CVE-2020-17103 is a Windows local privilege escalation vulnerability in the Cloud Files Mini Filter Driver (cldflt.sys), associated with the HsmOsBlockPlaceholderAccess routine. The issue was originally reported by James Forshaw of Google Project Zero and assigned CVE-2020-17103, with Microsoft issuing an initial fix in December 2020. Tracked sources indicate that the flaw remained exploitable years later via the publicly released MiniPlasma proof of concept, suggesting an incomplete fix or a regression. Those sources describe the bug as a race condition in cldflt.sys that a local attacker can abuse to manipulate Cloud Files operations and ultimately obtain elevated execution. Further technical context ties the original bug to missing access enforcement during registry key creation in the .DEFAULT hive, with exploitation relying on token switching and race timing and culminating in a SYSTEM shell.
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a standalone C# local privilege escalation exploit named MiniPlasma. It is not part of a common exploit framework. The project contains two substantive code files: Program.cs, which implements the exploitation logic, and MiniRunner.cs, a small SYSTEM-context launcher payload. The remaining files are Visual Studio/.NET project metadata, Fody/Costura packaging configuration, and a README describing the claimed target as CVE-2020-17103 in the Windows Cloud Files Mini Filter Driver.

Program.cs is the main exploit entry point. It uses NtApiDotNet, TaskScheduler, registry APIs, named pipes, and Cloud Files APIs from cldapi.dll. The code manipulates security descriptors on .DEFAULT registry keys, recursively deletes subkeys, creates a registry symbolic link from \Registry\User\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps to \Registry\User\.DEFAULT\Volatile Environment, and repeatedly calls CfAbortOperation while racing impersonation-token changes across threads. It then sets the windir value under the .DEFAULT Volatile Environment hive to a temporary directory under C:\ProgramData, creates a fake System32 directory there, drops an embedded runner binary as wermgr.exe, and triggers the scheduled task \Microsoft\Windows\Windows Error Reporting\QueueReporting. This is intended to cause Windows Error Reporting to execute the attacker-controlled wermgr.exe from the crafted path.

MiniRunner.cs is the second-stage payload. It reads a config file from C:\ProgramData matching mp_*.cfg, extracts the named pipe name and desired payload path, connects back to the named pipe, obtains the session ID associated with the pipe, duplicates its own SYSTEM token, sets the token session ID, and launches the chosen executable with CreateProcessAsUserW so the process appears on the user desktop.
By default, the chosen executable is C:\Windows\System32\conhost.exe, but the operator can supply another executable path as the first command-line argument to Program.cs. Overall capability: local privilege escalation from a standard user context to NT AUTHORITY\SYSTEM, followed by execution of an arbitrary local executable as SYSTEM. There are no external network callbacks, hardcoded IPs, or remote C2 endpoints; the observable artifacts are local file paths, registry paths, a named pipe, and the scheduled task used for execution. The exploit is operational rather than a mere PoC because it includes a working payload launcher and cleanup logic, but it is not obviously weaponized into a reusable framework.
This repository is a compact Visual Studio C# proof-of-concept for a local Windows privilege-escalation/arbitrary registry key manipulation issue associated with CVE-2020-17103 ('MiniPlasma' per the README). The repo contains a single executable project targeting .NET Framework 4.7.2 and using the NtApiDotNet library to access low-level NT registry, token, and thread APIs.

Structure: the meaningful logic is entirely in src/PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs; the remaining files are standard solution/project metadata (sln, csproj, App.config, AssemblyInfo.cs, packages.config) plus a minimal README and license. There is no network component, no C2, and no remote delivery logic.

Exploit behavior: the PoC imports CfAbortOperation and CfGetPlatformInfo from cldapi.dll, verifies Cloud Files platform support, then executes in multiple stages. Stage0 spawns stages 1-3 as child processes. Stage1 starts a registry change watcher and a racing thread that repeatedly sets and clears an anonymous impersonation token on the current thread while continuously calling CfAbortOperation with the Block flag. Stage2 opens the CloudFiles registry policy key, weakens/modifies its security descriptor, deletes subkeys, and creates a registry symbolic link from \Registry\User\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps to \Registry\User\.DEFAULT\DEMODEMO, then re-enters Stage1. Stage3 removes the symbolic link and adjusts security on the target key for cleanup/post-condition control.

Capabilities: the exploit demonstrates arbitrary registry key redirection/manipulation in the HKU\.DEFAULT hive, including ACL/label changes, recursive deletion of subkeys, and symbolic-link-based redirection of a privileged registry operation to an attacker-chosen key. The code strongly indicates a local EoP primitive rather than a full post-exploitation implant. No shellcode, command execution payload, persistence module, or exfiltration logic is present.
This repository is a standalone Visual Studio C# proof-of-concept named MiniPlasma / PoC_AbortHydration_ArbitraryRegKey_EoP. It is not part of Metasploit/Nuclei or another exploit framework. The repository contains one primary exploit source file (Program.cs), a solution/project file, standard assembly metadata, and vendored NuGet package artifacts for Costura.Fody, Fody, and TaskScheduler. The README states the bug is a re-investigation/weaponization of the Cloud Files issue previously associated with CVE-2020-17103 and claims reliable SYSTEM shell execution on affected Windows systems.

The exploit is a local privilege escalation PoC targeting Windows Cloud Files behavior exposed through cldapi.dll. Program.cs imports CfAbortOperation and CfGetPlatformInfo, uses NtApiDotNet for low-level token/thread/registry operations, and includes logic to open registry keys with varying access rights, rewrite security descriptors, recursively delete registry trees, and monitor registry changes. Hardcoded registry targets include \Registry\User\.DEFAULT\Software\Policies\Microsoft, its CloudFiles and BlockedApps subkeys, and \Registry\User\.DEFAULT\Volatile Environment. The code also contains a force-token thread that repeatedly sets and clears impersonation tokens, indicating a race/impersonation component.

The final stage shown in the provided content duplicates an effective token, sets its session ID based on named-pipe-derived session information, and launches C:\Windows\System32\conhost.exe as that token, which aligns with the README claim of spawning a SYSTEM shell. Because the exploit includes a concrete post-exploitation action rather than mere crash/detection logic, it is best classified as OPERATIONAL rather than a simple POC. No external network C2 or remote endpoints are present; the attack vector is purely local, relying on Windows internals, registry manipulation, token abuse, and race timing.
This repository is a real local privilege escalation exploit implementation for CVE-2020-17103, presented as a modified version of MiniPlasma adapted for in-memory/C2-style use. It is not a scanner or detector. The project is a Visual Studio C#/.NET Framework 4.8 solution with two meaningful code components: Program.cs is the main exploit, and MiniRunner.cs is a small helper launcher intended to run as SYSTEM. The rest of the repository is mostly project metadata, package manifests, and bundled NuGet build files for Costura.Fody, Fody, and TaskScheduler.

Program.cs performs the exploit chain locally on Windows. It uses NtApiDotNet and direct registry object access to manipulate security descriptors on .DEFAULT registry keys, creates a symbolic link from CloudFiles\BlockedApps to .DEFAULT\Volatile Environment, repeatedly calls CfAbortOperation from cldapi.dll, and coordinates timing with background threads that monitor registry changes and impersonation behavior. After preparing the registry state, it sets the .DEFAULT\Volatile Environment\windir value to an attacker-controlled directory under C:\ProgramData\mp_<id>. It then creates a fake System32 subdirectory there and drops the embedded helper binary as wermgr.exe. Next it runs the scheduled task \Microsoft\Windows\Windows Error Reporting\QueueReporting, which causes Windows Error Reporting to resolve and execute the attacker-controlled wermgr.exe path under SYSTEM. The exploit uses a per-run named pipe and a config file in C:\ProgramData to coordinate between the main process and the helper.

MiniRunner.cs is the second-stage helper. It reads C:\ProgramData\mp_*.cfg to obtain the named pipe name and payload path, connects to the named pipe, derives the session ID, duplicates its own SYSTEM token, sets the token session to the interactive user session, and launches the chosen payload with CreateProcessAsUserW. This gives the operator a SYSTEM process on the user desktop.
By default the payload path is C:\Windows\System32\conhost.exe, but the README indicates an arbitrary executable path can be supplied on the command line.

Repository structure: MiniPlasma.csproj and MiniPlasma.sln define the build; Program.cs is the main exploit entry point; MiniRunner.cs is a separately compiled helper that becomes runner.bin and is embedded as a resource; README.md explains the adaptation for execute-assembly/C2 usage and build steps; packages.config and the packages/ tree provide dependencies and build-time embedding support.

Overall purpose: weaponized adaptation of a public Windows LPE PoC into an operational memory-friendly runner that briefly drops only a tiny helper to disk, then cleans up artifacts after spawning a SYSTEM payload.
This repository is a small standalone Visual Studio C# proof-of-concept named MiniPlasma. It contains one executable project targeting .NET Framework 4.7.2 and depends on NtApiDotNet 1.1.28 for low-level NT token, thread, process, and registry operations. The README explicitly references CVE-2020-17103 and suggests the issue may still be exploitable. Repository structure is minimal: a solution file, one C# project, standard assembly metadata, app config, NuGet package metadata, and a single substantive source file (Program.cs). All exploit logic resides in Program.cs.

The exploit is a local Windows EoP PoC centered on Cloud Files API behavior. It imports CfAbortOperation and CfGetPlatformInfo from cldapi.dll, verifies platform support, and then executes a staged workflow. Stage0 spawns the same executable multiple times with stage arguments. Stage1 starts a registry change watcher thread and a second thread that continuously toggles an anonymous impersonation token on the current thread, then repeatedly calls CfAbortOperation in a tight loop. This strongly suggests a race/impersonation attack intended to influence how privileged registry operations are performed. Stage2 opens the CloudFiles policy key under \Registry\User\.DEFAULT\Software\Policies\Microsoft\CloudFiles, weakens/modifies its security descriptor, recursively deletes subkeys, and creates a registry symbolic link so that BlockedApps points to \Registry\User\.DEFAULT\DEMODEMO. It then re-enters the Stage1 race loop. Stage3 removes the symbolic link and resets security on the target key.

Supporting functions recursively delete registry trees, forcibly reopen keys with different access rights, and set permissive DACL/mandatory label security descriptors. There are no network callbacks, C2 endpoints, or remote targets. The only fingerprintable targets are local Windows registry paths and the Cloud Files DLL.
Overall, this is a genuine local privilege-escalation PoC for arbitrary registry key manipulation via Cloud Files abort hydration behavior, not a scanner or detection script.
This repository is a small Visual Studio C# proof-of-concept named MiniPlasma. It contains one executable project targeting .NET Framework 4.7.2 and using the NtApiDotNet library for low-level Windows object, token, thread, process, and registry operations. The README explicitly references CVE-2020-17103 and suggests the technique still works. Repository structure is minimal: a solution file, one C# project, config files, and a single substantive source file (Program.cs).

Program.cs implements a staged local exploit flow. Stage0 launches additional instances of the same executable with arguments 1, 2, and 3. Stage1 starts a registry change-monitoring thread and a racing impersonation thread that repeatedly sets and clears an anonymous impersonation token on the current thread while continuously calling CfAbortOperation via cldapi.dll. Stage2 opens the CloudFiles policy registry key under HKU\.DEFAULT, weakens its security descriptor, recursively deletes subkeys, then creates a registry symbolic link from CloudFiles\BlockedApps to \Registry\User\.DEFAULT\DEMODEMO before invoking Stage1 again. Stage3 removes the symbolic link and resets security on the target key.

Core capabilities include: opening registry keys with fallback anonymous impersonation, forcibly changing DACL/mandatory label security descriptors, recursively deleting registry trees, creating registry symbolic links, monitoring registry changes, spawning helper stages, and invoking Cloud Files API functions CfGetPlatformInfo and CfAbortOperation. There is also an alternate code path that accepts credentials and impersonates a supplied logon token before calling CfAbortOperation. No network communication, C2, or remote delivery is present. The exploit is strictly local and functions as an elevation-of-privilege/arbitrary registry key manipulation PoC rather than a full weaponized exploit with a post-exploitation payload such as a shell.
The most fingerprintable artifacts are the CloudFiles-related registry paths, the target DEMODEMO registry key, and the dependency on cldapi.dll.
49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Publicly disclosed vulnerability referenced as MiniPlasma.
A previously known vulnerability, described as an incompletely fixed five-year-old bug.
Windows vulnerability previously disclosed by Nightmare Eclipse and fixed by Microsoft in the June Patch Tuesday release.
Windows Cloud Files Mini Filter Driver elevation-of-privilege vulnerability originally patched in 2020 and re-addressed in June 2026 because of issues uncovered in the earlier patch; tied to the Chaotic Eclipse/MiniPlasma disclosures.