GreenPlasma, MiniPlasma & RoguePlanet: Anatomy of 2026’s Chaotic Eclipse Windows SYSTEM Zero-Days
Three local privilege escalation bugs, three trusted Windows subsystems, one researcher with a grudge and a public timeline. Between April and June 2026 the persona known as Nightmare Eclipse (also Chaotic Eclipse) burned a string of Windows LPE zero-days that all share a nasty property: they pop NT AUTHORITY\SYSTEM on fully patched Windows 10 and 11. We’re gonna pull apart the three most instructive of them — GreenPlasma, MiniPlasma, and RoguePlanet — because each is a clean specimen of a vulnerability class every red teamer and defender should have internalized by now. And because one of them is still unpatched as I write this.
The Chaotic Eclipse campaign in context
This isn’t a normal coordinated-disclosure story. Nightmare Eclipse has dropped six Windows zero-day exploits since early April 2026 — BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma — in what multiple researchers read as a retaliatory campaign following an alleged breakdown in communication with Microsoft. Three of the earlier ones (BlueHammer / CVE-2026-33825, RedSun / CVE-2026-41091, UnDefend / CVE-2026-45498) were exploited in the wild before patches shipped.
The platform takedowns made it worse, not better. GitHub terminated the Nightmare-Eclipse account and wiped all six exploit repos on May 23, 2026; GitLab suspended the mirror on May 26. Within hours the code was on paste sites, forums, and alternative Git hosts — the classic Streisand acceleration. By the time you read a takedown notice, the artifact is already in fifty other places.
For defenders the lesson isn’t “watch this one actor.” It’s that the targets keep coming from the same place: long-lived, high-privilege Windows components that have to touch attacker-controllable data by design. Here’s the lineup we’re dissecting:
| Codename | CVE | Component | Class | Patch status (June 2026) |
|---|---|---|---|---|
| GreenPlasma | CVE-2026-45586 | Collaborative Translation Framework (ctfmon.exe) | CWE-59 link following | Fixed (June 9 Patch Tuesday) |
| MiniPlasma | CVE-2020-17103 | Cloud Files mini-filter (cldflt.sys) | Race + arbitrary registry write | Fixed (June Patch Tuesday) — regression of a 2020 fix |
| RoguePlanet | CVE-2026-50656 | Microsoft Malware Protection Engine (MsMpEng.exe) | CWE-362 TOCTOU / CWE-59 | Unpatched |
Why your security stack is the attack surface
There’s an uncomfortable pattern in all three: the vulnerable code is part of a trusted, privileged, always-on Windows service that exists to process input from low-privilege contexts. That’s not coincidence — it’s the structural definition of a privileged intermediary, and it’s where local EoP lives.
Think about what each of these services has to do:
- CTF / `ctfmon.exe` runs to broker text, voice, and handwriting input across every interactive session. By design it reads files and named objects that lower-privilege apps can influence.
- `cldflt.sys` is a filesystem mini-filter sitting in the I/O path under OneDrive, hydrating placeholder files on demand. It makes security decisions about files that standard users create and manipulate.
- `MsMpEng.exe` — Defender’s engine — opens, reads, and remediates every file an attacker drops. Its entire job is to handle hostile input as SYSTEM.
When a SYSTEM-level process performs a file or object operation using a name that a standard user can influence — or makes a security decision at one instant and acts on it at another — you have the raw material for elevation. The privilege boundary the attacker wants to cross is already being straddled by the service on every single operation. The print spooler, Task Scheduler, the Defender update mechanism in BlueHammer — it’s the same well, hit over and over.
ATT&CK-wise, the whole campaign maps cleanly:
| Technique | ID | Where it shows up |
|---|---|---|
| Exploitation for Privilege Escalation | T1068 | All three — the core EoP |
| Access Token Manipulation: Token Impersonation/Theft | T1134.001 | MiniPlasma’s impersonation race trigger |
| Impair Defenses: Disable or Modify Tools | T1562.001 | RoguePlanet abuses Defender’s own pipeline |
| Hijack Execution Flow | T1574 | GreenPlasma redirecting a privileged file op via reparse |
| Modify Registry | T1112 | MiniPlasma’s .DEFAULT hive write primitive |

The two bug classes you need cold: link following and TOCTOU
Before the deep dives, internalize the two CWEs, because all three exploits are variations on them.
CWE-59 — Improper Link Resolution Before File Access (“link following”). A privileged process opens a resource by name. An attacker controls some component of that name space — a directory entry, an Object Manager namespace entry, a filesystem path — and plants a reparse point, NTFS junction, hard link, or Object Manager symbolic link so the name resolves to a target the attacker chose but the privileged process never intended. The service follows the link with its own token. If the operation is a write or a create, you now have an arbitrary write as SYSTEM.
CWE-362 — TOCTOU (Time-of-Check to Time-of-Use). A privileged process performs two non-atomic steps against a named resource: a check (validate this path / this file is safe) and a use (act on that path). Between those two instants there’s a window. If the attacker can swap what the name points to during the window, the check passes against benign content and the use operates on malicious content. The fix is almost always the same: stop re-resolving the name. Open once, get a handle, and do both the check and the use against that handle so the kernel object identity is pinned.
Notice these aren’t unrelated. A link-following bug is frequently how you win a TOCTOU race — you swap a directory entry for a reparse point at the right moment. RoguePlanet is literally classified both ways (more on that below), and that’s not a contradiction.

GreenPlasma: CTF, the Object Manager namespace, and a followed link
CVE-2026-45586 lives in the Windows Collaborative Translation Framework, implemented by the CTF Monitor process ctfmon.exe. CTF is the plumbing behind the Text Services Framework (TSF) — the COM-based input stack exposing interfaces like ITfInputProcessorProfiles and ITfCompartmentMgr, brokered through ctfmon.exe and TextInputHost.exe. It’s elevated in certain contexts and it talks to many apps at once, which is exactly why it’s a juicy target.
The root cause is CWE-59. CTF builds a path or named-object name and accesses it without verifying that the name resolves where it expects. Reporting describes GreenPlasma as letting an unprivileged user cause CTF to create section/object resources inside SYSTEM-writable locations — i.e., the attacker redirects a privileged file/object operation to a target of their choosing.
The vulnerable pattern looks like this. A privileged service composes a name from partly-controllable input and opens it without canonicalizing or rejecting reparse points:
```c
// Illustrative of the CWE-59 pattern in a privileged service — NOT the actual CTF code path.
// The flaw: a name is built and opened with the service's (SYSTEM) token,
// with no reparse-point/canonicalization check between build and open.
#include <windows.h>
#include <stdio.h>

HANDLE OpenSessionObject(DWORD sessionId, PCWSTR objectLeaf)
{
    WCHAR path[MAX_PATH];
    // Name partly derived from a value a lower-privileged caller can influence.
    swprintf_s(path, MAX_PATH,
               L"\\Sessions\\%lu\\BaseNamedObjects\\%s", sessionId, objectLeaf);
    // BUG: opened by NAME with the service token. If 'path' (or a parent in the
    // namespace) has been replaced with an Object Manager symlink, the create/open
    // is redirected — and the service follows it as SYSTEM.
    // FIX: open O_NOFOLLOW-equivalent (FILE_FLAG_OPEN_REPARSE_POINT) and reject,
    // or impersonate the caller so the open happens under the caller's token.
    return CreateFileW(path, GENERIC_WRITE, 0, NULL,
                       OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
}
```

The redirection primitive a standard user can plant lives in the Object Manager namespace. A user can create a symbolic link object in their own session’s `\Sessions\<n>\BaseNamedObjects\` and point it wherever the privileged operation will land:
```c
// Conceptual redirection primitive — Object Manager symlink in the caller's session.
// This is the standard "control the namespace, let the privileged service follow it" idea.
#include <windows.h>
#include <winternl.h>

NTSTATUS PlantRedirect(PCWSTR linkName, PCWSTR target)
{
    UNICODE_STRING uLink, uTarget;
    OBJECT_ATTRIBUTES oa;
    HANDLE hLink;
    RtlInitUnicodeString(&uLink, linkName);   // e.g. \Sessions\1\BaseNamedObjects\<leaf>
    RtlInitUnicodeString(&uTarget, target);   // attacker-chosen destination
    InitializeObjectAttributes(&oa, &uLink, OBJ_CASE_INSENSITIVE, NULL, NULL);
    // Standard user can create symlinks in their own BaseNamedObjects directory.
    return NtCreateSymbolicLinkObject(&hLink, SYMBOLIC_LINK_ALL_ACCESS, &oa, &uTarget);
}
```

When CTF, running with the elevated token, resolves the name, it traverses the attacker’s link and performs its create/write against the redirected target. Turn that into a controlled write to a location SYSTEM trusts — a DLL search path, a service binary, a section another privileged process maps — and you’ve got code execution as SYSTEM.
Microsoft rated it Important, CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and confirmed it was publicly disclosed before a fix existed — a genuine zero-day. The fix shipped in the June 9, 2026 update, covering Windows Server 2012 through Windows 11 26H1. The patch class for this is exactly what you’d expect: canonicalize and reject reparse points on the privileged open, or impersonate the requesting caller so the operation no longer happens with the SYSTEM token.
MiniPlasma: a 2020 Forshaw bug that walked back into Windows 11
MiniPlasma is the one that should make you angry as an engineer, because it’s a regression. It targets CVE-2020-17103, a flaw James Forshaw of Google Project Zero reported in September 2020 and Microsoft patched in December 2020. Chaotic Eclipse’s claim — and the working PoC backs it — is that the fix either never properly applied or was silently rolled back, and the original PoC still works on current Windows 11 and Server 2022/2025, modified to spawn a SYSTEM shell instead of just creating registry keys.
The bug is in the Cloud Files mini-filter driver, cldflt.sys — the kernel component behind OneDrive’s “Files On-Demand.” It sits in Filter Manager at altitude 180000–189999 and intercepts I/O to placeholder files: stubs on disk that get hydrated (their real content fetched) when something opens them. The vulnerable logic involves the undocumented CfAbortHydration API and the internal routine HsmOsBlockPlaceholderAccess, which makes access decisions on placeholder I/O. Forshaw’s original finding was that arbitrary registry keys could be created in the .DEFAULT user hive (HKEY_USERS\.DEFAULT) without proper access checks — and that’s an arbitrary-write-as-SYSTEM primitive.
The trigger uses thread token impersonation to win a race in the filter callback. Conceptually: the user-mode side drives the placeholder lifecycle through documented Cloud Files entry points while controlling the security context the filter sees mid-operation.
```c
// Illustrative of the Cloud Files placeholder lifecycle the filter callbacks hang off.
// The race lives between the access decision (HsmOsBlockPlaceholderAccess) and the
// follow-on operation while the calling thread's token is manipulated.
// Uses only the documented Cloud Files API (cfapi.h).
#include <windows.h>
#include <cfapi.h>

void DrivePlaceholder(PCWSTR placeholderPath)
{
    HANDLE hFile = NULL;
    // Open the placeholder requesting an oplock so the driver hands us a hydration
    // callback we can stall on — this is the lever that widens the window.
    if (FAILED(CfOpenFileWithOplock(placeholderPath, CF_OPEN_FILE_FLAG_WRITE_ACCESS, &hFile)))
        return;
    // Kick hydration of the whole file (offset 0, length -1 = to end of file).
    // The filter's HsmOsBlockPlaceholderAccess path runs its access check here.
    // If the caller's thread token is swapped between the check and the privileged
    // follow-on (the .DEFAULT registry key creation), the check is made against one
    // context and the action taken under another.
    LARGE_INTEGER offset = { 0 };
    LARGE_INTEGER length;
    length.QuadPart = -1;
    CfHydratePlaceholder(hFile, offset, length, CF_HYDRATE_FLAG_NONE, NULL);
    // --- attacker-controlled window: SetThreadToken / ImpersonateLoggedOnUser ---
    // (deliberately not reconstructed — the point is WHERE the gap is, not a recipe)
    CfCloseHandle(hFile);
}
```

The defensive takeaway for builders is bigger than this one driver: a security patch without a regression gate on every shipping branch is half a patch. A fix that lands in one servicing branch and silently misses another is how a 2020 CVE gets a 2026 SYSTEM shell. MiniPlasma was re-fixed in the June 2026 Patch Tuesday alongside GreenPlasma and YellowKey.
RoguePlanet: turning Defender’s quarantine against itself
Now the one that’s still live. I’m going to walk the mechanism and the detection in full, and I’m deliberately not going to hand you the race-widening chain, because as of this writing there’s no patch and a functional public PoC already exists. Defenders need the model. Nobody needs another copy of the weapon.
CVE-2026-50656, RoguePlanet, is a TOCTOU race in the Microsoft Malware Protection Engine — MsMpEng.exe, running as NT AUTHORITY\SYSTEM. MSRC published the advisory on June 16, 2026. CVSS 7.8, but look at the vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The AC:H is the tell — High attack complexity reflects that you’re racing, and races are probabilistic. The researcher put it plainly: “it’s a hit or miss… I have managed to get a 100% success rate on some machines while it struggled to work on others.”
The mechanism is the textbook CWE-362 pattern dressed up in a security product. During a scan-and-remediate flow, Defender:
- Checks a file by path — validates it, classifies it, decides to act.
- Uses the path — reopens it to read, quarantine, or remove.
Those two steps are non-atomic and both resolve a name. The exploit lives in the gap. Swap what the path resolves to between check and use — benign content at check time, attacker-chosen target at use time — and Defender performs its SYSTEM-privileged remediation action against something it never validated. Howler Cell’s framing is exact: RoguePlanet turns Defender’s own quarantine process against it.
This is also why MSRC tags it CWE-59 while analysts call it CWE-362, and both are right. The underlying mechanic is the TOCTOU window (CWE-362); the exploitable symptom is that the path swapped during the window is a link/reparse resolution issue (CWE-59). The race is the door; link following is what you shove through it.
Here’s the abstract anti-pattern, and the fix, side by side — generic, not Defender’s code:
```c
// Generic check/use pattern — not Defender's code. classify(), act_on(),
// open_no_reparse(), classify_handle() and act_on_handle() stand in for the
// scanner's own routines and are only declared here.
#include <windows.h>

enum remediate_result { BENIGN = 0, BLOCKED = 1, OPEN_FAILED = -1 };

int    classify(const wchar_t *path);
int    act_on(const wchar_t *path);
HANDLE open_no_reparse(const wchar_t *path);
int    classify_handle(HANDLE h);
int    act_on_handle(HANDLE h);

// VULNERABLE: check and use both re-resolve the NAME. Window between them.
int remediate_by_name(const wchar_t *path) {
    if (classify(path) != BENIGN)          // TIME OF CHECK: resolves 'path'
        return BLOCKED;
    // <-- attacker swaps what 'path' points to during this window -->
    return act_on(path);                   // TIME OF USE: re-resolves 'path'
}

// FIXED: resolve ONCE to a handle (kernel object identity), check & use the handle.
int remediate_by_handle(const wchar_t *path) {
    HANDLE h = open_no_reparse(path);      // single resolution, reject reparse points
    if (h == INVALID_HANDLE_VALUE) return OPEN_FAILED;
    int verdict = classify_handle(h);      // check against the pinned object
    if (verdict != BENIGN) { CloseHandle(h); return BLOCKED; }
    int rc = act_on_handle(h);             // use the SAME object — no re-resolution
    CloseHandle(h);
    return rc;
}
```

Two things about the public PoC’s shape matter for defenders without giving anyone a recipe. First, the window gets widened by stalling the privileged thread at the check — the general family here is opportunistic locks: arm an oplock on the target so the privileged open triggers an oplock break that pauses MsMpEng exactly where you want it, giving the swap plenty of time. Second, the current PoC depends on mounting an ISO as a standard user as part of staging the swap, which is precisely why “the exploit does not work on Windows Server in its current form — standard users cannot mount an ISO image.” Both of those are detection and hardening levers, which is the whole point of knowing them.
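The remediate_by_name / remediate_by_handle contrast above, and the CWE-59 / CWE-362 discussion earlier, as an added example that is not from the page or from Microsoft: a POSIX analogue in Python that runs both shapes against a constructed temporary directory and shows what each one actually modifies. A symlink stands in for the reparse-point or Object Manager redirection on Windows; os.O_NOFOLLOW plus fstat on the descriptor stands in for FILE_FLAG_OPEN_REPARSE_POINT and checking the opened object. The "remediation" is a plain truncate, the "scanner" is a byte marker, and every file name and content is constructed. It is the kind of regression test a maintainer would add to prove the hardened routine pins the object.

```python
"""POSIX analogue of remediate_by_name vs remediate_by_handle (added example).

The 'swap' callback is the race window made deterministic: the harness calls it
exactly where a racing attacker would have to win. Linux/macOS only (symlinks,
O_NOFOLLOW, pread)."""
import os
import stat
import tempfile

BENIGN, MALICIOUS = "benign", "malicious"


def classify_bytes(data: bytes) -> str:
    """Stand-in for the scanner verdict: a constructed marker decides."""
    return MALICIOUS if b"EVIL" in data else BENIGN


def remediate_by_name(path: str, swap) -> str:
    """Vulnerable shape: the check resolves the name, then the use re-resolves it."""
    with open(path, "rb") as f:                     # TIME OF CHECK: resolves 'path'
        if classify_bytes(f.read()) != MALICIOUS:
            return "left-alone"
    swap()                                          # the window
    with open(path, "wb"):                          # TIME OF USE: re-resolves 'path'
        pass                                        # "remediation": truncate to zero
    return "remediated"


def remediate_by_handle(path: str, swap) -> str:
    """Fixed shape: resolve once to a descriptor, then check and use that object."""
    try:
        fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW)  # refuse a link at the leaf
    except OSError:
        return "rejected-link"
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):     # identity is pinned to fd
            return "rejected-type"
        if classify_bytes(os.pread(fd, 1 << 16, 0)) != MALICIOUS:
            return "left-alone"
        swap()                                         # same window, but...
        os.ftruncate(fd, 0)                            # ...the use hits the same inode
        return "remediated"
    finally:
        os.close(fd)


def run_scenario(remediate, pre_planted: bool = False) -> dict:
    """Build a constructed sandbox, run one variant, report what it actually touched.

    pre_planted=True plants the link before the check (plain CWE-59);
    pre_planted=False swaps it inside the window (CWE-362 won via CWE-59)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "protected.txt")   # what must not be overwritten
        sample = os.path.join(d, "sample.bin")      # what the scanner is asked about
        with open(victim, "wb") as f:
            f.write(b"must survive")
        with open(sample, "wb") as f:
            f.write(b"EVIL marker, constructed")

        def plant_link():
            link = sample + ".swap"
            os.symlink(victim, link)
            os.rename(link, sample)                 # atomic directory-entry swap

        if pre_planted:
            plant_link()                            # link already there at check time
            window = lambda: None
        else:
            window = plant_link                     # link lands inside the window

        outcome = remediate(sample, window)
        with open(victim, "rb") as f:
            intact = f.read() == b"must survive"
        return {"outcome": outcome, "victim_intact": intact}


if __name__ == "__main__":
    for fn in (remediate_by_name, remediate_by_handle):
        print(fn.__name__, run_scenario(fn), run_scenario(fn, pre_planted=True))
```

Both routines report "remediated" for the in-window swap, but only the by-name version has destroyed protected.txt: the handle version truncated the original inode, which the attacker's rename had already detached from the name. With the link planted before the check, the by-name version is fooled into "left-alone" (it classified the benign target), while O_NOFOLLOW makes the by-handle version refuse the open outright.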
Status as of June 19, 2026: Remediation Level Unavailable, Exploit Code Maturity Functional, no update released. It hits fully patched Windows 10 and 11, including machines on the June 2026 cumulative update KB5094126, and ThreatLocker independently reproduced it on fully patched Windows 11. Microsoft’s line: “We are working to provide a high-quality security update… We will provide information in this CVE when the update is available.” Until then, detection is the control.

June 2026 Patch Tuesday: the scorecard
The June 9 Patch Tuesday batch was large — north of 200 CVEs across the month’s servicing, with multiple zero-days addressed. For this trio specifically:
| Codename | CVE | June 2026 status | Notes |
|---|---|---|---|
| GreenPlasma | CVE-2026-45586 | Patched | June 9 update, Server 2012 → Win11 26H1 |
| MiniPlasma | CVE-2020-17103 | Patched (re-fixed) | Regression of the 2020 fix |
| RoguePlanet | CVE-2026-50656 | Open | Watch the MSRC CVE page for the engine update |
One nuance that trips people up: Defender’s engine (AMEngineVersion) updates independently of OS cumulative updates, through the Defender platform/engine channel. When the RoguePlanet fix lands, it’ll likely arrive as an engine/platform bump, not necessarily a Tuesday CU — so don’t gate your patch verification solely on KB presence.
Detection & Defense
For RoguePlanet this section isn’t optional — it’s your only control. For the other two it’s defense-in-depth and threat hunting after you’ve patched.
Sysmon
| Event ID | Name | What to watch |
|---|---|---|
| 1 | Process Create | Children of ctfmon.exe, MsMpEng.exe, or cldflt-adjacent procs. Pivot on ParentImage, IntegrityLevel, CommandLine |
| 11 | File Create | Writes into %ProgramData%\Microsoft\Windows Defender\Quarantine\, plus CTF temp paths |
| 12/13/14 | Registry object/value | .DEFAULT hive writes (HKU\.DEFAULT) — the MiniPlasma primitive |
| 15 | FileCreateStreamHash | ADS creation tied to file-substitution staging |
| 17/18 | Pipe Created / Connected | CTF IPC abuse — low-priv proc connecting to CTF endpoints |
| 23 / 26 | File Delete (archived) / Delete detected | MsMpEng.exe remediation deletions — baseline, then alert on anomalies (Sysmon v11+) |
The single highest-signal rule across all three: MsMpEng.exe should essentially never be a ParentImage for a shell. If Defender’s engine spawns cmd.exe, powershell.exe, or wscript.exe, treat it as RoguePlanet-class until proven otherwise.
```yaml
title: MsMpEng spawning interactive shell (RoguePlanet-class EoP)
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\MsMpEng.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.t1562.001
```

```yaml
title: ctfmon.exe anomalous child or out-of-namespace object (GreenPlasma-class)
logsource:
  product: windows
detection:
  proc:
    ParentImage|endswith: '\ctfmon.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  obj:
    Image|endswith: '\ctfmon.exe'
    TargetObject|contains: '\BaseNamedObjects\'
  filter_legit:
    TargetObject|startswith: '\Sessions\'
  condition: proc or (obj and not filter_legit)
level: high
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.t1574
```

ETW providers
| Provider | Why |
|---|---|
| Microsoft-Windows-Kernel-File | File create/read/write/delete at kernel level — catches the swap inside a TOCTOU window |
| Microsoft-Windows-Kernel-Registry | .DEFAULT hive writes from the MiniPlasma class |
| Microsoft-Windows-FilterManager | Mini-filter load/unload and callback activity around cldflt.sys |
| Microsoft-Antimalware-Engine | Defender scan/detection/remediation events |
| Microsoft-Windows-Kernel-Process | Process create + token privilege changes |
Verify provider GUIDs on your own build (logman query providers / Get-WinEvent -ListProvider) — they drift across Windows versions, so don’t hardcode from a blog.
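The two Sigma rules and the Sysmon table rows above, as an added example rather than anything from the page, Sigma, or Sysmon themselves: the same predicates written in Python and run over constructed Sysmon-shaped events, so the logic can be unit-tested before it is deployed in a SIEM. The quarantine-path fragment and image names come from this section; the platform version, paths, PIDs and record ids are made up.

```python
"""Sysmon-style detections for this section, run over constructed events (added example)."""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
QUARANTINE_DIR = "\\windows defender\\quarantine\\"   # lower-cased fragment of the store path


def _base(path) -> str:
    """Case-insensitive basename of a Windows path (Sysmon logs full image paths)."""
    return ntpath.basename(path or "").lower()


def msmpeng_spawns_shell(ev) -> bool:
    """Sigma rule 1: Defender's engine is the parent of an interactive shell."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage")) == "msmpeng.exe"
            and _base(ev.get("Image")) in SHELLS)


def ctfmon_anomalous_child(ev) -> bool:
    """Sigma rule 2, 'proc' branch: ctfmon.exe spawning cmd or powershell."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage")) == "ctfmon.exe"
            and _base(ev.get("Image")) in {"cmd.exe", "powershell.exe"})


def msmpeng_write_outside_quarantine(ev) -> bool:
    """Sysmon 11 row: MsMpEng.exe creating a file anywhere but the quarantine store."""
    return (ev.get("EventID") == 11
            and _base(ev.get("Image")) == "msmpeng.exe"
            and QUARANTINE_DIR not in (ev.get("TargetFilename") or "").lower())


def default_hive_write(ev) -> bool:
    """Sysmon 12/13/14 row: any write landing in HKU\\.DEFAULT (MiniPlasma primitive)."""
    return (ev.get("EventID") in (12, 13, 14)
            and (ev.get("TargetObject") or "").upper().startswith("HKU\\.DEFAULT\\"))


RULES = (
    ("critical", "MsMpEng spawning interactive shell (RoguePlanet-class EoP)", msmpeng_spawns_shell),
    ("high", "ctfmon.exe anomalous child (GreenPlasma-class)", ctfmon_anomalous_child),
    ("high", "MsMpEng file create outside quarantine (RoguePlanet-class)", msmpeng_write_outside_quarantine),
    ("medium", "Write into HKU\\.DEFAULT hive (MiniPlasma primitive)", default_hive_write),
)


def evaluate(events):
    """Return (level, title, RecordId) for every event that trips a rule, in log order."""
    return [(level, title, ev["RecordId"])
            for ev in events
            for level, title, pred in RULES
            if pred(ev)]


# Constructed Sysmon-shaped events; the platform version folder is a placeholder.
PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-0"
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "ParentImage": PLATFORM + r"\MsMpEng.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "System"},
    {"RecordId": 2, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
    {"RecordId": 3, "EventID": 11, "Image": PLATFORM + r"\MsMpEng.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\0A\constructed"},
    {"RecordId": 4, "EventID": 11, "Image": PLATFORM + r"\MsMpEng.exe",
     "TargetFilename": r"C:\Windows\System32\constructed.dll"},
    {"RecordId": 5, "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKU\.DEFAULT\Software\Constructed\Key"},
    {"RecordId": 6, "EventID": 1, "ParentImage": r"C:\Windows\System32\ctfmon.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"RecordId": 7, "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Constructed\Key"},
]

if __name__ == "__main__":
    for level, title, rid in evaluate(SAMPLE_EVENTS):
        print(f"[{level}] record {rid}: {title}")
```

Records 1, 4, 5 and 6 trip a rule; the explorer-spawned shell, the write into the quarantine store and the HKLM registry write do not. Matching on the basename rather than the full path keeps the rules stable across Defender platform-version folders, and the case folding matters because Sysmon preserves whatever casing the image was launched with.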
Audit policy
Turn on the categories that actually catch these primitives:
- Object Access → File System / Kernel Object: 4663/4656/4659/4660 on the Defender quarantine folder and CTF temp paths.
- Privilege Use → Sensitive Privilege Use: 4673/4674 — flag `SeImpersonatePrivilege`/`SeAssignPrimaryTokenPrivilege` use by unexpected callers (MiniPlasma’s impersonation race).
- Detailed Tracking → Process Creation: 4688 with command-line logging (`ProcessCreationIncludeCommandLine = 1` via GPO).
Defender’s own log
Microsoft-Windows-Windows Defender/Operational — watch 1116 (malware detected), 1117 (action taken), 1118/1119 (remediation result), and especially 5007 (config change). Unexpected exclusion additions via 5007 are a classic post-EoP move; an attacker who just won RoguePlanet will often carve out an exclusion next.
MDE / Advanced Hunting
```kql
// RoguePlanet-class: Defender engine parenting a shell, or writing outside quarantine
DeviceProcessEvents
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName

DeviceFileEvents
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where ActionType in ("FileCreated","FileModified")
| where FolderPath !contains @"\Windows Defender\Quarantine"
| project Timestamp, DeviceName, FolderPath, FileName, ActionType
```

Hardening, with the RoguePlanet specifics
```powershell
# Confirm June 2026 CU and a current Defender engine — engine updates out-of-band,
# so don't trust the KB alone.
Get-HotFix | Where-Object HotFixID -eq 'KB5094126'
$s = Get-MpComputerStatus
$s | Select-Object AMEngineVersion, AMProductVersion, RealTimeProtectionEnabled, IsTamperProtected

# Compensating control for RoguePlanet: hunt the race-widening staging.
# 1) ISO mounts by standard users (the current PoC's Win-client-only dependency).
Get-WinEvent -LogName 'Microsoft-Windows-VHDMP-Operational' -MaxEvents 200 -EA SilentlyContinue |
    Where-Object { $_.Id -in 1,2,12,22 } |
    Select-Object TimeCreated, Id, Message
# 2) Long-held / anomalous activity around the Defender quarantine store.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663 } -MaxEvents 500 -EA SilentlyContinue |
    Where-Object { $_.Message -match 'Quarantine' }
```

Concrete actions, ordered by impact:
- Patch GreenPlasma and MiniPlasma now — June 2026 update (KB5094126 / per-OS equivalent).
- Watch CVE-2026-50656 on the MSRC update guide and deploy the engine fix the moment it ships; verify via `AMEngineVersion`, not just KB presence.
- Tamper Protection ON. Stops the attacker disabling Defender or carving exclusions after winning the race — and removes a whole class of follow-on.
- Restrict ISO/VHD mounting for standard users (WDAC/AppLocker around virtual disk ops, lock down `vds`/`StorSvc` exposure). On clients this directly degrades the current RoguePlanet staging; on Server it’s already moot, which is exactly why the PoC fails there.
- Alert on `MsMpEng.exe` as a process parent — the cleanest, lowest-false-positive RoguePlanet signal you have.
- Least privilege and interactive-logon hygiene. Every one of these needs a local foothold first. Shrink the population of standard users who can reach these surfaces.
Key takeaways
- Trusted security components are first-class attack surface. CTF, the Cloud Files filter, and Defender all process attacker-influenced input as SYSTEM by design. Treat your security stack as code that handles hostile data — because it does.
- Link following and TOCTOU are the same fight. Both come down to a privileged process trusting a name it shouldn’t. The durable fix is identical: resolve once to a handle, reject reparse points, and operate on the pinned kernel object — never re-resolve the name between check and use.
- A patch that misses a branch is a 2026 zero-day waiting to happen. MiniPlasma is a 2020 Forshaw bug that walked back into shipping Windows. Regression gates across every servicing branch aren’t optional.
- For unpatched RoguePlanet, detection is the control. `MsMpEng.exe` parenting a shell, writes outside the quarantine store, standard-user ISO mounts, and 5007 exclusion changes are your tripwires until the engine update lands. Tamper Protection plus ISO-mount restrictions meaningfully raise the cost of the race today.
- Takedowns don’t contain working exploits. By the time the repo is gone, the artifact is everywhere. Plan your defense as if the PoC is already on every box that matters — because operationally, it is.
References
- New Windows ‘MiniPlasma’ Zero-Day Exploit Gives SYSTEM Access, PoC Released — BleepingComputer
- Microsoft Defender ‘RoguePlanet’ Zero-Day Grants SYSTEM Privileges — BleepingComputer
- Microsoft Patches YellowKey, GreenPlasma, MiniPlasma Zero-Days — BleepingComputer
- Nightmare-Eclipse: Six Zero-Days, Six Weeks and One Big Grudge — Barracuda Networks Blog
- RoguePlanet: Windows Zero-Day Weaponizes Defender Quarantine Pipeline — Cyderes Howler Cell
- MiniPlasma: Windows Privilege Escalation Zero-Day Affects Fully Patched Systems — ThreatLocker Blog