Cyber Pulse: Technical Threat Deep Dives on Active CVEs — MiniPlasma and the Re-Emergence of CVE-2020-17103

Intro

An active exploit targeting CVE-2020-17103 has resurfaced against fully updated Windows 11 systems, raising serious concerns about incomplete remediation or regression within the Windows Cloud Filter driver. Researchers report that the original Google Project Zero proof-of-concept from 2020 still functions against patched production systems as of May 2026.

CVE Context

The vulnerability impacts Microsoft Windows systems utilizing the Windows Cloud Filter driver (cldflt.sys), including modern Windows 11 production environments. Initially disclosed by Google Project Zero in 2020, Microsoft released security updates during the December 2020 Patch Tuesday cycle. Recent testing by independent researchers indicates exploitability may still persist within stable production builds.

The flaw exists within undocumented driver functionality exposed through privileged IOCTL communication paths. Attackers with local low-privileged execution can allegedly abuse insufficient authorization validation to manipulate protected registry structures through kernel-mode operations.


CVSS Metric Breakdown (v3.1) - CVE-2020-17103 (Windows Cloud Filter Driver Privilege Escalation)

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality Impact (VC): High
Integrity Impact (VI): High
Availability Impact (VA): High
Scope Changed (SC): Unchanged
Safety Impact (SI): None
Automation (SA): None
Exploit Maturity: Functional
Base Score: 7.0 (High)

A public exploit tool known as MiniPlasma reportedly achieves elevation to NT AUTHORITY\SYSTEM using the original Project Zero proof-of-concept path without modification. Researchers state successful execution has been observed on Windows 11 systems patched through May 2026.

EPSS Scoring

Probability: 0.00329
Percentile: 55.967%

Exploitation Detail

The vulnerability resides inside the kernel-mode Cloud Filter driver (cldflt.sys), which processes attacker-controlled IOCTL requests in privileged kernel context. The issue appears tied to insufficient authorization validation surrounding undocumented registry-related operations exposed through the driver interface.

An attacker with low-privileged local execution opens a handle to the driver and sends structured IOCTL requests containing crafted registry operation parameters. The vulnerable code path allegedly performs privileged registry actions without properly validating the requesting process token or authorization level.


// Conceptual representation of vulnerable driver communication.
// hDriver is a handle to the Cloud Filter device; 0x0022400C is the IOCTL
// control code; inputBuffer carries the attacker-controlled registry parameters.

DeviceIoControl(
    hDriver,               // handle to the driver device object
    0x0022400C,            // IOCTL control code
    &inputBuffer,          // crafted registry operation parameters
    sizeof(inputBuffer),
    &outputBuffer,         // status returned to the user-mode caller
    sizeof(outputBuffer),
    &bytesReturned,
    NULL                   // synchronous call, no OVERLAPPED
);

// Conceptual attacker-controlled IOCTL parameters

Operation = WRITE_REGISTRY
Target = REGISTRY\USER\.DEFAULT\
Value = MaliciousSetting

Attacker Behavior Snapshot

The attacker opens a handle to the symbolic link representing the Cloud Filter driver and transmits a crafted IOCTL buffer containing registry manipulation parameters. The driver processes the request in kernel context and allegedly executes privileged registry operations without sufficiently validating the calling process token.

The system returns successful execution status responses back to the user-mode process, confirming that unauthorized registry modifications occurred successfully through the privileged driver path.
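To help analysts read DeviceIoControl telemetry of the kind described above, here is an added Python example; it is not code from this post, from MiniPlasma, or from Project Zero. It decodes the 0x0022400C control code into its CTL_CODE fields (device type, access, function, method) and flags calls to the \\.\CloudFilter device made by processes that are not already at High or System integrity, which is the low-privileged-caller pattern the post describes. The control code and device path are taken from the post; the telemetry records and their field names are constructed assumptions.

```python
r"""Decode Windows IOCTL control codes and triage DeviceIoControl telemetry.

Added example for this post; it is not MiniPlasma, Project Zero or Microsoft
code. The control code 0x0022400C and the device path \\.\CloudFilter are
taken from the post. The telemetry records and their field names below are
constructed for illustration.
"""

# A few device-type constants from the Windows SDK (winioctl.h).
DEVICE_TYPES = {
    0x0007: "FILE_DEVICE_DISK",
    0x0009: "FILE_DEVICE_FILE_SYSTEM",
    0x0012: "FILE_DEVICE_NETWORK",
    0x0022: "FILE_DEVICE_UNKNOWN",
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

CLOUD_FILTER_DEVICE = "\\\\.\\CloudFilter"   # \\.\CloudFilter, as in the YARA rule
TRUSTED_INTEGRITY = {"High", "System"}


def decode_ioctl(code: int) -> dict:
    """Split a control code into the four CTL_CODE fields.

    CTL_CODE(DeviceType, Function, Method, Access) =
        (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
    """
    device_type = (code >> 16) & 0xFFFF
    return {
        "device_type": device_type,
        "device_type_name": DEVICE_TYPES.get(
            device_type, f"vendor/unknown (0x{device_type:04X})"),
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


# Constructed DeviceIoControl records (the kind ETW or Process Monitor would yield).
SAMPLE_IOCTL_EVENTS = [
    {"pid": 4312, "image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "integrity": "Medium", "device": CLOUD_FILTER_DEVICE, "ioctl": 0x0022400C},
    {"pid": 880, "image": "C:\\Windows\\System32\\svchost.exe",
     "integrity": "System", "device": CLOUD_FILTER_DEVICE, "ioctl": 0x0022400C},
    {"pid": 5120, "image": "C:\\Program Files\\App\\app.exe",
     "integrity": "Medium", "device": "\\\\.\\PhysicalDrive0", "ioctl": 0x00070000},
]


def triage_ioctl_events(events, device=CLOUD_FILTER_DEVICE):
    """Return (event, decoded_ioctl) pairs for calls to `device` made by
    processes that are not already at High or System integrity."""
    hits = []
    for ev in events:
        if ev["device"].lower() != device.lower():
            continue
        if ev["integrity"] in TRUSTED_INTEGRITY:
            continue
        hits.append((ev, decode_ioctl(ev["ioctl"])))
    return hits


if __name__ == "__main__":
    for ev, dec in triage_ioctl_events(SAMPLE_IOCTL_EVENTS):
        print(f"pid {ev['pid']} ({ev['integrity']}) -> {ev['device']} "
              f"ioctl 0x{ev['ioctl']:08X}: {dec}")
```

Decoding 0x0022400C yields FILE_DEVICE_UNKNOWN, function 3, METHOD_BUFFERED and FILE_READ_ACCESS; the point of the decoder is that an analyst looking at a Process Monitor or ETW capture can tell a custom driver control code apart from a standard one without consulting the SDK headers. In the constructed data only the Medium-integrity caller is reported; the SYSTEM service calling the same device is dropped because it has nothing to gain from the escalation.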

Why This Matters

This vulnerability highlights the risks associated with privileged driver trust boundaries and incomplete remediation within modern operating systems. The reported ability to reproduce exploitation behavior on fully updated Windows 11 systems suggests either insufficient root-cause remediation, regression within the affected code path, or incomplete authorization validation surrounding privileged driver operations.

Exploitation results in:
Elevation from low-privileged execution to NT AUTHORITY\SYSTEM
Unauthorized registry manipulation through privileged driver operations
Increased attacker capability for persistence, credential access, and lateral movement

MITRE ATT&CK Mapping

Privilege Escalation: T1068 – Exploitation for Privilege Escalation
Defense Evasion: T1112 – Modify Registry
Execution: T1203 – Exploitation for Client Execution

Detection Rules

YARA Rule (Memory/Doc/PCAP)


rule MiniPlasma_CloudFilter_Exploit
{
    meta:
        description = "Detects MiniPlasma exploit artifacts targeting CVE-2020-17103"
        author = "Cyber Pulse"
        date = "2026-05-20"

    strings:
        // Device path of the Cloud Filter driver as opened by a user-mode caller.
        // Legitimate Cloud Files API components can also reference it, so
        // exclude known-good Windows binaries by path or hash when scanning.
        $driver = "\\\\.\\CloudFilter" ascii wide
        // Exported by ntdll and imported by many benign binaries; weak on its own.
        $payload = "NtDeviceIoControlFile" ascii wide
        // Native object-manager path of the hive the exploit reportedly modifies.
        $registry = "REGISTRY\\USER\\.DEFAULT\\" ascii wide

    condition:
        // Any single string alone is too common; require two to reduce noise.
        2 of them
}

Suricata or Zeek (Network)


# Exploitation is local, so this rule cannot see the IOCTL itself; it only
# fires when a file or tool carrying the driver name crosses SMB. Treat a hit
# as a pivot into host telemetry rather than as confirmation of exploitation.
alert smb any any -> any any (msg:"EXPLOIT CVE-2020-17103 Cloud Filter Driver Activity"; flow:established,to_server; content:"cldflt.sys"; nocase; classtype:attempted-admin; sid:20260520; rev:1;)

Sigma Rule (SIEM/EDR)


title: Windows Cloud Filter Driver Privilege Escalation Activity
id: c1b9c9f0-25a8-4e8c-b011-bdc1db734bf5
status: experimental
description: Detects suspicious registry activity associated with CVE-2020-17103 exploitation
author: Cyber Pulse
date: 2026-05-20
tags:
    - attack.privilege_escalation
    - attack.t1068
    - attack.defense_evasion
    - attack.t1112

logsource:
    product: windows
    category: registry_event

detection:
    selection:
        # Sysmon renders the per-user hive as HKU\; the native path is REGISTRY\USER\.
        # Match both so the rule works on Sysmon as well as raw object-manager paths.
        TargetObject|contains:
            - 'HKU\.DEFAULT\'
            - 'REGISTRY\USER\.DEFAULT\'

    filter:
        Image: 'C:\Windows\System32\services.exe'

    condition: selection and not filter

falsepositives:
    - Rare administrative activity
    - System components legitimately writing to the default user profile

level: high

Detection Strategies

Network Detection:
Monitor unusual driver communication activity tied to undocumented IOCTL interactions
Flag suspicious registry manipulation telemetry targeting .DEFAULT hive structures
Investigate unexpected low-privileged processes interacting with kernel drivers

Endpoint Detection:
Monitor for low-integrity processes spawning elevated child shells
Detect suspicious registry modifications targeting REGISTRY\USER\.DEFAULT\
Look for unusual DeviceIoControl activity tied to cldflt.sys

Splunk Query


index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13 TargetObject="*\\.DEFAULT\\*"
| stats count by host, Image, TargetObject, Details

SOC Detection Strategy

SOC teams should prioritize telemetry involving registry modifications originating from low-privileged execution contexts interacting with privileged driver pathways. Correlate Sysmon registry events with process integrity levels and unusual DeviceIoControl activity.

Escalate any event chain involving low-integrity user processes rapidly transitioning into SYSTEM-level execution. Analysts should specifically investigate unauthorized interactions with REGISTRY\USER\.DEFAULT\ structures and suspicious communication involving cldflt.sys.
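The correlation described in this section, as an added Python example that is not the post's own tooling: it applies the Sigma logic (a registry write into the .DEFAULT hive, not made by services.exe) and then looks for a SYSTEM-integrity child of the writing process within a short window, which is the low-integrity-to-SYSTEM chain analysts are told to escalate. The Sysmon records are constructed; their field names follow Sysmon Event ID 1 (ProcessCreate, which carries IntegrityLevel) and Event ID 13 (RegistryEvent: value set). Both the HKU\ form Sysmon emits and the REGISTRY\USER\ form used elsewhere in this post are accepted.

```python
r"""Correlate Sysmon registry writes to the .DEFAULT hive with a later
SYSTEM-integrity child of the writing process.

Added example for this post, not the post's own tooling. The Sysmon records
are constructed; field names follow Event ID 1 (ProcessCreate) and Event ID 13
(RegistryEvent: value set).
"""
from datetime import datetime

# Sysmon abbreviates the per-user hive to HKU\; the native path is \REGISTRY\USER\.
USER_HIVE_PREFIXES = ("HKU\\", "\\REGISTRY\\USER\\", "REGISTRY\\USER\\")
FILTERED_IMAGES = {"c:\\windows\\system32\\services.exe"}   # the Sigma filter


def is_default_hive_write(target_object: str) -> bool:
    """True when the registry path points into the .DEFAULT user hive."""
    upper = target_object.upper()
    for prefix in USER_HIVE_PREFIXES:
        if upper.startswith(prefix.upper()):
            return upper[len(prefix):].startswith(".DEFAULT\\")
    return False


def sigma_match(event: dict) -> bool:
    """Selection (value set under .DEFAULT) and not filter (services.exe)."""
    return (event["EventID"] == 13
            and is_default_hive_write(event["TargetObject"])
            and event["Image"].lower() not in FILTERED_IMAGES)


def _ts(event: dict) -> datetime:
    # Sysmon UtcTime format, e.g. 2026-05-20 10:00:05.000
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def correlate(events, window_seconds=60):
    """Return one alert per .DEFAULT write whose writer, not already SYSTEM,
    spawns a SYSTEM-integrity child within `window_seconds` of the write."""
    events = sorted(events, key=_ts)
    creates = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for reg in filter(sigma_match, events):
        writer = creates.get(reg["ProcessId"])
        integrity = writer["IntegrityLevel"] if writer else "Unknown"
        if integrity == "System":
            continue                      # already SYSTEM: no escalation to report
        for child in events:
            if child["EventID"] != 1 or child["ParentProcessId"] != reg["ProcessId"]:
                continue
            delta = (_ts(child) - _ts(reg)).total_seconds()
            if 0 <= delta <= window_seconds and child["IntegrityLevel"] == "System":
                alerts.append({
                    "parent_pid": reg["ProcessId"], "parent_image": reg["Image"],
                    "parent_integrity": integrity, "target_object": reg["TargetObject"],
                    "child_pid": child["ProcessId"], "child_image": child["Image"],
                    "seconds_after_write": delta,
                })
    return alerts


# Constructed Sysmon records: a Medium-integrity tool writes into .DEFAULT and
# 2.5 s later has a SYSTEM child; services.exe and an HKLM write are noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-05-20 10:00:00.000", "ProcessId": 4312,
     "ParentProcessId": 3000, "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "IntegrityLevel": "Medium"},
    {"EventID": 13, "UtcTime": "2026-05-20 10:00:05.000", "ProcessId": 4312,
     "Image": "C:\\Users\\alice\\Downloads\\tool.exe", "EventType": "SetValue",
     "TargetObject": "HKU\\.DEFAULT\\Software\\ExampleKey\\MaliciousSetting"},
    {"EventID": 13, "UtcTime": "2026-05-20 10:00:06.000", "ProcessId": 880,
     "Image": "C:\\Windows\\System32\\services.exe", "EventType": "SetValue",
     "TargetObject": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Example"},
    {"EventID": 1, "UtcTime": "2026-05-20 10:00:07.500", "ProcessId": 4500,
     "ParentProcessId": 4312, "Image": "C:\\Windows\\System32\\cmd.exe",
     "IntegrityLevel": "System"},
    {"EventID": 13, "UtcTime": "2026-05-20 10:01:00.000", "ProcessId": 2222,
     "Image": "C:\\Windows\\regedit.exe", "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\ExampleVendor\\Setting"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data the Sigma selection alone returns one hit (the services.exe write is filtered, the HKLM write never matches), and the correlator promotes it to an alert because the writer was Medium integrity and produced a SYSTEM child 2.5 seconds later. The integrity check is what separates this from a plain registry rule: a SYSTEM service writing to .DEFAULT and starting another service is routine, and the code drops it without a special-case filter.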

Tools & Techniques

Tool | Purpose
Sysmon | Registry and process telemetry
Velociraptor | Endpoint hunting and artifact collection
Process Monitor | Driver and registry interaction analysis
Sigma/YARA | Detection engineering for exploit indicators

Mitigation & Response

Organizations should monitor Microsoft advisories for updated remediation guidance and validate whether affected systems remain vulnerable despite current patch levels.

Temporary defensive strategies include:
Enable enhanced endpoint monitoring around registry modifications
Restrict unnecessary local execution pathways
Enable Windows security protections such as HVCI where operationally feasible
Monitor for abnormal privilege escalation behavior
Review endpoint telemetry for suspicious DeviceIoControl interactions

Incident Response Snippets

Security teams conducting active threat hunting can investigate suspicious registry modifications and SYSTEM-level process escalation behavior using Sysmon and PowerShell telemetry.


# Sysmon Event ID 13 (RegistryEvent: value set) with a target inside the .DEFAULT hive.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    ID      = 13
} | Where-Object {
    # Match the path segment \.DEFAULT\ rather than the bare word DEFAULT,
    # which also appears in unrelated value names and messages.
    $_.Message -match '\\\.DEFAULT\\'
} | Select-Object TimeCreated, Message

Investigative questions:
Did a low-privileged process communicate directly with cldflt.sys?
Did suspicious registry modifications occur inside REGISTRY\USER\.DEFAULT\?
Did SYSTEM-level child processes spawn unexpectedly after driver communication activity?

Suggested Reading & External References

Microsoft Security Update Guide — CVE-2020-17103
Google Project Zero Vulnerability Research
SecurityWeek Coverage and Research Reporting
MITRE ATT&CK T1068 — Exploitation for Privilege Escalation

Final Thoughts

CVE-2020-17103 demonstrates how insufficient authorization validation within privileged driver operations can transform low-privileged execution into full SYSTEM-level compromise.

Organizations should prioritize telemetry visibility around privileged driver interactions, registry manipulation behavior, and abnormal privilege escalation activity while awaiting additional remediation guidance.

Detection is field work.

Published: May 20, 2026
