
A fully patched Windows system is vulnerable to a 6-year-old exploit, originally identified by Google Project Zero, an anonymous researcher has disclosed. It’s the same researcher who has been dropping zero-days in what appears to be a personal vendetta against Microsoft.
Attackers with basic user access have yet another way to seize full Windows control.
A vindictive security researcher, going by the aliases Nightmare-Eclipse on GitHub and Chaotic Eclipse on Blogspot, who has been publishing a stream of Windows exploits, has now released another one.
A tool called “MiniPlasma” spawns a shell with the highest SYSTEM privileges on Windows. Moreover, the bug was already reported to Microsoft six years ago.
The hacker says that Microsoft either never patched a highly severe privilege escalation vulnerability, or “the patch was silently rolled back at some point for unknown reasons.”
In September 2020, Google security researcher James Forshaw reported a privilege escalation flaw in cldflt.sys, a Windows kernel driver that is responsible for OneDrive’s file syncing.
Microsoft released a security advisory in December that year, acknowledging the issue, which was labeled CVE-2020-17103 and assigned a severity score of 7.8 out of 10.
“It turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched,” Nightmare-Eclipse writes in a public release of an exploit targeting the bug.
“The original PoC by Google worked without any changes.”
The released code weaponizes the original proof-of-concept to spawn a SYSTEM shell. The researcher believes it works quite reliably on all Windows versions affected by the vulnerability.
“This one is accidental, I didn't even think cldflt.sys had that vulnerability. Turns out the CVE-2020-17103 patch is just not present at all? The new PoC was tested against fully patched Windows 11 and Windows Server 2025 and managed to flawlessly spawn a SYSTEM shell,” the researcher also writes in his blog.
External researchers confirmed that the exploit is working. Will Dormann, a cybersecurity researcher, shared screenshots demonstrating that the exploit reliably spawns a SYSTEM cmd.exe prompt on Windows 26H1 with May’s updates. However, not all builds are vulnerable: Dormann noted that the bug doesn’t seem to work on the latest Insider Preview Canary build of Windows 11.
According to the original Google Project Zero disclosure, the vulnerable cloud filter driver has a function that allows writing to the Windows registry without enforcing an access check. Normally, this would only affect the user’s own registry section.
However, an attacker can exploit a race condition to trick Windows into forgetting who the current user is.
The attacker briefly flips into ANONYMOUS LOGON, a Windows built-in guest identity, used when the OS can’t identify who’s making the request, while simultaneously triggering the registry write. Windows fails to look up who is writing to the registry and automatically falls back to a shared system-level registry section as a default. The registry writes go through without objection.
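The fail-open fallback described above, reduced to a small Python model next to a fail-closed variant. This is an added example, not code from Windows, Google Project Zero or the released tool; the hive names, the `alice` user and the `owner_only` policy are constructed assumptions, and the race is represented only by which identity is seen at lookup time.

```python
# Simplified model (constructed; not Windows or cldflt.sys code) of a registry
# write helper that picks the target hive from the caller's identity.

ANONYMOUS = "ANONYMOUS LOGON"    # identity that has no per-user hive
DEFAULT_HIVE = "shared-default"  # stand-in for the shared system-level section


class AccessDenied(Exception):
    pass


def new_registry():
    # hive name -> {value name: data}; "alice" is a constructed user
    return {"alice": {}, DEFAULT_HIVE: {}}


def resolve_hive(registry, identity):
    """Return the caller's own hive name, or None when the lookup fails."""
    if identity != DEFAULT_HIVE and identity in registry:
        return identity
    return None


def write_fail_open(registry, identity, name, data):
    """Flawed pattern: a failed lookup falls back to the shared hive,
    and nothing checks whether the caller may write there."""
    hive = resolve_hive(registry, identity) or DEFAULT_HIVE
    registry[hive][name] = data
    return hive


def owner_only(identity, hive):
    # Assumed policy for this model: a caller may write only to its own hive.
    return identity == hive


def write_fail_closed(registry, identity, name, data, can_write=owner_only):
    """Hardened pattern: no fallback target, plus an explicit access check."""
    hive = resolve_hive(registry, identity)
    if hive is None:
        raise AccessDenied(f"no hive for {identity!r}; refusing to fall back")
    if not can_write(identity, hive):
        raise AccessDenied(f"{identity!r} may not write to {hive!r}")
    registry[hive][name] = data
    return hive
```

In the model, a write made while the caller appears as `ANONYMOUS` lands in the shared hive under `write_fail_open` and is rejected under `write_fail_closed`.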
Nightmare-Eclipse previously claimed Microsoft left them “homeless with nothing” and released the Windows Defender privilege escalation exploit on April 2nd, 2026, followed by another exploit on April 15th, both granting the highest (SYSTEM) privileges to attackers. After Patch Tuesday in May, the hacker released a BitLocker encryption bypass and another privilege-escalation zero-day.