MiniPlasma PoC bypasses Windows 11 May 2026 patches
Key insights
- CVE-2020-17103 was reported to Microsoft in 2020 and marked patched, but the underlying cldflt.sys flaw survived through May 2026 cumulative updates.
- Researcher Chaotic Eclipse has released multiple Windows zero-days publicly in direct protest of Microsoft Security Response Center bug-bounty handling practices.
- MiniPlasma grants full SYSTEM-level access on fully patched Windows 11, leaving enterprise defenders with no vendor-provided mitigation or patch timeline.
Why this matters
Microsoft's practice of closing CVEs without fully resolving the root cause creates a false compliance signal for enterprise teams relying on patch status for audit attestations and cyber insurance obligations. A researcher using public exploit releases as leverage in bounty disputes sets a precedent that could accelerate the frequency of weaponized zero-day disclosures across the industry. With SYSTEM-level privilege escalation available on every fully patched Windows 11 endpoint and no patch timeline announced, security teams must now weigh compensating controls against an indefinite exposure window.
Summary
A working exploit for a Windows flaw Microsoft claimed fixed in 2020 is now public, with no current patch available.
Researcher Chaotic Eclipse released MiniPlasma targeting cldflt.sys to grant SYSTEM-level access on fully patched Windows 11. CVE-2020-17103 was marked resolved in 2020, but the root cause survived all patches since, including the May 2026 cumulative update.
Essentially: Chaotic Eclipse and Microsoft MSRC are in a standoff over a kernel bug that outlived its own fix.
- MiniPlasma is one of several Windows zero-days Chaotic Eclipse released protesting MSRC bug-bounty handling practices.
- The exploit works on Windows 11 with May 2026 cumulative updates fully applied; no vendor mitigation currently exists.
- CVE-2020-17103 was assigned in 2020 and marked closed, but the core cldflt.sys flaw was never eliminated.
Public exploits used as bounty-dispute leverage are escalating, and enterprise defenders absorb the cost each time.
Potential risks and opportunities
Risks
- Enterprise Windows 11 fleets in regulated sectors (healthcare, critical infrastructure, finance) face active exploitation risk with no patch ETA, threatening compliance posture under HIPAA, NERC CIP, and PCI DSS frameworks
- Threat actors can integrate the public MiniPlasma PoC into ransomware deployment chains targeting fully patched systems before Microsoft issues a fix, removing 'fully patched' as a meaningful defense signal
- Microsoft faces enterprise customer disputes over CVE-2020-17103's closed status, which security teams cited in patch-compliance attestations to auditors and cyber insurers over the past six years
Opportunities
- EDR vendors (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) can differentiate immediately by shipping behavioral detection rules targeting MiniPlasma cldflt.sys exploitation patterns ahead of any official patch
- Privileged Access Management and least-privilege vendors (BeyondTrust, CyberArk, Ivanti) gain a direct sales argument for kernel-level privilege restriction layers that block SYSTEM escalation regardless of patch status
- Bug bounty platforms (HackerOne, Bugcrowd) and coordinated disclosure advisors gain leverage to position structured disclosure standards as an alternative to MSRC's contested model, particularly with enterprise customers now bearing the cost of the dispute
What we don't know yet
- Whether Microsoft has acknowledged MiniPlasma specifically and committed to any remediation timeline beyond the May 2026 update cycle
- What the MSRC bug-bounty dispute with Chaotic Eclipse involves in concrete terms, including disputed payout amounts, researcher credit decisions, or scope disagreements
- How many other CVEs from Chaotic Eclipse's 2020 reports remain incompletely patched in current Windows builds alongside CVE-2020-17103
Originally reported by bleepingcomputer.com
Original headline: New Windows 'MiniPlasma' Zero-Day Exploit Gives SYSTEM Access on Fully Patched Systems, PoC Released