Microsoft Windows LPE: Nightmare Eclipse Resurfaces Old CVE-2020-17103 Flaw

Security researcher Nightmare Eclipse claims Microsoft has failed to adequately patch CVE-2020-17103, a vulnerability originally reported by James Forshaw of Google Project Zero in 2020. According to LΣҒΔ𝕽ΩLL 🇮🇱, Nightmare Eclipse asserts that after re-examining the affected code area within cldflt.sys, the Local Privilege Escalation (LPE) issue persists. This suggests either the original patch was incomplete or the flaw was inadvertently reintroduced.

Nightmare Eclipse has reportedly published a Proof-of-Concept (PoC) on GitHub that achieves SYSTEM-level privileges on Windows. LΣҒΔ𝕽ΩLL 🇮🇱 emphasizes that this is not a zero-day but rather a resurfaced vulnerability from years ago, highlighting a potential oversight in Microsoft’s patching process. It underscores that even with significant resources, patching can be flawed, leaving systems exposed to previously identified weaknesses.

This LPE requires an attacker to already have access to the machine, meaning it’s not an internet-facing exploit. However, it’s a critical post-exploitation capability. An attacker who gains an initial foothold can leverage this to gain full control, bypass security controls, and deploy further malware or persist on the network. Defenders cannot dismiss LPEs; they are often the final step in a successful breach.

What This Means For You

  • If you manage Windows environments, this isn't a theoretical threat. This is a known vulnerability, CVE-2020-17103, that might not be fully mitigated even if you applied the original patch. Immediately re-evaluate your patch status for this specific CVE and look for any subsequent updates related to `cldflt.sys`. Assume any initial access on a Windows machine could lead to SYSTEM privileges if this flaw is indeed exploitable.
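As an added example (not from the original post, and unrelated to the researcher's PoC), a PowerShell inventory check that gathers what an administrator needs to re-evaluate CVE-2020-17103 on a host: the `cldflt.sys` file version and signature, whether the Cloud Files mini-filter service is present and running, and which hotfixes were installed after a chosen cutoff. It assumes the default driver path and the service name `CldFlt`; the fixed build number is not on this page and must be compared against Microsoft's advisory.

```powershell
# Added example: collect the facts needed to judge the patch state of the
# Cloud Files mini-filter driver (cldflt.sys) on the local host.
# Assumptions: default driver path under System32\drivers and the driver
# registered as service 'CldFlt' (verify both on your own build).
function Get-CldFltPatchState {
    [CmdletBinding()]
    param(
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'),
        # Constructed cutoff: list updates installed on or after this date
        # so later servicing of the driver is visible at a glance.
        [datetime]$Since = '2020-01-01'
    )

    $state = [ordered]@{
        DriverPath      = $DriverPath
        Exists          = Test-Path -LiteralPath $DriverPath
        FileVersion     = $null
        LastWriteUtc    = $null
        SignatureStatus = $null
        Signer          = $null
        ServiceStatus   = 'not registered'
        OSBuild         = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        HotFixesSince   = @()
    }

    if ($state.Exists) {
        $file = Get-Item -LiteralPath $DriverPath
        $state.FileVersion  = $file.VersionInfo.FileVersion
        $state.LastWriteUtc = $file.LastWriteTimeUtc
        # A tampered or replaced driver would fail Authenticode validation.
        $sig = Get-AuthenticodeSignature -FilePath $DriverPath
        $state.SignatureStatus = $sig.Status
        $state.Signer          = $sig.SignerCertificate.Subject
    }

    # Service name 'CldFlt' is an assumption; absent means the filter is not registered.
    $svc = Get-Service -Name 'CldFlt' -ErrorAction SilentlyContinue
    if ($svc) { $state.ServiceStatus = $svc.Status }

    # Hotfixes after the cutoff, newest first; compare the file version above
    # against the build Microsoft lists as fixed for CVE-2020-17103.
    $state.HotFixesSince = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]$state
}

Get-CldFltPatchState | Format-List
```

Run it in an elevated session so `Get-AuthenticodeSignature` and `Get-HotFix` can read everything; the output is a single object, so it can be exported per host for fleet-wide comparison.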

🛡️ Detection Rules


Rule: Privilege Escalation via cldflt.sys LPE - Nightmare Eclipse (severity: critical; MITRE ATT&CK T1068, Privilege Escalation)

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2020-17103 | Privilege Escalation | Microsoft Windows Local Privilege Escalation (LPE) via cldflt.sys |
| CVE-2020-17103 | Affected Component | cldflt.sys driver in Microsoft Windows |
| CVE-2020-17103 | Affected Product | Microsoft Windows |
