{"vulnerability": "CVE-2020-1710", "sightings": [{"uuid": "d364c42a-5d9b-4b3c-9d06-38c3d1788726", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://gist.github.com/alon710/94f16ff078ba1aff29867d2bba3993ff", "content": "# CVE-2020-17103: CVE-2020-17103: Local Privilege Escalation in Windows Cloud Files Mini Filter Driver\n\n> **CVSS Score:** 7.0\n> **Published:** 2020-12-09\n> **Full Report:** https://cvereports.com/reports/CVE-2020-17103\n\n## Summary\nCVE-2020-17103 is a local privilege escalation vulnerability located in the Windows Cloud Files Mini Filter Driver (cldflt.sys). An exploitable race condition during the handling of impersonation tokens allows a standard local user to write arbitrary data to the .DEFAULT registry hive, leading to SYSTEM-level code execution.\n\n## TL;DR\nA race condition in the Windows Cloud Files Mini Filter driver allows local attackers to elevate privileges to SYSTEM by abusing registry handle fallbacks during impersonation token toggling.\n\n## Exploit Status: WEAPONIZED\n\n## Technical Details\n\n- **CWE ID**: CWE-362\n- **Attack Vector**: Local\n- **CVSS v3.1**: 7.0 (High)\n- **EPSS Score**: 0.35%\n- **Impact**: Arbitrary Code Execution as SYSTEM\n- **Exploit Status**: Weaponized\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Windows 10 Version 1803\n- Windows 10 Version 1809\n- Windows 10 Version 1903\n- Windows 10 Version 1909\n- Windows 10 Version 2004\n- Windows 10 Version 20H2\n- Windows Server 2004\n- Windows Server 20H2\n- Windows Server 2016\n- Windows Server 2019\n- Windows Server Core 1903\n- Windows Server Core 1909\n- **Windows 10**: 1803 - 20H2\n- **Windows Server**: 2016 - 2019\n- **Windows Server Core**: 1903 - 1909\n\n## Mitigation\n\n- Apply Microsoft Security Updates released in and after December 2020\n- Validate patching status for regressions 
reported in May 2026\n- Disable the cldflt service if Cloud Files functionality is unused\n\n**Remediation Steps:**\n1. Identify all endpoints running Windows 10 (1803-20H2) and Windows Server (2016-2019).\n2. Deploy the latest Cumulative Updates to all identified systems via SCCM, WSUS, or Intune.\n3. Monitor patch compliance and restart endpoints to apply kernel modifications.\n4. If patching cannot be performed, test disabling the 'cldflt' service and ensure business processes do not rely on OneDrive placeholders.\n\n## References\n\n- [MSRC Advisory CVE-2020-17103](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17103)\n- [Project Zero Bug Report](https://project-zero.issues.chromium.org/issues/42451192)\n- [Project Zero Technical Blog](https://projectzero.google/2021/01/hunting-for-bugs-in-windows-mini-filter.html)\n- [MiniPlasma Exploit Repository](https://github.com/Nightmare-Eclipse/MiniPlasma)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2020-17103) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-18T05:20:50.000000Z"}, {"uuid": "50693d68-0373-4db8-aea6-7f15bd9bbd4b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://infosec.exchange/users/wdormann/statuses/116584206761334151", "content": "New from Nightmare-Eclipse, we have MiniPlasma\nWorks reliably to get a SYSTEM cmd.exe prompt.  
Is reportedly a failure to properly fix CVE-2020-17103.", "creation_timestamp": "2026-05-16T12:17:00.762044Z"}, {"uuid": "0db01868-88f2-475a-a024-04ff577160f1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://bsky.app/profile/wdormann.infosec.exchange.ap.brid.gy/post/3mlxtbeijgko2", "content": "New from Nightmare-Eclipse, we have MiniPlasma\n\nWorks reliably to get a SYSTEM cmd.exe prompt. Is reportedly a failure to properly fix CVE-2020-17103.", "creation_timestamp": "2026-05-16T12:17:12.967976Z"}, {"uuid": "5af032a6-0001-4f05-b40d-e3db0f2e9930", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "Telegram/aPBnBDLZlClNl0jawFYK0oGJT-uQ62fikQWRVuyq6vfsnw", "content": "", "creation_timestamp": "2026-05-16T11:30:39.000000Z"}, {"uuid": "ff5cb118-ea72-4399-9996-60911d77e228", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "Telegram/qbysBXCJo38zlNH2uZDZDhrRJd3KZvVNm8hsiGQlfcdvfuk", "content": "", "creation_timestamp": "2026-05-17T12:31:58.000000Z"}, {"uuid": "f9229602-6cdc-4b90-9bfb-87e20fd7918b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17102", "type": "seen", "source": "https://t.me/cibsecurity/16155", "content": "\u203c CVE-2020-17102 \u203c\n\n, aka 'WebP Image Extensions Information Disclosure Vulnerability'.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-11T12:35:10.000000Z"}, {"uuid": "b7f8f072-9be8-4553-a748-dc907813adb0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17109", "type": "seen", "source": "https://t.me/cibsecurity/16147", "content": "\u203c CVE-2020-17106 \u203c\n\n, aka 'HEVC Video Extensions Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17107, CVE-2020-17108, CVE-2020-17109, CVE-2020-17110.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-11T12:35:02.000000Z"}, {"uuid": "09d14fac-ed83-45e9-bccd-9ba50b19b28e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17108", "type": "seen", "source": "https://t.me/cibsecurity/16147", "content": "\u203c CVE-2020-17106 \u203c\n\n, aka 'HEVC Video Extensions Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17107, CVE-2020-17108, CVE-2020-17109, CVE-2020-17110.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-11T12:35:02.000000Z"}, {"uuid": "55a2f0b7-cfe7-4ca5-ad12-431ce8e94865", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17106", "type": "seen", "source": "https://t.me/cibsecurity/16147", "content": "\u203c CVE-2020-17106 \u203c\n\n, aka 'HEVC Video Extensions Remote Code Execution Vulnerability'. 
This CVE ID is unique from CVE-2020-17107, CVE-2020-17108, CVE-2020-17109, CVE-2020-17110.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-11T12:35:02.000000Z"}, {"uuid": "0086960b-1f40-4f42-9ed8-8fdabc141851", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17107", "type": "seen", "source": "https://t.me/cibsecurity/16147", "content": "\u203c CVE-2020-17106 \u203c\n\n, aka 'HEVC Video Extensions Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17107, CVE-2020-17108, CVE-2020-17109, CVE-2020-17110.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-11T12:35:02.000000Z"}, {"uuid": "77d321c1-5f78-43f6-a311-9ec2ad7cfd0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://t.me/P0x3k_1N73LL1G3NC3/354", "content": "MiniPlasma (Windows unpatched LPE)\n\nCVE-2020-17103 was apparently not patched or the patch was reversed, regardless, this is the PoC for an LPE in cldflt.sys, weaponized to spawn a SYSTEM shell. 
Success rate may vary since it's a race condition.", "creation_timestamp": "2026-05-16T09:09:16.000000Z"}, {"uuid": "0318565b-6f58-4325-9e17-b4eb3c01cf2e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://bsky.app/profile/infosecbot.bsky.social/post/3mlxkkrjwqr2t", "content": "It's confirmed, CVE-2020-17103 patch is ineffective and the vulnerability still exists,\nA weaponized PoC can be found here - \n\nhttps://\ndeadeclipse666.blogspot.com/2026/05/minipl\nasma-powerful-\u2026\n\n\ud83d\udd01 RT @ChaoticEclipse0 | reposted by @HackingLZ\nhttps://x.com/ChaoticEclipse0/status/2055533189221814284", "creation_timestamp": "2026-05-16T09:41:16.686473Z"}, {"uuid": "20850a37-f01e-4251-9589-6cdd383f1831", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "published-proof-of-concept", "source": "Telegram/xdBdqpcqRsRQ7RiAoFn-JrKabgkpd6B3wQqCNbA1krk_hw", "content": "", "creation_timestamp": "2026-05-16T21:42:36.000000Z"}, {"uuid": "17cea844-8461-48f2-b5ad-453f541d2a2c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://bsky.app/profile/campuscodi.risky.biz/post/3mlz24uhfqc27", "content": "Looks like CVE-2020-17103 wasn't patched correctly, or the patch was accidentally rolled back by someone at Microsoft\n\ngithub.com/Nightmare-Ec...", "creation_timestamp": "2026-05-16T23:52:31.174895Z"}, {"uuid": "8c44eb81-6c8d-45a1-8e12-005726b8e444", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlzcx6mem62h", 
"content": "Top 3 CVE for last 7 days:\nCVE-2026-42511: 56 interactions\nCVE-2026-46300: 56 interactions\nCVE-2026-42897: 51 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-45062: 11 interactions\nCVE-2020-17103: 8 interactions\nCVE-2026-46333: 5 interactions\n", "creation_timestamp": "2026-05-17T02:41:51.812517Z"}, {"uuid": "7fd6e23f-4a64-45bd-97f6-b90165f4eaa2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "published-proof-of-concept", "source": "Telegram/4tIKexrP1B7eYtOW91-QaKQ8EIqNMri3pu2C_JIQ1mA899I", "content": "", "creation_timestamp": "2026-05-15T03:00:06.000000Z"}, {"uuid": "6437730c-a97e-47ef-b80e-ffb09733ae90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mm4pgiczvb24", "content": "MiniPlasma exploits CVE-2020-17103 in the Windows Cloud Filter driver to gain a System shell, indicating the vulnerability may remain unpatched on Windows 11.\n", "creation_timestamp": "2026-05-18T10:51:41.162036Z"}, {"uuid": "457a7006-9d35-432e-99f4-4fc3e8c92213", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://www.acn.gov.it/portale/w/miniplasma-poc-per-lo-sfruttamento-di-una-vulnerabilita-microsoft", "content": "", "creation_timestamp": "2026-05-18T09:04:07.000000Z"}, {"uuid": "0a400ab6-d291-4cf2-87f2-66d860a01f6f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://t.me/true_secator/8216", "content": "A researcher has released a demonstration PoC for a 0-day that allows privilege 
escalation in Windows and has been named MiniPlasma. This vulnerability lets attackers obtain SYSTEM privileges on fully updated Windows systems.\n\nThe discovery and disclosure are attributed to the researcher Chaotic Eclipse, or Nightmare Eclipse, who posted the source code and an executable on GitHub, claiming that Microsoft improperly fixed a vulnerability previously discovered in 2020.\n\nAccording to the researcher, the vulnerability affects the Cloud Filter driver cldflt.sys and its HsmOsBlockPlaceholderAccess routine, which Google Project Zero researcher James Forshaw originally reported to Microsoft in September 2020.\n\nAt the time the vulnerability was assigned the identifier CVE-2020-17103 and, reportedly, it was fixed in December 2020.\n\nChaotic Eclipse explained: 
the investigation showed that the very same issue that was reported to Microsoft by Google Project Zero actually still exists and is not fixed. The original PoC from Google worked without any changes.\n\nMoreover, independent tests on a fully patched Windows 11 Pro system with the latest May 2026 Patch Tuesday updates, on a standard user account, showed that a command prompt with SYSTEM rights opened after the exploit was launched.\n\nWill Dormann of Tharros also confirmed that the exploit works in his tests on the latest publicly available version of Windows 11. However, he noted that the vulnerability does not work in the latest Windows 11 Insider Preview Canary build.\n\nApparently, the vulnerability exploits the incorrect way the Windows Cloud Filter driver handles registry key creation through the undocumented CfAbortHydration API.\n\n
Forshaw's original report stated that this vulnerability allows arbitrary registry keys to be created in the .DEFAULT user hive without a proper access check, which could potentially lead to privilege escalation.\n\nFor its part, Microsoft reports that the bug was fixed as part of the December 2020 Patch Tuesday, but Chaotic Eclipse claims that the vulnerability can still be exploited by attackers.\n\nMiniPlasma is the latest in a series of leaks of information about Windows 0-days published by the researcher over the past few weeks.\n\nThe series of disclosures began in April with BlueHammer, a local privilege escalation vulnerability in Windows (CVE-2026-33825), followed by another privilege escalation vulnerability, RedSun, and a DoS attack tool for Windows Defender, UnDefend.\n\nMoreover, after they were discovered, it was found that all three vulnerabilities had been used in attacks.\n\n
According to the researcher, Microsoft quietly fixed the RedSun issue without assigning it a CVE identifier.\n\nThis month the researcher also released two additional vulnerabilities, YellowKey and GreenPlasma, doing so in protest against Microsoft's bug bounty program and vulnerability handling process. \n\nNow the ball is in Microsoft's court; we await details and comments from the developers.", "creation_timestamp": "2026-05-18T18:30:06.000000Z"}, {"uuid": "7b711bda-ede3-4f06-8d69-0799c8c1a293", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://infosec.exchange/users/wdormann/statuses/116597222546050317", "content": "The Nightmare-Eclipse repo clearly credits James Forshaw with the CVE-2020-17103 vulnerability that MiniPlasma is based off of.\nDid Nightmare-Eclipse modify MiniPlasma to use a variant of CVE-2020-17103 that still works on modern Windows?\nNO.  MiniPlasma IS the poc from the GPZ write-up\nWhy does it work on current Windows? Well, instead of fixing CVE-2020-17103, they decided to break the PoC instead. And yeah, with Win10 Dec 2020 and Win11 RTM, the GPZ PoC doesn't work.\nBut somewhere between Win11 RTM and 22H2 (I have neither the VM snapshots nor the patience to determine when exactly), whatever thing Microsoft did to break the CVE-2020-17103 PoC regressed.  And because it wasn't a fix, then surely Microsoft had no regression test to detect that the fix was no longer present.\nSo here we are.  
MiniPlasma is the GPZ PoC, but modified slightly to achieve LPE instead of creating DEMODEMO in the registry.", "creation_timestamp": "2026-05-18T19:27:08.343112Z"}, {"uuid": "bc2d6d5a-ed81-4971-bb25-94f9dd2d374b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "seen", "source": "https://bsky.app/profile/wdormann.infosec.exchange.ap.brid.gy/post/3mm5macicuql2", "content": "The Nightmare-Eclipse repo clearly credits James Forshaw with the CVE-2020-17103 vulnerability that MiniPlasma is based off of.\n\nDid Nightmare-Eclipse modify MiniPlasma to use a variant of CVE-2020-17103 that still works on modern Windows?\n\n**NO** [\u2026] \n\n[Original post on infosec.exchange]", "creation_timestamp": "2026-05-18T19:27:16.832154Z"}, {"uuid": "2f55f550-c162-4ea4-868e-bf4719904818", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-17103", "type": "published-proof-of-concept", "source": "Telegram/p6_7Fzr7AE5-s9SdgqzAFTlpxGf9IMuh2DhHzRrKndjq5KI", "content": "", "creation_timestamp": "2026-05-18T21:00:03.000000Z"}]}