CVE-2020-17103

HIGH

Windows Cloud Files Mini Filter Driver - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 8 public exploits for CVE-2020-17103. PoCs published by Nightmare-Eclipse, AlexLinov, 0xBlackash.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2020-17103, leveraging a race condition in Windows Cloud Experience Host to achieve local privilege escalation (LPE) via registry key manipulation and token impersonation.

Description

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploits (8)

nomisec WORKING POC 38 stars

by Nightmare-Eclipse · poc

https://github.com/Nightmare-Eclipse/MiniPlasma

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-17103, leveraging a race condition in Windows Cloud Experience Host to achieve local privilege escalation (LPE) via registry key manipulation and token impersonation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Windows 10 (specific versions affected by CVE-2020-17103)

No auth needed

Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code as a low-privileged user

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 19, 2026 Full analysis →

nomisec WORKING POC 2 stars

by AlexLinov · poc

https://github.com/AlexLinov/MiniPlasma-Runner

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-17103, leveraging a Windows Error Reporting (WER) task to achieve local privilege escalation (LPE) by manipulating registry keys and executing a payload as SYSTEM. The exploit chain involves registry manipulation, token impersonation, and process creation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Windows (specific versions affected by CVE-2020-17103)

Auth required

Prerequisites: Local access to a vulnerable Windows system · Ability to execute code as a non-privileged user

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 21, 2026 Full analysis →

nomisec WORKING POC

by 0xBlackash · poc

https://github.com/0xBlackash/CVE-2020-17103

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-17103, a local privilege escalation vulnerability in Windows Error Reporting (WER). The exploit leverages a race condition and registry manipulation to execute arbitrary code as SYSTEM by hijacking the WER task.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Windows Error Reporting (WER) on Windows 10/Server 2019

Auth required

Prerequisites: Local access to a vulnerable Windows system · Ability to execute code as a low-privileged user

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Jun 08, 2026 Full analysis →

nomisec SUSPICIOUS

by rfranca777 · poc

https://github.com/rfranca777/miniplasma-advisory

View Code ZIP pw:eip

The repository claims to provide a technical mitigation advisory for CVE-2020-17103 but only contains a README with a link to an external PDF download. No actual exploit code or technical details are provided.

Classification

Suspicious 90%

Attack Type

Other

Complexity

Theoretical

Reliability

Theoretical

Target: Windows Cloud Files Mini Filter Driver (cldflt.sys)

No auth needed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Jun 04, 2026 Full analysis →

nomisec SCANNER

by arch1m3d · poc

https://github.com/arch1m3d/MiniPlasma-Detection

View Code ZIP pw:eip

This repository contains a Sigma detection rule for identifying the exploitation of CVE-2020-17103, a Windows local privilege escalation vulnerability involving a race condition in cldflt.sys to hijack the windir environment variable. The rule detects registry writes to USER\.DEFAULT\Volatile Environment\windir, a key exploit primitive.

Classification

Scanner 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows 11 (fully patched as of May 2026)

Auth required

Prerequisites: Access to a Windows system with sufficient privileges to write to the registry · Sigma rule engine for detection

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 19, 2026 Full analysis →

nomisec WORKING POC

by CaptainChicky · poc

https://github.com/CaptainChicky/MiniPlasma

View Code ZIP pw:eip

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Windows 10 (Cloud Experience Host)

Auth required

Prerequisites: Local user access · Windows 10 with Cloud Experience Host enabled

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 29, 2026 Full analysis →

nomisec WORKING POC

by mohammadzarnian1357 · poc

https://github.com/mohammadzarnian1357/MiniPlasma

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-17103, leveraging the CfAbortOperation API to manipulate registry keys and achieve privilege escalation. The PoC demonstrates arbitrary registry key manipulation and symbolic link creation to escalate privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows Cloud Experience Host (cldapi.dll)

No auth needed

Prerequisites: Access to a vulnerable Windows system with Cloud Experience Host enabled

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 25, 2026 Full analysis →

nomisec WORKING POC

by 0xDimas · poc

https://github.com/0xDimas/MiniPlasma

View Code ZIP pw:eip

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows (specific versions affected by CVE-2020-17103)

No auth needed

Prerequisites: Access to a vulnerable Windows system · Ability to execute the compiled binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 19, 2026 Full analysis →

References (3)

Core 3

Core References

Patch, Vendor Advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17103

Various Sources

https://github.com/Nightmare-Eclipse/MiniPlasma

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17103

Scores

CVSS v3 7.0

EPSS 0.0117

EPSS Percentile 79.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-269

Status published

Products (37)

Microsoft/Windows 10 Version 1803 10.0.0 - publication

Microsoft/Windows 10 Version 1809 10.0.0 - publication

Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8880

Microsoft/Windows 10 Version 1809 10.0.17763.0 - publication

Microsoft/Windows 10 Version 1903 for 32-bit Systems 10.0.0 - publication

Microsoft/Windows 10 Version 1903 for ARM64-based Systems 10.0.0 - publication

Microsoft/Windows 10 Version 1903 for x64-based Systems 10.0.0 - publication

Microsoft/Windows 10 Version 1909 10.0.0 - publication

Microsoft/Windows 10 Version 2004 10.0.0 - publication

Microsoft/Windows 10 Version 20H2 10.0.0 - publication

... and 27 more

Published Dec 10, 2020

Tracked Since Feb 18, 2026