惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
L
LINUX DO - 热门话题
Blog — PlanetScale
Blog — PlanetScale
博客园 - Franky
J
Java Code Geeks
腾讯CDC
博客园 - 聂微东
The Cloudflare Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 司徒正美
Last Week in AI
Last Week in AI
量子位
Stack Overflow Blog
Stack Overflow Blog
Microsoft Security Blog
Microsoft Security Blog
Google DeepMind News
Google DeepMind News
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
Schneier on Security
C
CERT Recently Published Vulnerability Notes
Latest news
Latest news
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
有赞技术团队
有赞技术团队
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
S
Securelist
AWS News Blog
AWS News Blog
GbyAI
GbyAI
L
LINUX DO - 最新话题
大猫的无限游戏
大猫的无限游戏
Forbes - Security
Forbes - Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Attack and Defense Labs
Attack and Defense Labs
C
CXSECURITY Database RSS Feed - CXSecurity.com
Y
Y Combinator Blog
W
WeLiveSecurity
T
Threatpost
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Proofpoint News Feed
D
DataBreaches.Net
博客园 - 三生石上(FineUI控件)
V
V2EX
N
News and Events Feed by Topic
Google DeepMind News
Google DeepMind News
D
Docker
The Hacker News
The Hacker News
A
About on SuperTechFans
Security Latest
Security Latest
NISL@THU
NISL@THU
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cisco Talos Blog
Cisco Talos Blog
博客园_首页
H
Hacker News: Front Page

Security Affairs

Agent’s claims on WhatsApp access spark security concerns Meta accused of violating DSA by failing to safeguard minors Large-scale Roblox hacking operation shut down by Ukrainian authorities CVE-2026-42208: LiteLLM bug exploited 36 hours after its disclosure Internet censorship index reveals Russia’s lead and widespread content blocking All supported cPanel versions hit by critical auth bug, now patched U.S. CISA adds Microsoft Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog ShinyHunters exploit Anodot incident to target Vimeo CVE-2026-3854 GitHub flaw enables remote code execution Signal Phishing Campaign Targets German Officials in Suspected Russian Operation Microsoft fixes Entra ID flaw enabling privilege escalation New Android spyware Morpheus linked to Italian surveillance firm NCSC launches SilentGlass, a plug-in device to secure HDMI and DisplayPort links Medtronic discloses security incident after ShinyHunters claimed theft of 9M+ records Chinese spy posed as researcher in spear-phishing campaign targeting NASA to steal defense software LINKEDIN BROWSERGATE Firefox bug CVE-2026-6770 enabled cross-site tracking and Tor fingerprinting Fast16: Pre-Stuxnet malware that targeted precision engineering software Italy moves to extradite Chinese national to the U.S. over hacking charges U.S. utility giant Itron discloses a security breach Critical bug in CrowdStrike LogScale let attackers access files GopherWhisper: new China-linked APT targets Mongolia with Go-based malware SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 94 Trigona ransomware adopts custom tool to steal data and evade detection Security Affairs newsletter Round 574 by Pierluigi Paganini – INTERNATIONAL EDITION U.S. CISA adds SimpleHelp, Samsung, and D-Link flaws to its Known Exploited Vulnerabilities catalog Over 400,000 sites at risk as hackers exploit Breeze Cache plugin flaw (CVE-2026-3844) CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network 12-year-old Pack2TheRoot bug lets Linux users gain root privileges Signal phishing campaign targets Germany’s Bundestag President Julia Klöckner China-linked threat actors use consumer device botnets to evade detection, warn UK and partners Luxury cosmetics giant Rituals discloses data breach impacting member personal details iOS Flaw Let Deleted Notifications Linger, Apple Issues Fix RAMP Uncovered: Anatomy of Russia’s Ransomware Marketplace U.S. CISA adds a flaw in Microsoft Defender to its Known Exploited Vulnerabilities catalog Microsoft Graph API misused by new GoGra Linux malware for hidden communication DDoS wave continues as Mastodon hit after Bluesky incident Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw Critical BRIDGE:BREAK flaws impact Lantronix and Silex Technology converters Venezuela energy sector targeted by highly destructive Lotus wiper Ransomware negotiator caught secretly assisting BlackCat extortion scheme North Korea’s Lazarus APT stole $290M from Kelp DAO The US NSA is using Anthropic’s Claude Mythos despite supply chain risk U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility France’s ANTS ID System website hit by cyberattack, possible data breach Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft CVE-2023-33538 under attack for a year, but exploitation still unsuccessful Third-party AI hack triggers Vercel breach, internal environments accessed AI Model Claude Opus turns bugs into exploits for just $2,283 Cyber attacks fuel surge in cargo theft across logistics industry SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 93 Security Affairs newsletter Round 573 by Pierluigi Paganini – INTERNATIONAL EDITION Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware Nexcorium Mirai variant exploits TBK DVR flaw to launch DDoS attacks Microsoft Defender under attack as three zero-days, two of them still unpatched, enable elevated access Kyrgyzstan-based crypto exchange Grinex shuts down after $13.7M cyber heist, blames Western Intelligence DraftKings hacker sentenced to prison, ordered to pay $1.4 Million Operation PowerOFF: 53 DDoS domains seized and 3 Million criminal accounts uncovered Inside ZionSiphon: politically driven malware aims at Israeli water systems U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog Cisco fixed four critical flaws in Identity Services and Webex Cookeville Regional Medical Center hospital data breach impacts 337,917 people AI platform n8n abused for stealthy phishing and malware delivery From clinics to government: UAC-0247 expands cyber campaign across Ukraine Sweden reports cyberattack attempt on heating plant amid rising energy threats CVE-2026-33032: severe nginx-ui bug grants unauthenticated server access U.S. CISA adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog Mirax malware campaign hits 220K accounts, enables full remote control PHP Composer flaws enable remote command execution via Perforce VCS Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day Personal data of 1 million gym members compromised in Basic-Fit security incident US, UK and Canada disrupt $45M crypto theft in Operation Atlantic ShinyHunters claim the hack of Rockstar Games breach and started leaking data Attackers target unpatched ShowDoc servers via CVE-2025-0520 U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog Fake Claude AI installer abuses DLL sideloading to deploy PlugX Hackers access Booking.com user data, company secures systems iPhone forensics expose Signal messages after app removal in U.S. case Citizen Lab: Webloc tracked 500M devices for global law enforcement Iran-linked group Handala claims to have breached three major UAE organizations CPUID watering hole attack spreads STX RAT malware Adobe fixes actively exploited Acrobat Reader flaw CVE-2026-34621 Hackers claim control over Venice San Marco anti-flood pumps SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 92 Security Affairs newsletter Round 572 by Pierluigi Paganini – INTERNATIONAL EDITION Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S. GlassWorm evolves with Zig dropper to infect multiple developer tools CVE-2026-39987: Marimo RCE exploited in hours after disclosure Ransomware attack on ChipSoft knocks EHR services offline across hospitals in the Netherlands and Belgium UAT-10362 linked to LucidRook attacks targeting Taiwan-based institutions EngageLab SDK flaw opens door to private data on 50M Android devices Bitcoin Depot hack leads to $3.6M Bitcoin theft via stolen credentials Eurail data breach impacted 308,777 people Malicious PDF reveals active Adobe Reader zero-day in the wild Masjesu botnet targets IoT devices while evading high-profile networks The alleged breach of China’s National Supercomputing Center can have serious geopolitical consequences Internet-Exposed ICS Devices Raise Alarm for Critical Sectors U.S. CISA adds a flaw in Ivanti EPMM to its Known Exploited Vulnerabilities catalog
Chaotic Eclipse discloses MiniPlasma zero-day, suggesting a missing or undone 2020 Windows security fix
Pierluigi Pa · 2026-05-18 · via Security Affairs

MiniPlasma: a Windows SYSTEM privilege escalation believed patched in 2020 (CVE-2020-17103) is still fully working on every patched Windows 11.

Once again, security researcher Chaotic Eclipse has released a proof-of-concept exploit for a new Windows privilege escalation zero-day called MiniPlasma, which can grant attackers SYSTEM privileges on fully patched systems.

The flaw affects “cldflt.sys,” the Windows Cloud Files Mini Filter Driver, specifically within the “HsmOsBlockPlaceholderAccess” routine. Google Project Zero researcher James Forshaw originally reported the vulnerability to Microsoft in September 2020.

“After re-investigating the technique used in GreenPlasma (specifically SetPolicyVal), it turns out cldflt!HsmOsBlockPlaceholderAccess is still vulnerable to the exact same issue that was reported to Microsoft 6 years ago. I’m not taking full credit for this, James Forshaw from google project zero found the vulnerability and reported it to Microsoft and was supposedly fixed as CVE-2020-17103.” Chaotic Eclipse wrote.

“However, a research who’s a friend of mine pointed out that the routine might still have a vulnerability, which is something I considered but brushed off because I thought it was impossible for Microsoft to just not patch this or rollback the patch.”

Chaotic Eclipse investigated further and found that the exact same vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification. The researcher then weaponized it to spawn a SYSTEM shell and published it as MiniPlasma, noting that reliability may vary due to the exploit’s race-condition nature, but that it worked consistently across their test environments.

“After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched. I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes.” Chaotic Eclipse added. “To highlight this issue, I weaponized the original PoC to spawn a SYSTEM shell. It seems to work reliably in my machines but success rate may vary since it’s a race condition. I believe all Windows versions are affected by this vulnerability.”

Will Dormann, a popular cybersecurity researcher, independently confirmed the result: MiniPlasma opens a cmd.exe prompt with SYSTEM privileges on Windows 11 running the latest patches. He noted it does not work on the Insider Preview Canary build, which suggests Microsoft may be addressing it there, but that provides little comfort to the hundreds of millions of users running production Windows 11 builds.

“New from Nightmare-Eclipse, we have MiniPlasma [github.com]Dormann wrote. “Works reliably to get a SYSTEM cmd.exe prompt on Win11 (including 26H1) with May’s updates. Is reportedly a failure to properly fix CVE-2020-17103 [msrc.microsoft.com]. I’ll note that it does not seem to work on the latest Insider Preview Canary Windows 11.”

Mysteriously, a patch reportedly confirmed in 2020 appears to have disappeared. The issue goes beyond delayed updates and raises broader concerns about the reliability and completeness of Windows patch management, leaving organizations questioning whether fully patched systems are truly secure.

But now, let’s focus on Chaotic Eclipse.

There is a GitHub profile called Nightmare-Eclipse. Behind it, a researcher who goes by Chaotic Eclipse. In the span of a few weeks, this individual has published working exploit code for five separate Windows vulnerabilities, some previously unknown, some believed to have been patched years ago but apparently still very much alive. The disclosures triggered a wave of zero-days that put Microsoft under pressure, raised concerns about the reliability of its patches, and revived the long-running debate over whether publishing exploit code promotes transparency or creates greater security risks.

To understand the significance of what Chaotic Eclipse has published, it helps to lay out the full picture of what has been disclosed so far.

The first two flaws in the Defender series, BlueHammer, RedSun, and UnDefend, appeared in April. BlueHammer and RedSun let attackers escalate privileges locally in Microsoft Defender. UnDefend instead triggers a denial-of-service, blocking security definition updates and weakening protection. Microsoft addressed BlueHammer as CVE-2026-33825, but RedSun and UnDefend remained unpatched. Within days of the public release, Huntress researchers observed real-world exploitation of all three. Attackers began using BlueHammer on April 10, then moved to the proof-of-concept code for RedSun and UnDefend on April 16, following the publicly available exploit code with a precision that left little doubt about where the attack playbook had come from.

Then came YellowKey and GreenPlasma, two more Windows zero-days disclosed by the same researcher and reported by Security Affairs. YellowKey is a BitLocker bypass issue that affects Windows 11 and Windows Server 2022/2025 systems. The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE). The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition. What makes this flaw particularly unsettling is not just its functionality but also the researcher’s commentary on its origins: the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality.

Chaotic Eclipse drew an uncomfortable conclusion from this: “Now why would I say this is a backdoor ? The component that is responsible for this bug is not present anywhere (even in the internet) except inside WinRE image and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal windows installation but without the functionalities that trigger the bitlocker bypass issue. Why ? I just can’t come up with an explanation beside the fact that this was intentional. Also for whatever reason, only windows 11 (+Server 2022/2025) are affect, windows 10 is not.

It is a claim that Microsoft has not publicly addressed. Whether it reflects a genuine design anomaly, an architectural oversight that looks suspicious from the outside, or something else entirely, is not known. What is known is that the flaw works, that it affects Windows 11 and Server 2022/2025, and that Windows 10 is not affected, a distinction that itself raises questions without obvious answers.

The second flaw in that pair, GreenPlasma, targets the Windows Collaborative Translation Framework — the CTFMON subsystem, and enables privilege escalation on Windows 11 and Windows Server 2022/2026 by creating arbitrary memory section objects inside directories writable by SYSTEM. The researcher withheld the full exploit chain but noted that someone with the right skills could complete the escalation from the published material. A partial disclosure that is effectively complete for a skilled attacker is a category that sits uncomfortably between responsible and irresponsible release.

Who Is Chaotic Eclipse?

Tracing a precise profile of the researcher is difficult. They operate under a pseudonym, maintain a GitHub repository under the handle Nightmare-Eclipse, and communicate through a blog and occasional social media posts. The documentation accompanying each release, while not exhaustive, reflects genuine understanding of the underlying mechanisms.

The motivations behind Chaotic Eclipse are not fully clear, but public comments point to frustration with Microsoft’s patching process, a concern shared by many in the security community. By publishing working exploit code instead of following standard coordinated disclosure timelines, the researcher seems to be pushing for faster action and greater accountability. This view is reinforced by the fact that some flaws were quickly patched after public exposure, while others remained unaddressed.

There is also a more serious concern raised in the disclosures, including the possibility that one issue may reflect intentional design rather than a simple vulnerability. Whether or not that is accurate, it shows a more confrontational approach to disclosure than traditional reporting channels.

Overall, this reflects a long-standing divide in security research: some researchers work within vendor programs and disclosure frameworks, while others publish findings directly. The latter approach can pressure companies into fixing issues faster, but it also risks exposing users to active attacks before patches are ready.

The MiniPlasma situation really shows how divided the vulnerability disclosure debate still is, because both sides actually have a point.

Chaotic Eclipse’s argument is based on something concrete: Microsoft originally fixed CVE-2020-17103 back in 2020, yet parts of that fix now seem to be missing in newer Windows builds. Without a public disclosure and a working proof of concept, it’s fair to ask whether the issue would have been noticed at all. We’ve already seen something similar with BlueHammer. Once exploit details became public, Microsoft reacted quickly and pushed out fixes, which suggests that public attention can sometimes force action faster than private reporting alone.

At the same time, the risks of releasing exploit code are very real. Researchers at Huntress have repeatedly pointed out that attackers move fast once proof-of-concept code is available. In some cases, weaponization happens within days. That creates a difficult tradeoff: public research helps defenders and increases pressure on vendors, but it also gives threat actors a shortcut. Even if MiniPlasma is not trivial to exploit consistently, the fact that Windows runs on billions of devices means that any reliable exploit immediately becomes high risk.

That tension is exactly why responsible disclosure became standard practice in cybersecurity. Typically, researchers report vulnerabilities privately, vendors get time to investigate and release a fix, and technical details are published afterward. The process is not perfect, and sometimes vendors move too slowly, but the goal is to reduce unnecessary exposure while still ensuring accountability. Chaotic Eclipse’s approach speeds that timeline up considerably. That can lead to faster patching, but it also reduces the time defenders have before attackers begin experimenting with the same information.

What makes the MiniPlasma story more concerning, though, is not just the disclosure debate itself. The bigger issue is the possibility that a vulnerability fixed years ago may have quietly reappeared. If a patch released in 2020 can effectively disappear because of regressions, refactoring, or build changes, then it challenges a basic assumption many organizations rely on: that once something is patched, it stays fixed.

That matters because modern enterprise security depends heavily on patch management. Microsoft ships hundreds of fixes every year, and security teams generally trust that updates permanently close known holes. If old vulnerabilities can unintentionally return over time, then patching alone is no longer enough. Teams may also need ways to continuously verify that protections are still present after later updates and feature changes.

The fact that related issues have reportedly appeared multiple times in the same component only adds to that concern. From a defender’s perspective, MiniPlasma is less about one exploit and more about what it says regarding software maintenance at scale. It highlights the gap between how patching is supposed to work in theory and how difficult it can be to guarantee in practice across years of development and constant code changes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MiniPlasma)