detection tools, extract credentials from LSASS, install rootkits, or move across the network unchallenged.
This chain is exactly what ransomware operators and nation-state actors rely on when deploying post-exploitation frameworks like Cobalt Strike, Sliver, or Havoc.
Researcher's Decision to Publish PoC
The disclosure of MiniPlasma follows what appears to be a breakdown in the coordinated vulnerability disclosure process. The researcher cited frustration with Microsoft's bug bounty program timeline and what they described as inadequate acknowledgment of the report's severity as reasons for releasing the PoC publicly without a patch in place.
This is not an isolated incident. Researchers have increasingly adopted a "full disclosure" stance against major vendors when they feel reports are being deprioritized, echoing the frustrations that led to similar public drops of the YellowKey and GreenPlasma Windows zero-days earlier in May 2026.
The researcher did note that they reported the flaw to Microsoft prior to public disclosure but chose to publish after the coordination window elapsed without a committed patch timeline.
Microsoft's Response
At the time of writing, Microsoft has not issued an official public statement acknowledging MiniPlasma or committing to a patch timeline. The company typically addresses zero-days either through an out-of-band update or by including a fix in the next Patch Tuesday cycle.
Given that Microsoft's May 2026 Patch Tuesday addressed 120 vulnerabilities without any actively exploited zero-days, the next scheduled update window would be in June.
Mitigation Recommendations
Until an official patch is released, organizations should consider the following mitigations to reduce exposure:
- Enforce least-privilege access — Ensure standard user accounts cannot install software or modify system configurations. Reducing the attack surface for LPE exploits limits their impact.
- Monitor for suspicious SYSTEM-level process spawning — Establish baselines for processes legitimately running as SYSTEM and alert on deviations, particularly short-lived child processes.
- Audit local administrator accounts — Disable or audit accounts that have unnecessary local admin rights, as SYSTEM elevation is only meaningful when an attacker already has local access.
- Deploy endpoint detection and response (EDR) — Modern EDR solutions with kernel visibility can detect privilege escalation attempts through behavioral analysis, even for novel exploits.
- Enable Windows Defender Attack Surface Reduction (ASR) rules — ASR rules can block many of the execution techniques used to achieve the initial foothold that LPE exploits depend on.
- Apply Windows security baselines — Microsoft's Security Compliance Toolkit baselines configure many hardening settings that reduce the effectiveness of kernel exploitation techniques.
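As an added example (not code from the article or from the researcher's disclosure), the following Python script shows one way to implement the monitoring recommendation above: baseline the processes that legitimately run as SYSTEM, alert on deviations, and weight short-lived children and children spawned from a non-SYSTEM parent as high severity. It runs offline over a few constructed Sysmon-style process-creation and process-termination events; the JSON field names, the baseline table, the sample paths and the five-second threshold are assumptions chosen for illustration, not values from the page.

```python
"""Baseline-driven detection of unexpected SYSTEM-level process creation.

Added example, not code from the article: it ingests a few constructed
Sysmon-style events (ID 1 = process create, ID 5 = process terminate),
compares every process running as NT AUTHORITY\\SYSTEM against a known-good
baseline, and raises an alert on deviations, treating short-lived children
and children spawned by a non-SYSTEM parent as high severity.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed baseline: image path -> parents expected to spawn it as SYSTEM.
# A real deployment learns this from the fleet instead of hard-coding it.
SYSTEM_BASELINE = {
    r"c:\windows\system32\svchost.exe": {r"c:\windows\system32\services.exe"},
    r"c:\windows\system32\lsass.exe": {r"c:\windows\system32\wininit.exe"},
    r"c:\windows\system32\conhost.exe": {r"c:\windows\system32\svchost.exe"},
}

# Children that exit faster than this are treated as suspicious helpers (assumed threshold).
SHORT_LIVED = timedelta(seconds=5)

# Constructed sample log in JSON-lines form; field names are assumed for this example.
SAMPLE_LOG = r"""
{"event_id": 1, "pid": 1000, "time": "2026-05-20T12:00:00", "image": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe", "parent_user": "NT AUTHORITY\\SYSTEM"}
{"event_id": 1, "pid": 4242, "time": "2026-05-20T12:00:10", "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Users\\alice\\Downloads\\invoice.exe", "parent_user": "DESKTOP\\alice"}
{"event_id": 5, "pid": 4242, "time": "2026-05-20T12:00:12"}
{"event_id": 1, "pid": 4300, "time": "2026-05-20T12:01:00", "image": "C:\\Windows\\System32\\conhost.exe", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\cmd.exe", "parent_user": "NT AUTHORITY\\SYSTEM"}
{"event_id": 1, "pid": 4400, "time": "2026-05-20T12:02:00", "image": "C:\\Windows\\System32\\notepad.exe", "user": "DESKTOP\\alice", "parent_image": "C:\\Windows\\explorer.exe", "parent_user": "DESKTOP\\alice"}
"""


@dataclass
class Alert:
    pid: int
    image: str
    parent_image: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_system_deviations(events, baseline=SYSTEM_BASELINE, short_lived=SHORT_LIVED):
    """Return one Alert per SYSTEM-context process that deviates from the baseline."""
    creates = {}  # pid -> process-create event
    ends = {}     # pid -> termination timestamp
    for e in events:
        if e["event_id"] == 1:
            creates[e["pid"]] = e
        elif e["event_id"] == 5:
            ends[e["pid"]] = datetime.fromisoformat(e["time"])

    alerts = []
    for pid, e in creates.items():
        if e["user"].upper() != SYSTEM_USER:
            continue  # only SYSTEM-context processes are baselined here
        image, parent = e["image"].lower(), e["parent_image"].lower()
        reasons = []
        expected_parents = baseline.get(image)
        if expected_parents is None:
            reasons.append("image not in SYSTEM baseline")
        elif parent not in expected_parents:
            reasons.append("unexpected parent for baselined image")
        if e.get("parent_user", "").upper() != SYSTEM_USER:
            reasons.append("non-SYSTEM parent spawned SYSTEM child")
        if not reasons:
            continue  # matches the baseline; nothing to report
        severity = "high" if "non-SYSTEM parent spawned SYSTEM child" in reasons else "medium"
        end = ends.get(pid)
        if end is not None and end - datetime.fromisoformat(e["time"]) < short_lived:
            reasons.append("short-lived")  # quick exit is a deviation modifier, not an alert on its own
            severity = "high"
        alerts.append(Alert(pid, e["image"], e["parent_image"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_system_deviations(parse_events(SAMPLE_LOG)):
        print(f"[{a.severity}] pid={a.pid} {a.image} <- {a.parent_image}: {', '.join(a.reasons)}")
```

On the sample input the script stays silent for the baselined svchost.exe and for the user-context notepad.exe, raises a high-severity alert for the SYSTEM cmd.exe that a user-context process spawned and that exited within two seconds, and a medium-severity alert for conhost.exe launched by an unexpected parent. In production the baseline would be learned per host class and fed from Sysmon or EDR telemetry rather than a hard-coded table.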
Broader Pattern of Windows Zero-Day Disclosures in 2026
MiniPlasma arrives in a period of elevated Windows zero-day activity. Earlier in May, researcher "securityreviewer" dropped PoC code for YellowKey and GreenPlasma, two Windows flaws enabling BitLocker bypass and ctfmon.exe privilege escalation respectively. In April, a Windows RRAS RCE flaw received an emergency out-of-band hotpatch. The frequency of public zero-day drops suggests growing researcher frustration with vendor response timelines, a trend that security teams should incorporate into their threat modeling.
Organizations running Windows endpoints should monitor Microsoft's Security Update Guide and apply any emergency patches within hours of release given the current threat landscape.