A Windows zero-day Microsoft patched in 2020 still works. Researcher Nightmare-Eclipse took Project Zero's original 2020 proof-of-concept, the same code Microsoft was supposed to have fixed five and a half years ago, recompiled it against fully patched Windows 11 Pro, and got SYSTEM. Your scanner has been listing CVE-2020-17103 as patched the whole time. Microsoft separately refused to CVE an Azure Backup flaw this week that lets a low-privileged user take over a Kubernetes cluster. And the Mini Shai-Hulud worm hit Alibaba's @antv npm packages, where it now steals developer credentials and republishes infected versions automatically. Most weeks the news is that something new broke. This week, several things that were supposed to be fixed never were.
The technical story is narrow. The Windows Cloud Filter driver cldflt.sys has a routine called HsmOsBlockPlaceholderAccess that handles registry-key creation for OneDrive placeholder files. In September 2020, James Forshaw at Project Zero showed that an undocumented API tied to that routine let arbitrary keys be created in the .DEFAULT user hive without proper access checks. NIST assigned CVE-2020-17103 a CVSS 7.8; Microsoft's own assessment came back at 7.0. Microsoft shipped a patch in December 2020. Forshaw moved on. The CVE went green in scanners.
This week the researcher Chaotic Eclipse (also Nightmare-Eclipse on GitHub) recompiled Forshaw's original PoC against current Windows 11 Pro with the May 2026 patches installed and got SYSTEM. No exploit-development work. Same code path. Same registry key. Same outcome. The December 2020 patch closed one entry point into the vulnerable routine and never addressed the routine's underlying behavior. Microsoft has said it is investigating; ThreatLocker has shipped a detection policy for the registry-key creation pattern. CVE-2020-17103 is still listed as patched in every scanner that ingests NVD.
CVE-2020-17103 went green in scanners in December 2020. Forshaw's PoC, unchanged, still gets SYSTEM in 2026. The CVE-state of a vulnerability is not the lived state of the codepath.
MiniPlasma is the technical story. The week also produced two more data points about how Microsoft handles disclosures that don't fit neatly into MSRC's process. A researcher reported a critical Azure Backup for AKS flaw that let a Backup Contributor user reach Kubernetes cluster admin without any prior cluster permissions. Microsoft rejected the report on April 13, recommended against CVE assignment on May 4, and shipped changes that introduced new permission checks, which the researcher could observe but which were never documented as a patch. CERT/CC took an intake number on the report, but that does not constitute validation.
That pattern rhymes with April 28's Semantic Kernel chain, six bypasses ending in full RCE against Microsoft's own AI agent framework, that MSRC closed as "Developer Error" with mitigations quietly merged upstream. Three incidents inside a month carry the same shape: critical researcher report, contested rating or refused CVE, silent code change, no customer notification. MiniPlasma adds a fourth wrinkle the other two don't have. Microsoft contested NIST's CVSS 7.8 in 2020 and then never reissued the patch when the bug came back. The defensive consequence is the same across all three: enterprise SCA programs that triage off the CVE feed are working from a vendor's filtered view of its own product.
Microsoft is the source-of-truth for whether a Microsoft bug exists in your inventory. Three incidents this month show what happens when that source-of-truth is wrong.
UK AISI's new benchmarks measure the longest autonomous penetration-testing task an AI model can complete with 80% success, across a suite of 95 cyber tasks at four difficulty tiers. The headline statistic is the doubling rate. In November 2025, the difficulty AISI's best-evaluated model could handle was doubling every eight months. By February it was doubling every 4.7 months. The latest Claude Mythos Preview and GPT-5.5 have both outpaced that curve. What is new this week is the specific environment they have now solved: "The Last Ones," a 32-step corporate-network simulation AISI built with SpecterOps, modelled on a real enterprise intrusion kill chain across four subnets and roughly twenty hosts. Claude Mythos Preview is the first model to clear it. The benchmark caps each run at 2.5 million tokens, which understates what a well-prompted attacker actually fields in production.
Synack's 2026 State of Vulnerabilities report puts the operational consequence in plain numbers. The average disclosure-to-exploit window dropped from 56 days in 2024 to roughly 10 hours in 2026, against 11,000+ exploitable vulnerabilities across customer environments. Pwn2Own Berlin 2026 wrapped this week with 47 zero-days and $1.298M paid out, including a chain DEVCORE's Cheng-Da Tsai used to get SYSTEM on Microsoft Exchange. The two numbers do not match. Mandiant's M-Trends 2026 puts industry mean time to remediation in the hundreds of days against an exploit window now measured in hours.
Ten hours to exploit. Multi-hundred days, median, to remediate. The toolchain inherited from the pre-AI era was never sized for that gap, and it is not going to grow into it.
GitGuardian's 2026 State of Secrets Sprawl report counted 28.65 million new hardcoded secrets added to public GitHub commits in 2025, a 34% jump and the largest single-year increase ever recorded. AI-service credentials climbed 81% year over year. Inside that total, 24,008 unique secrets were exposed in MCP configuration files alone. Wiz's Moltbook writeup is the operational shape of those statistics. A vibe-coded social network for AI agents shipped with a Supabase database whose Row Level Security was disabled, plus a Supabase API key embedded in client-side JavaScript. Within minutes of looking, Wiz pulled 1.5 million authentication tokens, 35,000 email addresses, and private agent messages.
The receiving side is just as messy. Open-source maintainers are reporting a flood of low-quality AI-generated vulnerability reports, and GitHub has started requiring proof-of-concept submissions to reduce the noise. More code shipped without security review on one side, more low-signal reports drowning the volunteer triage queue on the other. The CISA contractor leak of AWS GovCloud keys Brian Krebs broke this week is the same failure mode at federal scale. Hardcoded secrets, public repo, no pre-commit gate.
Every credential the @antv worm harvested started life as a hardcoded secret in someone's repo. The pipeline that puts it there is now outpacing the pipeline that finds it. (If this is you, we should talk about Pixee.)
• MiniPlasma (no new CVE; CVE-2020-17103 regression) — Microsoft Windows Cloud Filter Driver (cldflt.sys)
  Working PoC by Chaotic Eclipse (a.k.a. Nightmare-Eclipse) reuses Google Project Zero's 2020 code unchanged against fully patched Windows 11 Pro (May 2026 updates). Race condition with variable success rate. Part of an ongoing disclosure spree (BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma). ThreatLocker has detection guidance for the registry-key creation pattern. Researcher's GitHub
• CVE-2026-42945 — "Nginx Rift" — F5 NGINX — Heap Buffer Overflow (CVSS 9.2)
  16-year-old heap overflow in ngx_http_rewrite_module. DoS on default configurations and RCE on systems with ASLR disabled. VulnCheck identified ~5.7M internet-exposed NGINX instances, though only deployments with specific rewrite configurations are exploitable. In-the-wild exploitation began within days of patch.
• CVE-2026-20182 — Cisco Catalyst SD-WAN Controller — Authentication Bypass
  Exploited as a zero-day by "a highly sophisticated cyber threat actor" per Cisco. Patched this week.
• CVE-2026-42897 — Microsoft Exchange Server — Cross-Site Scripting (Critical)
  Active in-the-wild exploitation per Microsoft's own advisory.
• CVE-2026-31635 (DirtyDecrypt / DirtyCBC) — Linux Kernel rxgk Module — Local Privilege Escalation
  Public PoC enables root escalation on Fedora, Arch, and openSUSE Tumbleweed with CONFIG_RXGK enabled. Reported May 9 by V12 security team and Delphos Labs; patched April 25. Same class as Dirty Frag and Copy Fail.
• Claw Chain (CVE-2026-44112 / 44113 / 44115 / 44118) — OpenClaw AI Assistant — Sandbox Escape + Backdoor Delivery
  Cyera chained race conditions and exec-allowlist bugs into MCP loopback privilege escalation and a CVSS 9.6 arbitrary write outside sandbox. Over 60,000 publicly accessible OpenClaw instances identified. Patched April 23.
• Mini Shai-Hulud at @antv — npm — Third Variant in Four Weeks
  Aikido caught the worm hitting Alibaba's @antv namespace (450+ affected entries), echarts-for-react, and timeago.js. The variant now harvests stolen npm tokens, enumerates packages the operator can publish, and republishes them with a preinstall hook. Also writes to .vscode/tasks.json and .claude/settings.json. Saga continues from April's SAP campaign and last week's TanStack/SLSA bypass. OX Security separately tracked four leaked-source copycats shipped within 48 hours by threat actor deadcode09284814.
• Azure Backup for AKS Cluster-Takeover (no CVE issued) — Microsoft Azure — Privilege Escalation
  Justin O'Leary disclosed a flaw letting a "Backup Contributor" user gain cluster-admin without prior Kubernetes permissions. Microsoft rejected the report on April 13 and recommended against CVE assignment on May 4. Researcher observed new permission checks after disclosure indicating a silent patch.
• Pwn2Own Berlin 2026 — 47 Zero-Days, $1.298M Paid Out
  DEVCORE won Master of Pwn with 50.5 points and $505K total. Cheng-Da Tsai earned $200K for chaining three bugs into Microsoft Exchange RCE with SYSTEM. Vendors on a 90-day disclosure clock.
• Grafana Codebase Exfiltration — Stolen GitHub Token
  CoinbaseCartel (linked to ShinyHunters and Lapsus$ members) claimed the attack. Grafana refused the ransom and said no customer data was exposed.
• CFITSIO Weaponized Filenames — NASA HEASARC — Four Chained Offensive Primitives
  Doyensec's Adrian Denkiewicz demonstrates arbitrary file copy, SSRF, HTTP header injection, and local file exfil via root:// protocol chaining, with zero memory-corruption bugs. Advisory shared with NASA HEASARC team January 22, 2026. Reproducible Docker playground released.
• When filenames become attack surfaces: weaponizing NASA's CFITSIO Extended Filename Syntax (Doyensec)
  Why it's worth your time: Documented, useful filename features chain into RCE-equivalent primitives without a single memory bug. The reproducible Docker playground makes it easy to test against your own data-handling stacks. Pairs with Doyensec's earlier AI-fuzzing pipeline writeup.
• CrossMPI: a 66% image-only prompt injection attack on multimodal AI (CSO Online, reporting Xidian University research)
  Why it's worth your time: 66.36% attack success across MiniGPT4, BLIP-2, InstructBLIP, BLIVA, and Qwen2.5-VL using imperceptible image perturbations alone. SmoothVLM defense helps but doesn't eliminate. Gartner projects 80% enterprise multimodal AI adoption by 2030, which makes this the input-validation problem your team will inherit.
• Why the best security investment a board can make in 2026 isn't another tool (CSO Online — Jason Martin)
  Why it's worth your time: The argument that visibility, not detection or response, is the most valuable security capability today. Useful framing for the next board conversation about scanner sprawl and the 5.3-tools-per-team problem.
• The Invisible Burden: how AI is redefining developer productivity in 2026 (SD Times)
  Why it's worth your time: Survey of 700 engineering practitioners and managers across the US, UK, France, Germany, and India quantifies the review/debug/validation workload AI tools generate but traditional productivity metrics ignore. Counterweight to the "75% AI-generated" narrative from Cloud Next 2026.
• CI/CD was built for deterministic software — agents just broke the model (DevOps.com)
  Why it's worth your time: Names the foundational assumption every modern DevOps pipeline rests on (deterministic builds) and traces what breaks when agentic code generation removes it. Worth bringing to your next platform team conversation.
Previous AppSec Weekly editions: Apr 28-30 — Claude Code Wrote a SAP Worm, May 11-12 — SLSA Cleared the Malware.