Microsoft ‘Fixed’ a Windows Zero-Day in 2020 — A Researcher Just Proved It Still Works in 2026, and Published the Exploit on GitHub as a Resignation Letter to the Bug Bounty Program

🤚 The Open-Palm Patch That Wasn’t

In September 2020, James Forshaw of Google Project Zero reported a privilege escalation vulnerability in the Windows Cloud Filter driver (cldflt.sys), the minifilter behind OneDrive's Files On-Demand placeholders. Specifically, the HsmOsBlockPlaceholderAccess routine mishandled registry key creation reached through an undocumented CfAbortHydration API, allowing a caller to create arbitrary registry keys under the .DEFAULT user hive (HKEY_USERS\.DEFAULT) without proper access checks. A standard user could turn that into SYSTEM-level privileges.

Microsoft reportedly patched it in December 2020. The vulnerability was closed. The ticket was resolved. Everyone moved on with their lives.

Except the vulnerability didn’t actually go away. It just waited.

On May 17, 2026, a security researcher operating under the name “Chaotic Eclipse” published a full proof-of-concept exploit — source code and compiled executable — on GitHub, demonstrating that this exact same flaw still works on fully patched Windows 11 Pro systems, including those updated through May 2026’s Patch Tuesday. Windows Server 2022 and 2025 are also believed to be affected.

BleepingComputer confirmed the exploit works. Will Dormann of Tharsos independently verified it on Windows 11, noting it only failed on the latest Insider Preview Canary build — which, for those keeping score, approximately nobody runs in production.

👐 The Two-Handed Protest Filing

Here’s where it gets personal. Chaotic Eclipse didn’t release this exploit because they enjoy chaos (the name notwithstanding). They released it as part of a public protest against Microsoft’s vulnerability handling and bug bounty process. In their words, the disclosure came after “negative experiences” with the way Microsoft handles security reports.

Let’s appreciate the timeline:

  • 2020: Google Project Zero finds the bug
  • 2020: Microsoft says they fixed it
  • 2021–2025: Everyone trusts this is true because who checks?
  • 2026: A researcher checks. It’s not true.

Six years. The vulnerability sat in production Windows installations for roughly six years after being “resolved.” There are three ways that happens: the fix never actually landed, the fix landed and a later update quietly regressed it, or the fix blocked only the exact trigger in Forshaw’s report and left the underlying logic in place for a variant to reach. The CVE record does not distinguish between them, and all three are, to use the technical term, not great.

Microsoft’s official response to BleepingComputer was the corporate equivalent of a form letter: they “support coordinated vulnerability disclosure” and are “committed to investigating reported security issues.” Which is exactly what you say when a researcher just proved you didn’t investigate the last one.

🌿 The Gentle Awakening

There is something deeply philosophical about a security patch that doesn’t actually patch anything. It’s a Potemkin fix — a CVE entry that exists purely to reassure vulnerability scanners and compliance auditors that yes, this was handled, the checkbox is checked, the dashboard is green.

Every CISO who ran a vulnerability scan between 2021 and last Saturday received a clean bill of health for CVE-2020-17103. Every audit passed. Every compliance framework was satisfied. The paperwork was immaculate. The vulnerability was also fully functional. That is not a scanner bug, either: a scanner decides whether CVE-2020-17103 applies by checking the installed build number or the presence of the December 2020 update, not by exercising cldflt.sys. A patch that ships but does not work is invisible to that test by design.

This is the fundamental paradox of modern enterprise security: we have replaced actual security with evidence of security. The patch exists. The advisory was published. The ticket was closed. Therefore, we are safe. That the underlying code still allows a standard user to become SYSTEM is, apparently, a detail.

👑 The Gold-Leaf Bug Bounty Reckoning

Chaotic Eclipse’s protest raises a question that the security industry has been politely ignoring for years: what happens when the world’s most-used operating system has a bug bounty program that researchers actively distrust?

Microsoft’s bug bounty has been a subject of researcher frustration for some time. Complaints range from low payouts to slow response times to — as we see here — failing to actually fix the reported vulnerabilities. When a researcher decides that publishing a working SYSTEM-level exploit on GitHub is preferable to engaging with your security team, your process has not merely failed. It has failed so comprehensively that the failure itself has become a form of advocacy.

The broader industry should take note. Windows runs on over a billion devices. The Cloud Filter driver (cldflt.sys) ships with every installation. A privilege escalation to SYSTEM means any malware that lands on your machine with user-level access can promote itself to God mode. And the only reason we know about it is because someone got so frustrated with Microsoft’s bug handling that they decided to burn the house down on a Saturday.

If you’re a Windows administrator: there is currently no patch available, so your options are detection rather than prevention. The bug’s footprint is registry key creation under HKEY_USERS\.DEFAULT, so that is where to point your telemetry (Sysmon Event ID 12 covers registry key create and delete). Beyond that, monitoring and prayer. Welcome to the weekend.
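As an added example, not part of the original article and not derived from the Chaotic Eclipse proof-of-concept: the kind of check an administrator can run today, given that scanners grade the patch rather than the driver. It records which cldflt.sys is actually on disk and whether the minifilter is running, then snapshots the subkeys under HKEY_USERS\.DEFAULT and diffs them against a saved baseline, since that hive is where the bug creates keys. The baseline file location and the decision to snapshot the hive recursively are assumptions of the example, and it assumes an elevated PowerShell session.

```powershell
# Added example: inventory the Cloud Filter driver and diff HKU\.DEFAULT against a baseline.
# Not from the original article or the published PoC. Run from an elevated PowerShell session.
# Assumption: the baseline lives under ProgramData; change the path for your environment.
$BaselinePath = Join-Path $env:ProgramData 'cldflt-default-hive-baseline.json'

function Get-CldFltStatus {
    # What is actually on disk, as opposed to what the patch inventory says should be there.
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $file = Get-Item -LiteralPath $driverPath -ErrorAction Stop
    # The minifilter is registered as the CldFlt file system driver service.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CldFlt'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path         = $file.FullName
        FileVersion  = $file.VersionInfo.FileVersion
        LastWriteUtc = $file.LastWriteTimeUtc
        DriverState  = if ($svc) { $svc.State } else { 'not registered' }
    }
}

function Get-DefaultHiveSnapshot {
    # HKEY_USERS has no default PSDrive; address it through the registry provider.
    # Recursive so that a key created several levels down still shows up in the diff.
    # Subkeys the session cannot read are skipped silently, so compare like with like
    # (same account, same elevation) between the baseline run and later runs.
    $root = 'Registry::HKEY_USERS\.DEFAULT'
    @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name } |
        Sort-Object -Unique)
}

function Compare-DefaultHiveSnapshot {
    param([string[]]$Baseline, [string[]]$Current)
    # Keys present now that were absent from the baseline are the interesting ones for this bug;
    # removals are reported too so a rebuilt or pruned hive is visible rather than silently absorbed.
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { $_ -notin $Baseline })
        Removed = @($Baseline | Where-Object { $_ -notin $Current })
    }
}

Get-CldFltStatus | Format-List

$current = Get-DefaultHiveSnapshot
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: write the baseline. -InputObject keeps a one-element list as a JSON array.
    ConvertTo-Json -InputObject $current -Compress | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Host "Baseline of $($current.Count) keys written to $BaselinePath; re-run later to diff."
} else {
    $baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
    $diff = Compare-DefaultHiveSnapshot -Baseline $baseline -Current $current
    if ($diff.Added.Count -eq 0) {
        Write-Host "No new keys under HKEY_USERS\.DEFAULT since baseline ($($baseline.Count) keys)."
    } else {
        Write-Warning "$($diff.Added.Count) key(s) created under HKEY_USERS\.DEFAULT since baseline:"
        $diff.Added | ForEach-Object { Write-Warning "  $_" }
    }
    if ($diff.Removed.Count -gt 0) {
        Write-Host "$($diff.Removed.Count) key(s) from the baseline are gone."
    }
}
```

Take the baseline on a machine you have other reasons to believe is clean, and treat the diff as a tripwire rather than a detection pipeline: legitimate software does occasionally write under HKEY_USERS\.DEFAULT, so every hit needs a look at which process created the key. For continuous coverage, Sysmon Event ID 12 scoped to that hive gives you the creating process and image path at the moment of creation, which a periodic snapshot cannot.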

“The vulnerability was patched in 2020. The vulnerability was also exploitable in 2026. Both of these statements are in the CVE database, and both of them are considered accurate. We have achieved quantum security.” — The Slap of Wisdom Patch Management Bureau, updating its spreadsheet of things that are technically true