Windows Zero-Days Trilogy: Chaotic Eclipse’s Unpatched Assault

Background: Who Is Chaotic Eclipse?

Security researcher Chaotic Eclipse, operating under the GitHub handle Nightmare-Eclipse, has published working exploit code for five separate Windows vulnerabilities in a matter of weeks — some previously unknown, some believed patched years ago but apparently still very much alive.

The disclosures didn’t follow responsible disclosure norms: the researcher published working exploit code rather than wait out a coordinated disclosure timeline. The stated motivation appears to be frustration with Microsoft’s patching process, a concern shared by many in the security community.

The full Nightmare-Eclipse disclosure arc:

  • BlueHammer — Patched (CVE-2026-33825, April Patch Tuesday)
  • RedSun — Unpatched, actively exploited
  • UnDefend — Unpatched, actively exploited
  • YellowKey — Unpatched, no CVE
  • GreenPlasma — Unpatched, no CVE
  • MiniPlasma — Unpatched, linked to dormant CVE-2020-17103

Within days of the initial public releases, Huntress researchers observed real-world exploitation of BlueHammer, RedSun, and UnDefend. Attackers adopted the proof-of-concept code so closely that there was little doubt about where the attack playbook had come from.

MiniPlasma — The Ghost of CVE-2020-17103

Component: cldflt.sys — Windows Cloud Files Mini Filter Driver
Routine: HsmOsBlockPlaceholderAccess
Impact: Local privilege escalation to SYSTEM
Affected: Windows 11 (all versions including 26H1) with May 2026 patches applied
Not affected: Windows 10 | Insider Preview Canary build

Google Project Zero researcher James Forshaw originally reported this vulnerability to Microsoft in September 2020. It was supposedly fixed as CVE-2020-17103. Chaotic Eclipse found that the exact same issue is still present in fully patched systems running the latest May 2026 updates — the original proof-of-concept code published by Forshaw worked without modification.

The researcher then weaponized it to spawn a SYSTEM shell and published it as MiniPlasma, noting that reliability may vary due to its race-condition nature, but that it worked consistently across their test environments.

Independent researcher Will Dormann confirmed: MiniPlasma opens a cmd.exe prompt with SYSTEM privileges on Windows 11 including 26H1 with May’s updates. It does not work on the latest Insider Preview Canary build — suggesting Microsoft may be addressing it there, but that provides little comfort to the hundreds of millions of users running production Windows 11 builds.

The big question: The researcher is unsure if Microsoft never patched the issue or if the patch was silently rolled back at some point for unknown reasons. A patch confirmed in 2020 appears to have disappeared — raising concerns about the reliability and completeness of Windows patch management across years of development and constant code changes.

GreenPlasma — CTFMON Privilege Escalation

Component: Windows Collaborative Translation Framework (CTFMON subsystem)
Impact: Local privilege escalation to SYSTEM via arbitrary memory section object creation
Affected: Windows 11, Windows Server 2022 and 2026
CVE: Not assigned | No patch available

GreenPlasma enables privilege escalation on Windows 11 and Windows Server 2022/2026 by creating arbitrary memory section objects inside directories writable by SYSTEM. The researcher withheld the full exploit chain but noted that someone with the right skills could complete the escalation from the published material.

GreenPlasma, once weaponized, provides a backup SYSTEM escalation path through a different subsystem. In the attack chain context, it functions as a fallback persistence escalation path after initial compromise.

YellowKey — BitLocker Bypass via WinRE

Component: Windows Recovery Environment (WinRE)
Attack Vector: Physical access required
Method: Specially crafted files placed on USB drive or directly in the EFI partition
Impact: Full bypass of BitLocker-encrypted volumes — unrestricted shell access
Affected: Windows 11, Windows Server 2022/2025
Not affected: Windows 10
CVE: Not assigned | No patch available

The vulnerable variant of the component exists only within the WinRE image, not in standard Windows installations; the same component ships in a normal installation, but without the functionality that triggers the bypass.

Chaotic Eclipse’s controversial comment: The researcher flagged this as potentially intentional — the component responsible for the bug is not found anywhere on the internet except inside the WinRE image, and the exact same component exists in a normal Windows installation but without the functionalities that trigger the BitLocker bypass. Windows 10 is not affected; only Windows 11 and Server 2022/2025 are — a distinction that raises questions without obvious answers.

Microsoft has not publicly addressed the backdoor claim.

Attack Chain Context

An operational attack chain has emerged: escalate using BlueHammer, RedSun, or MiniPlasma to gain SYSTEM; blind the endpoint with UnDefend to weaken Defender; bypass BitLocker with YellowKey for physical-access scenarios; and use GreenPlasma as a backup SYSTEM escalation path through a different subsystem.

Detection & Mitigation

MiniPlasma

  • Monitor for unexpected SYSTEM shell spawns from cldflt.sys-related processes
  • Behavioral detection on processes inheriting SYSTEM context without elevation chain
  • No patch available; watch for out-of-band Microsoft advisory

GreenPlasma

  • Monitor CTFMON subsystem for anomalous memory section object creation
  • Audit writable SYSTEM directories for unexpected access patterns
  • Enable memory integrity (HVCI) where supported

YellowKey

  • Enforce BitLocker startup PIN — reduces but does not eliminate risk
  • Set BIOS/UEFI password to block unauthorized boot from USB
  • Restrict physical access to sensitive endpoints
  • Note: these are hardening steps only; no permanent fix exists yet

Across all three:

  • Apply the April 2026 Patch Tuesday update for BlueHammer (CVE-2026-33825); verify Defender platform version 4.18.26050.3011 or later; monitor vendor advisories for out-of-band patches addressing YellowKey and GreenPlasma
  • Prioritize EDR-based behavioral detection over signature-based controls
  • Network detection and identity controls operating independently of the endpoint remain your strongest layer while patches are absent
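The hardening items above can be verified rather than assumed. The following PowerShell check is an added example, not from the original article or the researcher: it reports whether the Defender platform meets the 4.18.26050.3011 floor named above, whether the OS volume’s BitLocker protector includes a startup PIN, whether memory integrity (HVCI) is running, and whether the BlueHammer fix is installed. The KB identifier for that fix is not given in the article, so it is a labelled placeholder; run the script in an elevated session.

```powershell
# Added example: verifies the hardening baseline listed in the article on a Windows 11 host.
# Not part of the original article. Requires an elevated PowerShell session.

$results = [ordered]@{}

# 1. Defender platform version must be 4.18.26050.3011 or later (figure taken from the article).
#    Get-MpComputerStatus exposes the platform version as AMProductVersion.
$requiredPlatform = [version]'4.18.26050.3011'
$mp = Get-MpComputerStatus
$results['DefenderPlatformOk'] = ([version]$mp.AMProductVersion -ge $requiredPlatform)

# 2. BitLocker on the OS volume must be on and use a TPM+PIN protector (startup PIN hardening).
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLockerOn']    = ($osVol.ProtectionStatus -eq 'On')
$results['BitLockerPinOk'] = [bool]($osVol.KeyProtector |
    Where-Object { $_.KeyProtectorType -in 'TpmPin', 'TpmPinStartupKey' })

# 3. Memory integrity (HVCI): Win32_DeviceGuard reports running services; 2 = HVCI.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$results['HvciRunning'] = ($dg.SecurityServicesRunning -contains 2)

# 4. April 2026 update for BlueHammer (CVE-2026-33825). The article does not give the KB id,
#    so this is a PLACEHOLDER to replace with the id from Microsoft's advisory.
$blueHammerKb = 'KBXXXXXXX'
$results['BlueHammerPatchInstalled'] = [bool](Get-HotFix -Id $blueHammerKb -ErrorAction SilentlyContinue)

# Print one line per control; any $false is a gap to follow up on.
$results.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
```

A $false for BitLockerPinOk or HvciRunning points at a control the article recommends but the host is not enforcing; the BlueHammer line is only meaningful once the placeholder KB id is filled in.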

CVE Reference

Zero-Day      CVE                            Patch Status
MiniPlasma    Regression of CVE-2020-17103   Unpatched (May 2026)
GreenPlasma   None assigned                  Unpatched
YellowKey     None assigned                  Unpatched

Analyst Note

The MiniPlasma situation cuts deeper than a single exploit. If a patch released in 2020 can effectively disappear because of regressions, refactoring, or build changes, it challenges a basic assumption many organizations rely on: that once something is patched, it stays fixed. Teams may also need ways to continuously verify that protections are still present after later updates and feature changes.

Patch management is necessary — but it is no longer sufficient.
