Six Zero-Days in Six Weeks: Inside Chaotic Eclipse's Windows Exploit Spree
A researcher publishing as Chaotic Eclipse has released six Windows zero-days since April 2026 — escalation flaws, a BitLocker bypass, and a post-exploitation tool — each one following a failed or incomplete vendor response. The latest, MiniPlasma, escalates to SYSTEM on fully patched Windows 11 using a bug Microsoft believed it fixed in 2020.
Since April 2026, a researcher publishing under the handles Chaotic Eclipse and Nightmare-Eclipse has released six Windows zero-day exploits in rapid succession. The series reached its most damaging point on May 13 when the researcher dropped MiniPlasma — a working local privilege escalation exploit for a bug Microsoft believed it had patched in December 2020. Independent testing confirmed it runs unmodified on fully patched Windows 11 with the May 2026 update applied.
No patch exists. Microsoft has said it is investigating.
The Chain
The disclosures did not arrive as isolated bugs. Each one fits a pattern: researcher reports to Microsoft, Microsoft does not respond or patches incompletely, researcher publishes.
BlueHammer (CVE-2026-33825) — April 2026. A local privilege escalation flaw that was eventually patched after threat actors began exploiting it in the wild. The only fully patched entry in the chain.
RedSun — April 2026. A second privilege escalation path, disclosed alongside BlueHammer. Microsoft silently fixed it without assigning a CVE. No public advisory was issued.
UnDefend — April 2026. A Windows Defender denial-of-service tool released as part of the same wave. Deployed at SYSTEM level — via one of the accompanying escalation exploits — it progressively disables Defender while leaving the device appearing normal to remote management consoles.
YellowKey (CVE-2026-45585) — May 12, 2026, one day after May Patch Tuesday. A BitLocker bypass targeting Windows 11 and Windows Server 2022/2025. The technique abuses Windows Recovery Environment behavior through early-boot transaction replay mechanisms tied to autofstx.exe. On systems with TPM-only BitLocker — the default configuration in most enterprise deployments — the bypass spawns a shell with access to unlocked drives. TPM+PIN configurations are not affected because they require user interaction before key release.
GreenPlasma — May 13, 2026. A privilege escalation vulnerability in the CTFMON framework on Windows 11 and Windows Server 2022/2026. The exploit creates arbitrary memory section objects inside directories writable by SYSTEM, then abuses trusted paths used by services and kernel drivers to escalate privileges. Chaotic Eclipse released a partial proof-of-concept; the full exploit was withheld, though the researcher stated that a skilled attacker could complete it.
MiniPlasma — May 13, 2026. The most technically notable of the set. The target is cldflt.sys, the Windows Cloud Files Mini Filter Driver — the component that makes OneDrive-backed placeholder files appear as local files. The specific routine is HsmOsBlockPlaceholderAccess, which governs access decisions for those placeholders. Google Project Zero researcher James Forshaw reported this exact flaw to Microsoft in September 2020. It was assigned CVE-2020-17103 and patched that December.
Chaotic Eclipse found that the patch is either missing or was silently rolled back. The original Forshaw proof-of-concept runs without modification. The NVD entry for CVE-2020-17103 shows a last-modified date of May 18, 2026 — consistent with the entry being reassessed following the disclosure. Security researcher Will Dormann independently confirmed that MiniPlasma works reliably on current Windows 11 hardware. The researcher's own notes flag success-rate variability because the underlying mechanism is a race condition, not a deterministic code path.
A separate flaw in the same driver — CVE-2025-62221 — was exploited in the wild by unknown threat actors in December 2025. The same component has now produced three exploitable vulnerabilities across two researchers in six years, two of which were exploited before a patch existed.
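The YellowKey entry above says TPM-only BitLocker is exposed while TPM+PIN is not, which makes protector type the first thing a defender should inventory. As an added example that is not part of the article, this PowerShell audit uses the BitLocker module's real Get-BitLockerVolume cmdlet to list each volume's protector types and flag those that rely on a TPM-only protector; the status labels and classification rules are my own assumptions, and the script needs local administrator rights.

```powershell
# Added example, not from the article: classify local BitLocker volumes by the
# key protector they depend on. A volume whose only TPM protector is plain 'Tpm'
# releases its key without any pre-boot user factor; 'TpmPin', 'TpmStartupKey'
# and 'TpmPinStartupKey' require something from the user first.
# Status labels below are this example's own convention.
function Get-BitLockerProtectorReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum on each protector object; normalize to strings
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpmOnly     = $types -contains 'Tpm'
        $hasPreBootUser = ($types -contains 'TpmPin') -or
                          ($types -contains 'TpmStartupKey') -or
                          ($types -contains 'TpmPinStartupKey')

        $status = if ($vol.ProtectionStatus -ne 'On') { 'NotProtected' }
                  elseif ($hasPreBootUser)           { 'RequiresPreBootFactor' }
                  elseif ($hasTpmOnly)                { 'TpmOnly' }
                  else                                { 'NoTpmProtector' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Status           = $status
        }
    }
}

# Print the report; OS volumes with Status 'TpmOnly' are the ones to prioritise
# for a move to TPM+PIN where the environment permits it.
Get-BitLockerProtectorReport | Sort-Object Status | Format-Table -AutoSize
```

Run it across a fleet through your existing remote-management tooling and collect only the MountPoint and Status columns to get a quick count of TPM-only OS volumes.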
Patch Status
BlueHammer is patched. RedSun was silently addressed. YellowKey, GreenPlasma, and MiniPlasma have no patches as of publication. The next scheduled Patch Tuesday is June 10, 2026.
YellowKey and GreenPlasma were actively exploited within 24 hours of their public release. MiniPlasma is a local privilege escalation; it requires existing access to the target system, which limits its standalone value but makes it a reliable second stage after any initial foothold.
What This Is
The chain is the story here, not any individual CVE. Each release followed a failed or incomplete vendor response. BlueHammer required active exploitation before it was patched. RedSun was fixed quietly, without acknowledgment. YellowKey and GreenPlasma were dropped the day after Patch Tuesday, maximizing the window before any fix could arrive. MiniPlasma revived a supposedly closed six-year-old bug.
The researcher's stated position is consistent across all six disclosures: Microsoft was notified, Microsoft did not act, the code is now public.
Whether that calculus is correct in each case is a separate question. What is not in dispute is that fully patched Windows 11 systems currently have no defense against MiniPlasma, and that two of these exploits were being used in attacks within a day of becoming public.