MiniPlasma zero-day flaw CVE-2020-17103 exposes Windows systems
15 May 2026
Threat actors are exploiting the MiniPlasma elevation of privilege zero day vulnerability to gain SYSTEM level access on fully patched Windows systems.
This previously disclosed Microsoft Windows Elevation of Privilege vulnerability, CVE-2020-17103, has recently resurfaced in underground threat actor discussions and public exploitation guidance forums. The vulnerability was recently referenced by the threat actor/research group “Nightmare-Eclipse,” known for projects such as YellowKey and GreenPlasma, increasing renewed attention around possible exploitation attempts against vulnerable and unpatched Windows environments.
As of now, there is limited public reporting, technical blogging, or security advisory coverage available regarding this renewed activity. SharkStriker is among the early security teams proactively identifying, tracking, and communicating this exposure to customers and internal stakeholders for preventive security awareness.
About the MiniPlasma zero day vulnerability
CVE Identifier: CVE-2020-17103
CVSS Score: 7.8 (HIGH) – CVSS v3.1
Vendor + Component Impacted:
Microsoft Windows – Cloud Files Mini Filter Driver (cldflt.sys)
Discovery Timeline:
Originally disclosed and patched by Microsoft in December 2020.
Recently resurfaced in threat actor discussions and public PoC references during ongoing underground security discussions in 2026.
Impact
CVE-2020-17103 is a Windows Elevation of Privilege vulnerability affecting the Cloud Files Mini Filter Driver component. Successful exploitation may allow a locally authenticated attacker with low privileges to escalate access to SYSTEM-level permissions.
Potential threats include:
- SYSTEM-level administrative compromise of endpoints.
- Tampering or disabling of EDR/XDR and security monitoring tools.
- Deployment of ransomware, persistence mechanisms, or malicious payloads.
- Credential theft and unauthorized access to enterprise-sensitive data.
- Lateral movement across enterprise infrastructure.
- Post-compromise privilege escalation following phishing or malware infection.
The vulnerability does not require user interaction and may be leveraged after initial compromise activities.
Official Mitigation Guide
Microsoft released official security patches for CVE-2020-17103 as part of the December 2020 Patch Tuesday release cycle.
Organizations are advised to:
- Apply the latest cumulative Microsoft security updates.
- Review patch compliance for all Windows systems.
- Monitor for suspicious privilege escalation activities.
- Restrict unnecessary cloud synchronization services where not operationally required.
- Ensure EDR/XDR monitoring and alerting is enabled.
SharkStriker’s Recommendations
SharkStriker recommends the following immediate actions:
- Validate patch compliance across all Windows endpoints and servers.
- Prioritize patching of internet-facing and business-critical systems.
- Monitor for abnormal SYSTEM-level process creation and privilege escalation behavior.
- Enforce least privilege access policies and review local administrator memberships.
- Conduct proactive threat hunting for exploitation indicators related to cldflt.sys activity.
- Ensure security monitoring solutions are properly configured and operational.
Our Threat Intelligence and SOC teams have proactively identified and tracked the renewed discussions surrounding CVE-2020-17103 at an early stage, despite the current limited public reporting and technical coverage available across the security community.
SharkStriker Actions:
As part of our proactive security operations:
- Continuous real-time threat intelligence monitoring of underground forums, dark web channels, and publicly referenced exploitation discussions related to CVE-2020-17103.
- Comprehensive validation of detection visibility, alert coverage, and monitoring fidelity across all managed customer environments.
- In-depth review of telemetry, endpoint behavioral data, and suspicious indicators associated with privilege escalation, kernel-mode anomalies, and post-compromise activity patterns.
- Proactive threat hunting operations to identify potential exploitation attempts, anomalous SYSTEM-level behaviors, and early-stage attack indicators before they escalate.
Through continuous monitoring, real-time telemetry analysis, advanced detection engineering, behavioral analytics, and proactive threat hunting operations, STRIEGO enables enhanced visibility across enterprise environments and supports rapid identification of suspicious activities before they escalate into major security incidents.
The platform’s detection coverage and operational visibility further strengthen SharkStriker’s capability to provide early threat identification, proactive defense monitoring, rapid incident visibility, and continuous security assurance against emerging cyber threats and exploitation activities.
Links to Relevant Blogs / Articles
- https://nvd.nist.gov/vuln/detail/CVE-2020-17103
- https://github.com/Nightmare-Eclipse/MiniPlasma