A cybersecurity researcher, known by the monikers Chaotic Eclipse and Nightmare Eclipse, has unveiled a proof-of-concept exploit for a Windows privilege escalation zero-day vulnerability referred to as “MiniPlasma.” This exploit enables attackers to gain SYSTEM privileges on fully patched Windows systems, raising significant concerns within the cybersecurity community.
The researcher published both the source code and a compiled executable on GitHub, asserting that Microsoft has not adequately addressed a vulnerability reported back in 2020. The flaw in question affects the cldflt.sys Cloud Filter driver and its HsmOsBlockPlaceholderAccess routine, originally identified by Google Project Zero researcher James Forshaw in September 2020. This vulnerability was assigned the CVE-2020-17103 identifier and was purportedly resolved in December 2020.
Chaotic Eclipse stated, “After investigating, it turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched.” The researcher said it is unclear whether Microsoft never patched the issue or whether the patch was silently rolled back for unknown reasons. “The original PoC by Google worked without any changes,” they added.
In testing conducted by BleepingComputer on a fully patched Windows 11 Pro system, the exploit successfully opened a command prompt with SYSTEM privileges when executed from a standard user account.
Will Dormann, principal vulnerability analyst at Tharros, confirmed the exploit’s effectiveness in his tests on the latest public version of Windows 11, although he noted that it did not function in the latest Windows 11 Insider Preview Canary build. The exploit appears to abuse the way the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. Forshaw’s original report indicated that the flaw could permit arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, thereby facilitating privilege escalation.
Despite Microsoft’s assertion that the bug was fixed as part of its December 2020 Patch Tuesday updates, Chaotic Eclipse now contends that the vulnerability remains exploitable. BleepingComputer has reached out to Microsoft for comment on this zero-day and will provide updates as they become available.
Researcher behind the recent string of Windows zero-days
MiniPlasma is the latest in a series of Windows zero-day disclosures from the researcher over recent weeks. This disclosure trend began in April with BlueHammer, a Windows local privilege escalation flaw tracked as CVE-2026-33825, followed by another privilege escalation vulnerability named RedSun and a Windows Defender DoS tool called UnDefend. Following their disclosures, all three vulnerabilities were observed being exploited in attacks. Chaotic Eclipse claims that Microsoft quietly patched the RedSun issue without assigning it a CVE identifier.
This month, the researcher also introduced two additional exploits: YellowKey and GreenPlasma. YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025, allowing a command shell to spawn and gain access to unlocked drives protected by TPM-only BitLocker configurations.
Chaotic Eclipse has said that their public disclosures of these Windows zero-days are a form of protest against Microsoft’s bug bounty and vulnerability-handling processes. “Normally, I would go through the process of begging them to fix a bug, but to summarize, I was told personally by them that they will ruin my life,” the researcher alleged. “They mopped the floor with me and pulled every childish game they could. It was so bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer.”
Microsoft has previously communicated to BleepingComputer that it supports coordinated vulnerability disclosure and is dedicated to investigating reported security issues while protecting customers through timely updates.