MiniPlasma exploits Windows Eleven and escalates to SYSTEM without permission

Published on May 20, 2026 | Translated from Spanish

BleepingComputer has verified that the MiniPlasma exploit works on Windows 11 Pro with the May 2026 updates. A standard user can open a command prompt with SYSTEM rights. Analyst Will Dormann replicated the result but noted that the flaw does not reproduce in the Insider Preview Canary build. The attack uses the cldflt.sys driver.

Windows 11 system privilege escalation exploit demonstration, command prompt window transforming from limited user to SYSTEM rights, blue error screen warning, file system driver cldflt.sys being loaded into memory, process tree showing malicious execution chain, dark technical interface with glowing green code lines, cinematic cybersecurity visualization, dramatic red alert highlights, motherboard circuitry in background, photorealistic technical illustration

How the cldflt.sys driver enables privilege escalation 🛡️

The exploit leverages features of the cldflt.sys driver to handle registry keys through an undocumented API. This allows creating arbitrary keys without permission verification. By manipulating these keys, an attacker can escalate privileges in the operating system. The absence of controls in specific registry paths facilitates the jump from a standard account to SYSTEM. Microsoft has not yet issued an official patch.

Microsoft fixes the bug, but only in the branch nobody uses 🤡

As tradition dictates, the flaw does not appear in the Insider Preview Canary build, suggesting Microsoft has already patched it in secret. But users on the stable version are left with the joke. In other words: if you want to be safe, install a test build and pray your system doesn't break. Meanwhile, the exploit continues to work as if nothing happened.