Chaotic Eclipse: May 2026
Friday, 15 May 2026
MiniPlasma, a powerful LPE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This one was accidental; I didn't even think cldflt.sys had that vulnerability. Turns out the CVE-2020-17103 patch is just not present at all?
The new PoC was tested against fully patched Windows 11 and Windows Server 2025 and managed to flawlessly spawn a SYSTEM shell.
https://github.com/Nightmare-Eclipse/MiniPlasma
Thursday, 14 May 2026
Important updates regarding YellowKey and GreenPlasma
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Recently, two researchers made interesting discoveries regarding YellowKey and GreenPlasma.
YellowKey is caused by the binary "autofstx.exe", which propagates all present volumes for transaction files. A researcher (unsure if they want to be named) told me that this binary is also present in Windows Update WinRE images, and I think they will definitely have the same vulnerability as well. However, I'm unsure if it's possible to trigger the controlled file deletion while Windows is updating. If it's true, then it means disabling WinRE is not a solution for the problem, which also means it's a good thing that I kept the PIN+TPM PoC a secret.
Regarding GreenPlasma, I'm unaware if anyone has managed to make a full exploit yet, but people are trying hard to make it work, as it obviously violates a Windows security boundary. The thing is, another researcher noticed one of my techniques to write in a protected registry key in HKCU (which isn't a security boundary), but they also told me that, hypothetically speaking, this technique could be used to write in another user's hive, which is obviously an EoP.
This technique that I used was inspired by a Google Project Zero finding:
https://project-zero.issues.chromium.org/issues/42451192
After reading this issue, I attempted to figure out how Microsoft patched the issue, but I never found out how. At that point I was a bit too tired, so I thought maybe it's something I missed and it's definitely patched. To my surprise, the researcher who reached out regarding this has managed to reproduce the issue on a fully patched Windows 11 machine + Windows Insider Preview. Which means this was an elevation of privilege vulnerability that was sitting in plain sight for God knows how long.
I have not tested whether either the YellowKey or GreenPlasma news is true, but I believe it is. I uploaded the CVE-2020-17103 PoC from Project Zero directly to GitHub in case Project Zero decides to remove it. It will still be there on GitHub.
Wednesday, 13 May 2026
We're doing silent patches now huh, also a quick note about YellowKey
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I just noticed that Microsoft silently patched the RedSun vulnerability: no CVE, no nothing, just a silent patch. Not surprised they never admit their mistakes, but considering it was under active exploitation, having zero advisory is insane.
Now regarding YellowKey, lots of you are wondering how one even finds such a backdoor?
I'll tell you how: it took me more time trying to get it to work than the amount of sleep I had in two years combined. No AI involved, no help in any shape or form. I could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft.
Funny thing is, no one, and I say again NO ONE, has managed to figure out how YellowKey works; the real root cause is still unknown to the general public. I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden.
Second thing is: no, TPM+PIN does not help, the issue is still exploitable regardless. I asked myself this question: can it still work in a TPM+PIN environment? Yes it does. I'm just not publishing the PoC; I think what's out there is already bad enough.
I can't wait until I'm allowed to disclose the full story. I think people will find my crashout very reasonable, and it definitely won't be a good look for Microsoft.