CVE-2020-17103 is a privilege escalation vulnerability in the Windows Cloud Filter driver that allows unauthenticated manipulation of registry keys via an undocumented API, enabling attackers to create keys in the DEFAULT user hive without access checks. Google Project Zero reported this flaw in 2020, and Microsoft released patches as part of the December 2020 Patch Tuesday updates. However, a recent exploit named MiniPlasma, released by researcher Chaotic Eclipse, demonstrates that the vulnerability may still be present on some Windows systems, including Windows 11 with recent security updates. The exploit uses the original proof-of-concept code and can spawn a System shell, indicating successful privilege escalation. Independent analysis notes the exploit does not work on the latest Windows 11 Insider Preview Canary builds. Microsoft has not publicly confirmed the current patch status or provided a statement regarding this exploit.

If unpatched, this vulnerability allows an attacker to escalate privileges on affected Windows systems to SYSTEM level, potentially enabling execution of code with the highest privileges. This could lead to full system compromise. The exploit reportedly works on Windows 11 systems with May 2026 updates installed, indicating that some supported versions may remain vulnerable. There is no confirmed evidence of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Microsoft released patches for CVE-2020-17103 in December 2020; however, the researcher claims these may not have fully resolved the issue or were rolled back. Organizations should verify that the December 2020 Patch Tuesday updates and subsequent security updates are correctly applied. Monitoring official Microsoft advisories for updates or statements regarding this exploit is recommended. No additional mitigation steps are specified by the vendor or researcher at this time.