A Windows privilege escalation zero-day published today grants attackers SYSTEM-level access on fully patched Windows 11 machines - and the most disturbing part is not what the exploit does, but where it came from. Security researcher Chaotic Eclipse, already notorious for the YellowKey and GreenPlasma disclosures, has released MiniPlasma: a weaponized proof-of-concept that revives a vulnerability first reported to Microsoft by Google Project Zero in September 2020. The bug was assigned CVE-2020-17103 and supposedly patched in December 2020. Yet the original proof-of-concept code still triggers it today without a single modification.

This is not a new discovery. It is a resurrection. And it raises a question that should alarm every CISO running Windows in their environment: how many other supposedly fixed vulnerabilities are still lying dormant, waiting for someone to notice the patch never actually worked?

What MiniPlasma Does and Why It Matters Now

MiniPlasma targets the Windows Cloud Files Mini Filter Driver, a kernel-mode component known as cldflt.sys that handles cloud sync functionality for services like OneDrive. Specifically, the exploit abuses a routine called HsmOsBlockPlaceholderAccess through an undocumented API named CfAbortHydration.

The result is straightforward and devastating. A standard user account can escalate privileges to SYSTEM - the highest local authority on a Windows machine - with no administrative credentials, no stolen passwords, and no network access. Any code already running as a standard user on the host is enough.

Key Stat: BleepingComputer independently tested MiniPlasma on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates. The exploit successfully opened a command prompt with SYSTEM privileges. Security researcher Will Dormann confirmed the same result on the latest public Windows 11 build.

The Race Condition Factor

Chaotic Eclipse notes that MiniPlasma relies on a race condition, meaning success rate may vary depending on system load and timing. However, the researcher reported that it worked reliably across their test environments. For attackers, a race condition is not a meaningful barrier - automated retry logic can achieve near-certain success given enough attempts, and the exploit requires no user interaction once launched.

Key Takeaway: MiniPlasma is a local privilege escalation flaw, which means an attacker needs some foothold on the system first. But in modern enterprise environments, that initial foothold is increasingly easy to obtain through phishing, compromised credentials, or supply chain attacks. Once inside, MiniPlasma turns a low-privilege compromise into full control of that host.

The 2020 Bug That Never Died

The technical lineage of MiniPlasma traces directly to Google Project Zero researcher James Forshaw, who reported the vulnerability to Microsoft in September 2020. Forshaw's original report described how arbitrary registry keys could be created inside the .DEFAULT user hive without proper access checks, creating a path to privilege escalation.

CVE-2020-17103: The Original Fix

Microsoft assigned the flaw CVE-2020-17103, rated it 7.8 on the CVSS scale, and included a fix in the December 2020 Patch Tuesday. The company assessed exploitation as "less likely" due to perceived attack complexity. For five and a half years, the security community assumed the issue was resolved.

Chaotic Eclipse discovered otherwise while investigating techniques used in GreenPlasma, the CTFMON privilege escalation zero-day disclosed just days earlier. A colleague suggested that the cldflt.sys routine might still be vulnerable. The researcher tested the theory and found that Forshaw's original proof-of-concept executed successfully on modern Windows 11 builds without modification.

"After investigating, it turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched," Chaotic Eclipse wrote in the GitHub repository for MiniPlasma. "I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes."

Key Stat: The original vulnerability was reported in September 2020, supposedly patched in December 2020, and remains exploitable in May 2026 - a gap of nearly six years during which enterprises believed their systems were protected.

The Patch Rollback Question

The possibility that a security patch was silently rolled back is not without precedent. Microsoft has previously reverted updates because of compatibility problems, performance degradation, or unexpected side effects. What makes the MiniPlasma case unusual is that there has been no public acknowledgment of a rollback of this fix, and no replacement patch was ever issued.

Alternatively, the original patch may have addressed a symptom rather than the root cause, leaving the underlying vulnerability intact. Forshaw's unmodified proof-of-concept is enough to trigger the bug on current builds; what Chaotic Eclipse added on top of it is the weaponization that turns the registry primitive into a reliable SYSTEM shell. Either way, the core flaw never went away.

Common Mistake: Assuming that a CVE marked as "patched" means the vulnerability is gone forever. MiniPlasma demonstrates that regression testing for security fixes is as important as the fixes themselves, and that organizations should not treat historical CVEs as permanently closed cases.

Why This Timing Is Not an Accident

Chaotic Eclipse published YellowKey and GreenPlasma on May 13, 2026, one day after Microsoft's May Patch Tuesday on May 12, and followed with MiniPlasma on May 18. The timing is now a clear pattern: release immediately after the monthly update, while the next one is weeks away. The researcher has explicitly stated that future disclosures will follow the same cadence.

"Next Patch Tuesday will have a big surprise for you, Microsoft. And remember, I never failed to deliver a promise," Chaotic Eclipse said in the statement accompanying the earlier disclosures.

The Post-Patch Tuesday Window

By publishing zero-days immediately after Patch Tuesday, Chaotic Eclipse ensures that organizations face the maximum possible exposure window. The next scheduled patch cycle is not until June 9, the second Tuesday of June, about three weeks after MiniPlasma's release. For on-premises systems without automatic emergency mitigation, that period is a guaranteed window of vulnerability with no official fix.

This tactic transforms Patch Tuesday from a security event into a liability marker. Organizations that treat patching as a monthly ritual now face a predictable cycle where each patch release is immediately followed by new zero-day disclosures that cannot be addressed through normal channels.

Key Stat: Microsoft patched 138 vulnerabilities in its May 2026 Patch Tuesday, the second-largest volume in the company's history. None of the Chaotic Eclipse zero-days - BlueHammer from April, RedSun, UnDefend, YellowKey, GreenPlasma, or now MiniPlasma - were included.


The Chaotic Eclipse Disclosure Pattern

MiniPlasma is not an isolated release. It is part of a sustained campaign of Windows zero-day disclosures that has accelerated dramatically since April 2026.

From BlueHammer to MiniPlasma

The disclosure spree began in April with BlueHammer (CVE-2026-33825), a Windows Defender vulnerability that weaponized Microsoft's own update workflow for credential theft. Threat actors began exploiting BlueHammer four days before Microsoft released a patch. RedSun and UnDefend followed - both Microsoft Defender flaws, both still unpatched.

May brought YellowKey, which bypasses BitLocker encryption through the Windows Recovery Environment; GreenPlasma, which escalates privileges through CTFMON; and now MiniPlasma, which revives a supposedly fixed bug in the Cloud Filter driver that is more than five years old.

Key Stat: In less than two months, a single researcher has published six Windows zero-days. Only one, BlueHammer, has a patch. RedSun, UnDefend, YellowKey and GreenPlasma have never been fixed, and MiniPlasma's 2020 fix (CVE-2020-17103) has now been shown not to hold.

The Researcher's Stated Motivation

Chaotic Eclipse has been transparent about the motivation behind these disclosures. The researcher claims to have reported vulnerabilities to Microsoft through official channels, become dissatisfied with the response, and chosen public disclosure as a form of accountability.

"Microsoft has chosen to make this worse instead of resolving the situation like adults," the researcher said. "They pulled every childish game possible. My patience is running out. You're making everyone else pay for it."

Whether one views this as justified whistleblowing or reckless endangerment, the operational reality for security teams is identical: multiple unpatched Windows zero-days are publicly available, actively discussed, and trivially within reach of any threat actor who wants them.

Pro Tip: Do not waste operational cycles debating the ethics of Chaotic Eclipse's disclosure strategy. The exploits are public. The code is on GitHub. Focus entirely on detection, mitigation, and compensating controls until patches arrive.

What the Technical Details Reveal

Understanding how MiniPlasma works at a technical level helps explain both its severity and the limitations of traditional defenses against it.

The Cloud Filter Driver Attack Path

The Windows Cloud Files Mini Filter Driver (cldflt.sys) is a kernel-mode component that manages placeholder files for cloud storage services. When a user accesses a file that exists only in the cloud, the driver handles the download and local caching transparently.

MiniPlasma abuses the HsmOsBlockPlaceholderAccess routine through the undocumented CfAbortHydration API. Forshaw's original 2020 report found that this path allowed arbitrary registry key creation in the .DEFAULT user hive without proper access checks. That hive matters because HKEY_USERS\.DEFAULT is the hive the LocalSystem account sees as HKEY_CURRENT_USER (it is not, despite the name, the template for new user profiles, which lives in the Default user profile on disk). Standard users normally have only read access to it, so a primitive that lets them create keys there gives them influence over registry data that SYSTEM-context code reads.

Chaotic Eclipse weaponized this into a direct SYSTEM shell by leveraging the registry write capability to manipulate service configurations and trigger elevated execution.
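One thing a defender can do with the passage above is look at the .DEFAULT hive from their own side: confirm what the normal DACL allows, and put an audit SACL on it so that any key creation or value write there lands in the Security log with the responsible account and process. The script below is an added example for this article, not code from the MiniPlasma repository or from the Project Zero report. It assumes an elevated PowerShell 5 or later session and that the "Registry" audit subcategory has been enabled with auditpol.

```powershell
# Added example: inspect HKU\.DEFAULT and audit writes into it.
# Run from an elevated PowerShell. Not code from the MiniPlasma repository
# or from the Project Zero report.
#
# Prerequisite, otherwise the SACL below never produces events:
#   auditpol /set /subcategory:"Registry" /success:enable

$hive = 'Registry::HKEY_USERS\.DEFAULT'

# 1. Normal access rules. HKU\.DEFAULT is the hive LocalSystem sees as
#    HKEY_CURRENT_USER; on a stock install standard users get Read only.
#    A primitive that lets a standard user create keys here bypasses this DACL.
Get-Acl -Path $hive |
    Select-Object -ExpandProperty Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

# 2. Audit successful key creation and value writes by anyone, inherited down
#    the hive. Each hit becomes Security event 4663 (object access) or 4657
#    (value modified), carrying the account and process responsible.
$acl  = Get-Acl -Path $hive -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $hive -AclObject $acl

# 3. Pull the writes that hit the hive. The EventData field order differs
#    between 4657 and 4663, so parse the event XML by field name instead of
#    relying on Properties[] indices.
function Get-DefaultHiveAuditEvents {
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$x = $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process = $d['ProcessName']
                Object  = $d['ObjectName']    # native form, e.g. \REGISTRY\USER\.DEFAULT\...
            }
        } |
        Where-Object { $_.Object -like '*\.DEFAULT\*' }
}

Get-DefaultHiveAuditEvents | Format-Table -AutoSize
```

Two caveats. Registry auditing is noisy on a busy host, so scope the rule to the subtrees you care about if the volume is unmanageable. And because the key creation in this bug is performed by a kernel driver on the caller's behalf, check in your own lab whether the resulting 4663 is attributed to the calling user's process or to the System process before you build an alert rule that keys on the account name.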

Why Traditional Defenses Struggle

MiniPlasma exploits a trusted, signed, kernel-mode Microsoft driver. This creates several challenges for defenders:

  • No malicious binary to flag - The work is done by a legitimate Windows component signed by Microsoft, so antivirus has nothing to match on beyond the small user-mode trigger
  • Weak process-level attribution - The trigger is an API call into cldflt.sys, and the registry writes are carried out by the kernel on the caller's behalf, so telemetry that keys on "which process wrote this key" may not point at the attacker's process
  • No patch available - Organizations cannot close the vulnerability through normal update channels
  • Local privilege escalation - Once an attacker has any foothold, the path to SYSTEM is direct and, with retries, reliable

Key Takeaway: MiniPlasma is exactly the type of vulnerability that makes "assume breach" security models essential. Perimeter defenses and signature-based detection will not stop an attacker who has already gained low-privilege access and is escalating through trusted system components.

What Organizations Should Do Right Now

With no patch available for MiniPlasma and the next Patch Tuesday weeks away, organizations must rely on compensating controls and immediate risk mitigation.

Immediate Mitigation Steps

  • Apply the principle of least privilege aggressively - Standard users should not have local administrative rights. This does not stop MiniPlasma, which starts from a standard user, but it limits what the initial foothold can reach and means an attacker has to burn the exploit on every host rather than walking in with existing admin rights.
  • Monitor for writes into the .DEFAULT hive - Endpoint detection tools should flag registry key creation and value writes under HKEY_USERS\.DEFAULT that are not attributed to SYSTEM; legitimate writers of that hive run as SYSTEM.
  • Restrict cloud sync where not required - cldflt.sys is a file system minifilter driver, not a service. In high-security environments where no cloud-sync provider is needed, consider setting the driver not to load; this breaks OneDrive Files On-Demand and any other provider built on the Cloud Files API, and should be tested before it is pushed.
  • Deploy behavioral detection for privilege escalation - Focus on detecting the outcome (unexpected SYSTEM-level process spawning from a user session) rather than the specific exploit technique, which may vary.
  • Segment your network - Assume that any compromised endpoint may achieve SYSTEM privileges. Limit lateral movement through network segmentation and zero-trust architecture.
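The steps above translate into three concrete tasks: find out which hosts actually carry and load the driver (and at what version, so you can tell when a fixed build arrives), disable it where policy allows, and hunt for non-SYSTEM writes into the .DEFAULT hive. The script below is an added example for this article, not code from the MiniPlasma repository or from Microsoft. It assumes the driver's service name is CldFlt, that Sysmon is deployed with registry events (IDs 12 and 13) enabled, and that Sysmon renders the hive path as HKU\.DEFAULT; adjust the pattern if your version renders it differently. The sample records at the end are constructed, not real telemetry.

```powershell
# Added example: fleet triage for the Cloud Files minifilter.
# Assumptions (not from the article): the driver's service name is CldFlt,
# Sysmon registry events (ID 12/13) are enabled, and Sysmon writes the hive
# path as HKU\.DEFAULT\...

function Get-CloudFilterState {
    # Records whether cldflt.sys is present and loaded, its file version and
    # start mode, and the OS build. Collect this across the fleet so you can
    # see which hosts carry the driver and compare versions once a fix ships.
    $path   = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $driver = Get-CimInstance Win32_SystemDriver -Filter "Name='CldFlt'"
    $nt     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        OsBuild      = "$($nt.DisplayVersion) ($($nt.CurrentBuild).$($nt.UBR))"
        DriverExists = Test-Path $path
        FileVersion  = if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { $null }
        StartMode    = $driver.StartMode
        Loaded       = ($driver.State -eq 'Running')
    }
}

function Disable-CloudFilter {
    # Only for hosts where no cloud-sync provider is needed. Breaks OneDrive
    # Files On-Demand and anything else built on the Cloud Files API, so test
    # before pushing. Start = 4 is SERVICE_DISABLED; takes effect at next boot.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CldFlt' -Name Start -Value 4
}

function ConvertFrom-SysmonRegistryEvent {
    # Flattens a Sysmon EventLogRecord (ID 12 key create/delete, ID 13 value
    # set) into the fields the detection needs, parsing the XML by field name.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        [xml]$x = $Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time         = $Event.TimeCreated
            Id           = $Event.Id
            User         = $d['User']
            Image        = $d['Image']
            TargetObject = $d['TargetObject']
        }
    }
}

function Find-DefaultHiveWrites {
    # Flags registry writes under HKU\.DEFAULT that are not attributed to
    # SYSTEM. Legitimate writers of that hive run as SYSTEM, so a standard
    # user's process creating keys there is worth a ticket whatever bug got it
    # there. If the kernel performs the write on a system thread, attribution
    # will be to the System process and this filter will miss it; baseline the
    # raw volume of .DEFAULT key creations as well.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        if ($Record.TargetObject -like 'HKU\.DEFAULT\*' -and
            $Record.User -ne 'NT AUTHORITY\SYSTEM') {
            $Record | Add-Member -NotePropertyName Verdict -NotePropertyValue 'SUSPICIOUS' -PassThru
        }
    }
}

Get-CloudFilterState | Format-List

# Live use (needs Sysmon with registry events enabled):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13 } |
#       ConvertFrom-SysmonRegistryEvent | Find-DefaultHiveWrites

# Offline run against constructed sample records (not real telemetry). The
# second record is the constructed positive case: a non-SYSTEM account
# creating a key under HKU\.DEFAULT.
$samples = @(
    [pscustomobject]@{ Time = Get-Date; Id = 12; User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\svchost.exe'; TargetObject = 'HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run' }
    [pscustomobject]@{ Time = Get-Date; Id = 12; User = 'CORP\jdoe';           Image = 'C:\Users\jdoe\Downloads\poc.exe'; TargetObject = 'HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run' }
    [pscustomobject]@{ Time = Get-Date; Id = 13; User = 'CORP\jdoe';           Image = 'C:\Windows\explorer.exe';         TargetObject = 'HKU\S-1-5-21-1-2-3-1001\Software\Contoso\Setting' }
)
$samples | Find-DefaultHiveWrites | Format-Table Time, Id, User, Image, TargetObject, Verdict -AutoSize
```

Disable-CloudFilter is deliberately not called from the script body; run Get-CloudFilterState across the estate first, decide per host group whether cloud sync is needed, and only then push the start-type change through your management tooling with a reboot window.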

The Insider Preview Exception

Will Dormann noted that MiniPlasma does not appear to work on the latest Windows 11 Insider Preview Canary build. This suggests Microsoft may be addressing the vulnerability in an upcoming release, but provides no timeline for when that fix will reach general availability. Organizations running production Windows 11 builds should not rely on the Insider Preview as a mitigation strategy. Teams with a lab can settle the question for their own images by running the public proof-of-concept in an isolated, non-domain-joined VM rather than relying on third-party reports.

Pro Tip: The combination of MiniPlasma with YellowKey creates a particularly dangerous attack chain. YellowKey bypasses BitLocker encryption through physical access, and MiniPlasma provides SYSTEM-level privileges once the attacker has booted the system. Field devices, shared workstations, and laptops are at elevated risk.

The Bigger Problem: When Patches Stop Working

MiniPlasma exposes a systemic issue that extends far beyond a single vulnerability. If a CVE from 2020 can resurface as a working zero-day in 2026, how many other supposedly fixed flaws are still present in Windows?

The Regression Testing Gap

Whatever Microsoft's internal process looks like, the outcome here shows what it did not reliably catch: a fix can install cleanly, break nothing, and still leave the original proof-of-concept working years later. Validating that a vulnerability is actually eliminated across all code paths and configurations, and stays eliminated across later builds, is a different kind of test from checking that a patch installs and does not regress functionality.

The MiniPlasma case suggests that either the original CVE-2020-17103 patch was incomplete, was inadvertently reverted in a subsequent update, or addressed a symptom while the root cause persisted. Any of these scenarios points to a gap in how security fixes are validated over time.

The Silent Patch Rollback Risk

If Microsoft did silently roll back the CVE-2020-17103 fix, the implications are significant. Organizations that applied the December 2020 patch and moved on have been vulnerable for six years without knowing it. Security audits, compliance assessments, and vulnerability scans would all have shown the system as patched and protected.

This is a nightmare scenario for security governance: a vulnerability that is officially closed, technically present, and practically exploitable. Incomplete fixes and variants of previously patched bugs are a recurring theme in Project Zero's own analyses of in-the-wild exploitation; MiniPlasma is an unusually stark example, and it will not be the last.

Key Stat: NIST's National Vulnerability Database entry for CVE-2020-17103 carries a CVSS score of 7.8 and points to Microsoft's December 2020 advisory as the fix. Nothing in that entry reflects that the vulnerability remains exploitable on current systems, which is exactly what MiniPlasma demonstrates.


How MiniPlasma Fits the Current Threat Landscape

MiniPlasma arrives at a moment when the cybersecurity industry is already reeling from an unprecedented concentration of major disclosures.

The May 2026 Vulnerability Surge

The past week has seen:

  • May 11 - Google confirms the first AI-generated zero-day exploit in the wild
  • May 11 - OpenAI launches Daybreak defensive cybersecurity platform
  • May 12 - Microsoft unveils MDASH, its multi-model AI vulnerability discovery system
  • May 13 - Palo Alto Networks publishes 26 CVEs from frontier AI scanning
  • May 13 - Chaotic Eclipse drops YellowKey and GreenPlasma
  • May 14 - Microsoft discloses CVE-2026-42897, an actively exploited Exchange Server zero-day
  • May 16 - Grafana discloses codebase theft via compromised GitHub token
  • May 18 - MiniPlasma published, reviving a six-year-old supposedly patched bug

This density of high-impact security events is not coincidental. It reflects an industry-wide acceleration in vulnerability discovery, driven in part by AI-assisted analysis on both the offensive and defensive sides.

The AI Acceleration Factor

Gavin Knapp, cyber threat intelligence principal lead at Bridewell, noted that the rapid discovery and weaponization of vulnerabilities like MiniPlasma is "likely due to skilled researchers leveraging AI to expedite and scale vulnerability research and exploit development."

The same AI capabilities that Microsoft, Palo Alto Networks, and OpenAI are deploying for defensive vulnerability discovery are also available to independent researchers and threat actors. The difference is that defenders must find and patch every vulnerability. Attackers only need to find one that works - and if that vulnerability was supposedly patched six years ago, defenders are not even looking for it.

Common Mistake: Treating AI security as purely a defensive advantage. The same frontier models that help vendors find vulnerabilities faster also help attackers rediscover old bugs, chain multiple weaknesses into exploit paths, and weaponize findings at machine speed.

What Microsoft Has Said

Microsoft has not issued a specific statement addressing MiniPlasma at the time of writing. The company's response to the earlier Chaotic Eclipse disclosures, provided to SecurityWeek, acknowledged that Microsoft is "actively investigating the validity and potential applicability of these claims across our platforms and services."

Microsoft emphasized its commitment to "investigating reported security issues and updating impacted products as soon as possible," and noted that it "supports coordinated vulnerability disclosure."

What Microsoft has not provided is a timeline for patches addressing YellowKey, GreenPlasma, RedSun, UnDefend, or now MiniPlasma. Given that RedSun and UnDefend from April remain unpatched, organizations should not assume rapid resolution.

The CISA Response

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-42897, the Exchange Server zero-day, to its Known Exploited Vulnerabilities catalog on May 15. CISA has not added any of the unpatched Chaotic Eclipse zero-days, which have no CVE assignments (BlueHammer, which does, was patched). KEV entries typically give federal agencies 21 days to remediate, but the catalog only tracks bugs with a CVE identifier, so the requirement cannot attach to YellowKey, GreenPlasma, RedSun or UnDefend as they stand. MiniPlasma is the exception: it maps to CVE-2020-17103, so it could in principle be listed if in-the-wild exploitation is confirmed.

What Happens Next

The immediate future depends on three factors: whether Microsoft addresses MiniPlasma in the June Patch Tuesday, whether Chaotic Eclipse follows through on threats to publish additional zero-days, and whether threat actors integrate MiniPlasma into active campaigns.

The June Patch Tuesday Watch

Security teams should treat Microsoft's June Patch Tuesday as a critical event. If MiniPlasma and the other Chaotic Eclipse zero-days are not addressed, organizations will face a second month of guaranteed exposure. If they are patched, the focus shifts to rapid deployment - which itself is challenging for large enterprises with complex testing and rollout procedures.

The Escalation Risk

Chaotic Eclipse has warned that "other companies" may be dragged into the disclosure dispute, suggesting future zero-days could target vendors beyond Microsoft. The researcher has also promised "a big surprise" for the next Patch Tuesday. Security teams should prepare for the possibility of additional unpatched disclosures in June.

The Long-Term Shift

MiniPlasma is a reminder that the traditional vulnerability management model - monthly patching cycles, CVE-based tracking, and assumption that historical patches remain effective - is breaking under the strain of accelerated discovery and unconventional disclosure. Organizations need:

  • Continuous validation that historical patches actually eliminated vulnerabilities
  • Behavioral detection that flags anomalous activity regardless of whether it comes from trusted processes
  • Zero-trust architecture that assumes any endpoint may be fully compromised
  • Rapid containment capabilities that can isolate affected systems in minutes

Conclusion

MiniPlasma is more than another Windows zero-day. It is a case study in how supposedly fixed vulnerabilities can resurface years later, how patch verification failures create invisible security gaps, and how a single researcher can expose systemic weaknesses that affect hundreds of millions of systems worldwide.

The fact that a Google Project Zero report from 2020 can be weaponized into a working SYSTEM exploit in 2026, with the original proof-of-concept requiring no modifications, should force a fundamental rethinking of how organizations approach vulnerability management. CVEs are not permanent closures. Patches are not guaranteed to persist. And trust in vendor security updates must be continuously validated, not assumed.

For security teams, the operational priorities are clear: implement compensating controls for MiniPlasma immediately, audit your environment for other potential regression vulnerabilities, and prepare for the possibility that more zero-days are coming before the next Patch Tuesday. The security model that treats patching as a monthly checkbox exercise is no longer viable. The new model requires continuous validation, behavioral detection, and the assumption that any system may already be compromised - because as MiniPlasma demonstrates, sometimes the vulnerabilities you thought were fixed never actually were.