Chaotic Eclipse Releases Windows SYSTEM Zero-Day PoC, Exposing 2020-Flaw on Fully Patched PCs

4 articles · Updated · The Hacker News · May 18
  • MiniPlasma lets attackers spawn a SYSTEM shell on fully patched Windows machines, with Chaotic Eclipse publishing a proof-of-concept for the privilege-escalation flaw.
  • The bug sits in cldflt.sys — the Windows Cloud Files Mini Filter Driver — and affects the HsmOsBlockPlaceholderAccess routine, which the researcher said remains vulnerable across likely all Windows versions.
  • James Forshaw first reported the issue to Microsoft in September 2020, and it was thought fixed in December 2020 under CVE-2020-17103, but Chaotic Eclipse said the original Google PoC still works unchanged.
  • Will Dormann said MiniPlasma reliably opened a SYSTEM-level cmd.exe on Windows 11 with the May 2026 updates, though he said it did not appear to work on the latest Insider Preview Canary build.
  • The disclosure adds to scrutiny of cldflt.sys after Microsoft patched another privilege-escalation flaw in the same component in December 2025, a CVE-2025-62221 bug it said had been exploited in the wild.
How did a Windows bug, supposedly fixed in 2020, return to haunt fully patched systems in 2026?
Is releasing zero-days in protest the only way for researchers to hold tech giants accountable for security?

Chaotic Eclipse’s 2026 Windows Zero-Day Disclosures: BitLocker Bypass, Defender, and CTFMON Exploits Threaten Global Security

Overview

As of mid-May 2026, the Windows cybersecurity landscape faces immediate and severe threats due to a wave of zero-day vulnerabilities released by the researcher Chaotic Eclipse, also known as Nightmare-Eclipse. Following unsatisfactory communications with Microsoft’s Security Response Center, Chaotic Eclipse publicly disclosed critical flaws, including a patched but actively exploited Microsoft Defender privilege escalation (CVE-2026-33825) and new exploits for BitLocker bypass (YellowKey) and CTFMON privilege escalation (GreenPlasma). These actions have created urgent risks for both individuals and enterprises, highlighting the need for rapid patching and proactive defense against weaponized vulnerabilities.

...