Over the past two months, the anonymous researcher Nightmare Eclipse (also known as Chaotic Eclipse) has publicly disclosed six Windows vulnerabilities complete with ready-to-use exploits, without prior coordination with Microsoft. The most critical of these is MiniPlasma, a zero-day local privilege escalation exploit that grants attackers SYSTEM-level access.
In short
The exploit leverages an old flaw, CVE-2020-17103, which was believed to have been patched back in 2020. Fully updated systems running Windows 11, as well as Windows Server 2022 and 2025, are vulnerable to this attack vector.
Similar to CVE-2020-17103, the MiniPlasma issue is rooted in the Cloud Filter driver and the HsmOsBlockPlaceholderAccess routine.
According to Huntress Labs, attacks exploiting the initial vulnerabilities from the same list as MiniPlasma have been ongoing in the wild since April 10. It wasn’t until June 9 that Microsoft promised to release a patch for MiniPlasma.
Detection by Kaspersky solutions
Kaspersky Managed Detection and Response detects the exploitation of this vulnerability by tracking the following indicators of attack:
- Creation of symbolic links in the registry key HKU\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps:

    category: registry_set
    product: windows
    detection:
        selection:
            TargetObject|contains: 'Policies\\Microsoft\\CloudFiles\\BlockedApps'
            Details: 'SymbolicLinkValue'
        condition: selection

- Tracking the appearance of wermgr.exe outside standard paths:

    category: process_creation
    product: windows
    detection:
        selection:
            TargetFilename|endswith: '\\wermgr.exe'
        filter_system_locations:
            TargetFilename|startswith:
                - 'C:\\Windows\\System32\\'
                - 'C:\\Windows\\SysWOW64\\'
                - 'C:\\Windows\\WinSxS\\'
                - 'C:\\Windows\\servicing\\'
                - 'C:\\$WINDOWS.~BT\\'
                - 'C:\\Windows\\SoftwareDistribution\\'
        condition: selection and not filter_system_locations

- Execution of system binaries or their imitations from non-standard directories.
- The analyzed PoC uses the .NET library NtApiDotNet by researcher James Forshaw to interact with registry Native APIs. The presence of artifacts or traces of this library’s usage is also an indicator of compromise.
To protect companies using our Kaspersky SIEM system or Kaspersky Extended Detection and Response, we have prepared a correlation rules package designed to detect such malicious activity. The rules are available to download from the products repository. For those developing custom detection rules or conducting threat hunting within a SIEM by analyzing Windows events, we recommend monitoring the following activities:
- Modification of the HKU\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps registry key by creating a symbolic link to HKU\.DEFAULT\Volatile Environment. To hunt for this, registry auditing (SACL) must be configured. KUMA query:

    DeviceEventClassID = '4657' AND FileName like '%Policies\Microsoft\CloudFiles\BlockedApps%' AND DeviceCustomString6 = 'SymbolicLinkValue'

- Execution of the scheduled task \Microsoft\Windows\Windows Error Reporting\QueueReporting. To track Event ID 110, monitoring of the Microsoft-Windows-TaskScheduler/Operational log must be configured. KUMA query:

    DeviceEventClassID = '110' AND SourceProcessName = '\Microsoft\Windows\Windows Error Reporting\QueueReporting'

- Launching wermgr.exe from a directory other than its standard location (typically C:\Windows\System32 or C:\Windows\SysWOW64, depending on the system). This activity is detected by the “R150_01_Start of a utility with the name of the system process from a folder other than the standard folder” rule, available in the KUMA repository. KUMA query:

    DeviceEventClassID = '4688' AND DestinationProcessName LIKE '%\wermgr.exe' AND NOT (DestinationProcessName = 'C:\Windows\System32\wermgr.exe' OR DestinationProcessName = 'C:\Windows\SysWOW64\wermgr.exe')

- Execution of a non-standard process spawned by wermgr.exe. KUMA query:

    DeviceEventClassID = '4688' AND SourceProcessName LIKE '%\wermgr.exe'
Note: The provided search queries are applicable when using the default normalizer. We recommend a search depth of at least one month.
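As an added example that is not part of Kaspersky's rules package, the Python below applies the four KUMA hunts above to a handful of constructed normalized events; the field names are the KUMA default-normalizer names quoted in the queries, and the event records are invented for illustration.

```python
# Added example, not Kaspersky code: the four KUMA hunts above as Python checks over
# normalized Windows events (dicts); field names follow the KUMA default normalizer.
import re

BLOCKEDAPPS_RE = re.compile(r"Policies\\Microsoft\\CloudFiles\\BlockedApps", re.I)
QUEUE_TASK = r"\Microsoft\Windows\Windows Error Reporting\QueueReporting"
STANDARD_WERMGR = {r"c:\windows\system32\wermgr.exe", r"c:\windows\syswow64\wermgr.exe"}

def check_event(ev):
    """Return the names of the hunting checks that a single event satisfies."""
    hits = []
    eid = str(ev.get("DeviceEventClassID", ""))
    if eid == "4657":
        # Registry value under CloudFiles\BlockedApps set to a symbolic link (needs a SACL).
        if (BLOCKEDAPPS_RE.search(ev.get("FileName", ""))
                and ev.get("DeviceCustomString6") == "SymbolicLinkValue"):
            hits.append("cloudfiles_blockedapps_symlink")
    elif eid == "110":
        # Task Scheduler operational log: the QueueReporting task was triggered.
        if ev.get("SourceProcessName") == QUEUE_TASK:
            hits.append("queuereporting_task_run")
    elif eid == "4688":
        new_proc = ev.get("DestinationProcessName", "").lower()
        parent = ev.get("SourceProcessName", "").lower()
        # wermgr.exe started outside its two standard locations, or anything spawned by it.
        if new_proc.endswith(r"\wermgr.exe") and new_proc not in STANDARD_WERMGR:
            hits.append("wermgr_outside_system_dirs")
        if parent.endswith(r"\wermgr.exe"):
            hits.append("child_of_wermgr")
    return hits

def hunt(events):
    # Map each check name to the indexes of the events that triggered it.
    out = {}
    for i, ev in enumerate(events):
        for name in check_event(ev):
            out.setdefault(name, []).append(i)
    return out

# Constructed sample events (not real telemetry); the key path mirrors the one in the post.
KEY = r"\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps"
SAMPLE_EVENTS = [
    {"DeviceEventClassID": "4657", "FileName": KEY, "DeviceCustomString6": "SymbolicLinkValue"},
    {"DeviceEventClassID": "4657", "FileName": KEY, "DeviceCustomString6": "ExampleValue"},
    {"DeviceEventClassID": "110", "SourceProcessName": QUEUE_TASK},
    {"DeviceEventClassID": "4688", "SourceProcessName": r"C:\Windows\System32\svchost.exe",
     "DestinationProcessName": r"C:\Windows\System32\wermgr.exe"},
    {"DeviceEventClassID": "4688", "SourceProcessName": r"C:\Windows\explorer.exe",
     "DestinationProcessName": r"C:\Users\Public\wermgr.exe"},
    {"DeviceEventClassID": "4688", "SourceProcessName": r"C:\Users\Public\wermgr.exe",
     "DestinationProcessName": r"C:\Users\Public\unknown.exe"},
]
```

Calling hunt(SAMPLE_EVENTS) flags only events 0, 2, 4 and 5; the legitimate System32 wermgr.exe start and the non-symlink registry write produce no hits.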
The exploitation of the MiniPlasma vulnerability using the published PoC is successfully detected by Kaspersky Next EDR Expert and Kaspersky Extended Detection and Response via the following rules:
- Detection of symbolic link creation in the \Software\Policies\Microsoft\CloudFiles\BlockedApps key via the suspicious_modification_cloudfiles_symbolic_link_reg rule.
- Detection of system utilities appearing outside system directories via the create_file_named_like_system_tool_in_wrong_place rule.
- Detection of system binary execution from non-standard directories via the executing_file_named_like_system_tool_in_wrong_place rule.
- Detection of .NET library loading from non-standard directories via the load_dotnet_library_by_process_from_non_standard_directory rule.
MiniPlasma: detecting exploitation of a critical unpatched Windows vulnerability


Artem
Hope he’ll escape criminal prosecution from Microsoft. It must be both sides who are guilty in this noisy story. Microsoft, like other vendors, is under big pressure these days when security researchers utilize AI agents and tools for vulnerability research automation (mostly for open source, right?). As Linus Torvalds said recently – the Linux kernel mailing list is simply flooded with reports from security researchers claiming they found “a new vulnerability that should be fixed immediately”. Microsoft must also be on the secret list of companies participating in Anthropic’s Project Glasswing, which is deploying and testing their powerful Mythos model for vulnerability research. So their backlog is full of vuln reports. Anyway, his repo was deleted from GitHub and his account was blocked as well.
It’s a tough year for Microsoft. In addition to the backlash on reddit for integrating Copilot everywhere in the OS, including Notepad and Paint, now an army of researchers shame them across various reddit subs.
Artem
There’s no fix for MiniPlasma
https://www.zerodayinitiative.com/blog/2026/6/9/the-june-2026-security-update-review
Pele
“To comprehensively address the vulnerability identified by CVE-2020-17103 and recently publicly referred to as “Mini-Plasma” Microsoft recommends installing the June 2026 updates for your Windows operating systems”. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17103
Artem
“Last updated: Jun 9, 2026”
Yep, you’re right, they did it. However, at first glance, it wasn’t clear since that old CVE bulletin wasn’t mentioned in the June 2026 Patch Tuesday note. Now all Nightmare-Eclipse’s vulns are closed, except for the recently published RoguePlanet.
In fact, they should have issued another CVE, no..