A Windows kernel-level privilege escalation zero-day dubbed MiniPlasma has been publicly disclosed by security researcher "Chaotic Eclipse" — the same researcher behind the recently dropped YellowKey and GreenPlasma Windows vulnerabilities. A working proof-of-concept (PoC) exploit is publicly available, and Microsoft has not yet issued a patch, leaving fully patched Windows 10 and Windows 11 systems exposed to local privilege escalation to SYSTEM-level access.
What Is MiniPlasma?
MiniPlasma is a Windows kernel privilege escalation vulnerability that allows a local attacker with standard user access to elevate to NT AUTHORITY\SYSTEM — the highest privilege level available on a Windows endpoint. According to the disclosure by Chaotic Eclipse, the flaw originates from an improper access control weakness in a core Windows subsystem component.
Key characteristics:
- Privilege escalation target: NT AUTHORITY\SYSTEM
- Affected systems: Windows 10 (22H2) and Windows 11 (24H2), fully patched as of May 2026
- Exploit requirement: Local code execution — an initial foothold is required
- Patch status: No official Microsoft patch available
- PoC: Publicly released by the researcher
The Researcher Behind the Disclosure
Chaotic Eclipse has been on a disclosure spree in May 2026. Prior to MiniPlasma, the researcher publicly dropped PoC exploits for:
- YellowKey — a Windows BitLocker bypass enabling access to encrypted drives
- GreenPlasma — a ctfmon.exe-based privilege escalation to SYSTEM
The pattern mirrors frustration with Microsoft's vulnerability response process. Chaotic Eclipse cited insufficient acknowledgment of severity and a lack of committed patch timelines as reasons for opting for full public disclosure rather than coordinated disclosure. The researcher stated the flaws were reported to Microsoft before going public, but the coordination window expired without a committed remediation date.
Why MiniPlasma Matters in Attacks
While MiniPlasma requires local access, so it cannot be exploited directly over the network, local privilege escalation vulnerabilities are a cornerstone of modern attack chains:
Initial foothold (phishing, drive-by, supply chain)
→ Code execution at user privilege level
→ MiniPlasma LPE → SYSTEM access
→ Credential dumping (LSASS), EDR disablement, ransomware deployment
With SYSTEM-level access, attackers can:
- Dump LSASS credentials for lateral movement
- Disable endpoint detection and response (EDR) tools
- Install kernel-level rootkits for persistent, invisible access
- Deploy ransomware without user consent prompts
- Exfiltrate data from protected system directories
Ransomware operators and nation-state actors routinely chain initial access exploits with LPE vulnerabilities to maximize the impact of a breach. A publicly available PoC lowers the bar significantly — commodity threat actors no longer need to independently discover or purchase the exploit.
Microsoft's Response
As of the time of this writing, Microsoft has not published an official statement acknowledging MiniPlasma or committed to a patch timeline. The May 2026 Patch Tuesday addressed 120 vulnerabilities with no zero-days, meaning the next scheduled patch window is June 2026's Patch Tuesday — unless Microsoft releases an out-of-band emergency update.
Given the public availability of a working PoC and the severity of SYSTEM access, organizations should not wait for the scheduled patch cycle.
Mitigations
Until Microsoft issues a fix, the following controls reduce exposure:
- Enforce least-privilege access — Standard user accounts cannot install software or change system configuration, so keeping everyday accounts non-administrative shrinks the attack surface an LPE exploit can build on.
- Deploy EDR with kernel visibility — Behavioral detection can catch privilege escalation attempts even for novel exploits.
- Monitor for anomalous SYSTEM process spawning — Alert on short-lived child processes running as SYSTEM outside expected baselines.
- Apply Windows Attack Surface Reduction (ASR) rules — ASR rules block many of the initial-execution techniques that provide the local foothold LPE exploits depend on.
- Audit local administrator memberships — Reduce unnecessary local admin rights; SYSTEM escalation is more impactful when combined with admin-level initial access.
- Watch the Microsoft Security Update Guide — Apply any emergency out-of-band patch within hours of release given the active threat landscape.
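Detection logic for the "monitor for anomalous SYSTEM process spawning" control above, as an added example that is not part of the original article: it walks Sysmon-style process create (Event ID 1) and terminate (Event ID 5) records and flags SYSTEM children spawned by a non-SYSTEM parent, or by a parent outside a baseline that exits within seconds. The ALLOWED_PARENTS baseline, the field names and the sample events are assumptions, and the telemetry is constructed.

```python
from datetime import datetime, timedelta

SYSTEM = "NT AUTHORITY\\SYSTEM"
# Parents that legitimately start SYSTEM processes; an assumed baseline, tune per estate.
ALLOWED_PARENTS = {"services.exe", "wininit.exe", "smss.exe", "csrss.exe", "svchost.exe"}

def load(events):
    """Pair process-create (id 1) records with terminate (id 5) records by GUID."""
    procs = {}
    for ev in events:
        if ev["id"] == 1:
            procs[ev["guid"]] = dict(ev, end=None)
        elif ev["id"] == 5 and ev["guid"] in procs:
            procs[ev["guid"]]["end"] = ev["ts"]
    return procs

def find_suspicious(events, max_life=timedelta(seconds=10)):
    """GUIDs of SYSTEM processes spawned by a non-SYSTEM parent, or by a parent outside
    the baseline that also exited within max_life (the short-lived-child heuristic)."""
    hits = []
    for p in load(events).values():
        if p["user"] != SYSTEM:
            continue                                    # only SYSTEM children are of interest
        user_to_system = p["parent_user"] != SYSTEM     # standard-user parent -> SYSTEM child
        unusual_parent = p["parent_image"].lower() not in ALLOWED_PARENTS
        short_lived = p["end"] is not None and (p["end"] - p["ts"]) <= max_life
        if user_to_system or (unusual_parent and short_lived):
            hits.append(p["guid"])
    return hits

# Constructed sample telemetry in the shape of Sysmon events 1/5; not from any real host.
T0 = datetime(2026, 5, 20, 9, 0, 0)

def create(guid, secs, image, user, parent, parent_user):
    return {"id": 1, "guid": guid, "ts": T0 + timedelta(seconds=secs), "image": image,
            "user": user, "parent_image": parent, "parent_user": parent_user}

SAMPLE_EVENTS = [
    create("A", 0, "svchost.exe", SYSTEM, "services.exe", SYSTEM),            # normal service host
    create("B", 5, "cmd.exe", SYSTEM, "helper.exe", "CORP\\jdoe"),            # user parent -> SYSTEM child
    {"id": 5, "guid": "B", "ts": T0 + timedelta(seconds=7)},                  # ...and gone after 2 s
    create("C", 9, "notepad.exe", "CORP\\jdoe", "explorer.exe", "CORP\\jdoe"),  # ordinary user app
    create("D", 12, "agent.exe", SYSTEM, "agentsvc.exe", SYSTEM),             # off-baseline parent, long-lived
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_EVENTS))   # ['B']
```

In production the parent-user test alone will fire on some legitimate elevation paths, so the baseline set and the lifetime window are the tuning knobs, not the structure.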
Pattern of 2026 Windows Zero-Day Public Disclosures
May 2026 has seen an unusual number of public Windows zero-day drops, all tied to researcher frustration with vendor response timelines:
| Vulnerability | Researcher | Type | Status |
|---|---|---|---|
| YellowKey | Chaotic Eclipse | BitLocker bypass | No patch |
| GreenPlasma | Chaotic Eclipse | SYSTEM escalation (ctfmon) | No patch |
| MiniPlasma | Chaotic Eclipse | SYSTEM escalation | No patch |
| Exchange Zero-Day | Various | Server-side RCE | Microsoft patching |
The concentration of unpatched Windows vulnerabilities in public hands should inform threat modeling for security operations teams — particularly for organizations in sectors targeted by ransomware and nation-state actors.
References
- The Hacker News — MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation
- BleepingComputer — New Windows MiniPlasma Zero-Day Exploit Gives SYSTEM Access, PoC Released
- Microsoft Security Update Guide
- CISA Known Exploited Vulnerabilities Catalog