In a stunning revelation that underscores the persistent risks in modern operating systems, a security researcher has brought to light a critical zero-day vulnerability in Windows—one that was supposedly fixed years ago. Dubbed CVE-2020-17103, this flaw grants attackers full system-level access, and despite Microsoft's claimed patch in late 2020, the issue remains very much alive. Here are ten essential things you need to know about this alarming threat.
1. What Is CVE-2020-17103?
CVE-2020-17103 is a security vulnerability hiding deep within Windows core components. It was first documented back in 2020, but researchers now confirm it was never fully resolved. The flaw essentially bypasses access controls, allowing an attacker with limited user privileges to escalate their rights all the way to SYSTEM—the highest level of authority on any Windows machine. Once there, they can install programs, view or delete data, and create new accounts with full permissions. Think of it as a skeleton key that unlocks every door in the operating system.
2. Microsoft Promised a Patch—But It Didn't Stick
When Microsoft originally addressed CVE-2020-17103 in December 2020, security experts believed the fix was permanent. However, the researcher known as Nightmare-Eclipse (also called Chaotic Eclipse) discovered that the exact same issue persists. In his own words: "After investigating, it turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched." He speculates that the patch may have been silently rolled back or never truly applied. This broken promise leaves millions of systems exposed years later.
3. The Researcher Behind the Discovery
Nightmare-Eclipse is no stranger to high-impact vulnerabilities. He actively hunts for flaws in Microsoft software and has a track record of releasing proof-of-concept exploits to force immediate attention. For CVE-2020-17103, he created a tool called MiniPlasma to demonstrate the danger. His irritation with Microsoft's lax patching is evident: he doesn't just report bugs; he publicly proves they exist, often sharing code to show how easily attackers could weaponize them. This approach keeps the pressure on Redmond to deliver real fixes.
4. MiniPlasma: A Proof-of-Concept That Spawns a System Shell
The MiniPlasma exploit is both elegant and terrifying. It runs a simple program that, upon success, opens a command shell with SYSTEM-level privileges. That means an attacker can execute any command—from deleting system files to installing malware—without any user interaction beyond initial access. Nightmare-Eclipse published the exploit on GitHub, not to arm criminals, but to show that the vulnerability is easily reproducible. The original Google proof-of-concept from 2020 also works without modification, confirming that nothing has changed in years.
5. How Google Project Zero Fits In
Google's elite cybersecurity team, Project Zero, originally reported CVE-2020-17103 to Microsoft. At the time, Project Zero was known for its strict 90-day disclosure deadlines. After the patch was released, the issue faded from public view—until now. Nightmare-Eclipse's tests confirm that the very same technique Project Zero demonstrated still works. This is a troubling sign that Microsoft's security lifecycle may have gaps, where fixes are either incomplete or inadvertently rolled back during updates.
6. Every Windows Version Is at Risk
The researcher believes this flaw affects all supported versions of Windows, including Windows 11, Windows 10, and server editions. While he didn't test every single build, the underlying code path appears universal. That means an attacker could target a wide range of devices—from home laptops to corporate servers. The scale of potential exploitation is enormous, especially since no specific update has been rushed out since this reexposure.
7. A Race Condition Makes Exploitation Tricky but Doable
One warm blanket: the exploit isn't 100% reliable. Nightmare-Eclipse notes that success rates vary due to a race condition—a timing-based conflict between system processes. In practice, an attacker might need to run the exploit multiple times or under specific load conditions before gaining SYSTEM access. However, this is a minor obstacle for determined hackers. Automation and scripting can eventually overcome the randomness, especially if the target system is left idle for attacks to loop.
8. This Researcher Has a History of Poking Microsoft
Nightmare-Eclipse doesn't stop at Windows kernel flaws. Last month, he released an exploit for the RedSun vulnerability in Microsoft Defender, the built-in antivirus. That flaw allowed privilege escalation via scheduled scans. By repeatedly releasing working exploits, he's earned a reputation as a thorn in Microsoft's side—and a boon for security awareness. His public data forces both Microsoft and users to confront risks that might otherwise stay hidden in private bug databases.
9. What Attackers Can Do with Full System Access
Gaining SYSTEM access is a hacker's dream. With this privilege, an attacker can bypass all user account controls, disable security software, steal encrypted data from memory, and even install rootkits. They can also move laterally across networks, compromising other machines. For enterprise environments, this means a single exploited workstation can become a beachhead for ransomware, data exfiltration, or espionage. The vulnerability effectively neutralizes Windows' multi-layered security model.
10. Steps You Can Take to Protect Yourself
Given that Microsoft has not re-issued a patch, users must adopt proactive defenses. While keeping Windows updated is still wise, it won't fix this specific flaw yet. Strengthen your system with a reliable antivirus that includes behavior-based detection—something that can spot exploit patterns. Also consider a VPN to encrypt internet traffic and reduce attack surface. Restrict user permissions: if you don't need admin rights, don't use them. Finally, monitor for unusual system shells or processes; visibility tools can catch MiniPlasma-like activity early.
Conclusion
The re-emergence of CVE-2020-17103 is a stark reminder that patching isn't always permanent. Microsoft may have intended to fix this flaw six years ago, but the proof-of-concept works today without a hitch. As security researchers continue to spotlight these blind spots, users must stay vigilant and layer their defenses. While we await an official fix, understanding the threat and hardening your system is the best strategy to keep hackers from walking through an unlocked door.