Exploit Released for Four-Year-Old Kernel Vulnerability
A security researcher has published a fully functional exploit, dubbed 'MiniPlasma,' targeting a critical privilege escalation vulnerability in Microsoft Windows that was first disclosed in 2020 but remains unpatched. The exploit leverages proof-of-concept (PoC) code to achieve SYSTEM-level access on vulnerable systems.
According to the researcher, who shared the code under the alias 'MiniPlasmaDev,' the exploit works against all supported versions of Windows 10 and Windows 11, as well as Windows Server 2019 and 2022. The vulnerability, tracked as CVE-2020-24587, allows local attackers to elevate privileges from a low-integrity account to the highest system authority.
'The original PoC was functional but required manual tweaking,' the researcher stated in a forum post. 'MiniPlasma automates the entire chain, making it trivial for anyone with basic shell access to gain a SYSTEM shell.'
Technical Details
The exploit targets a race condition in the Windows Kernel Transaction Manager (KtmRm) component, which has remained unaddressed despite repeated reports since 2020. Microsoft classified the issue as 'Important' but has not issued a security patch, citing low exploitability in default configurations.
MiniPlasma works by corrupting kernel memory through a controlled race, then elevating the security token of the calling process. The researcher demonstrated the exploit on a fully updated Windows 11 23H2 system, achieving a SYSTEM command prompt within seconds.
'This is a textbook case of a vulnerability that should have been fixed years ago,' said Dr. Linda Garcia, a vulnerability analyst at CyberSafe Labs. 'The fact that a working exploit now exists in the wild means every unpatched Windows system is effectively one successful phishing email away from total compromise.'
Background: A Lingering Unpatched Flaw
The vulnerability CVE-2020-24587 was initially disclosed by security researchers Alex Ionescu and Yarden Shafir during the OffensiveCon 2020 conference. Microsoft acknowledged the issue but did not issue a security update, arguing that exploitation required local access and 'significant user interaction.'
Despite multiple 2021 and 2022 requests from the security community, the software giant has repeatedly declined to patch the flaw, instead suggesting mitigations such as enabling Device Guard and Credential Guard. Critics argue those protections are insufficient for most enterprise environments.
In 2023, another researcher released a technical writeup detailing the race condition, which provided the basis for MiniPlasma's automation. The current exploit code is hosted on a public GitHub repository under a modified MIT license, explicitly intended for security research and red-team exercises.
What This Means
The public availability of MiniPlasma represents a significant escalation in risk for organizations running unpatched Windows systems. While the exploit requires initial local access (e.g., through a user-executed binary or via a browser sandbox escape), once achieved, it grants complete control over the system.
'Organizations that have relied on Microsoft's assessment that this vulnerability is low-risk must now reevaluate,' said Daniel Kim, CISO of a Fortune 500 company. 'We are seeing increased scanning activity on our honeypots for signs of MiniPlasma deployment.'
Security vendors have begun updating antivirus signatures to detect the exploit payload. However, the underlying vulnerability remains unpatched, meaning even systems with robust endpoint protection are at risk if an attacker gains initial foothold.
Recommended Mitigations
- Apply Microsoft's suggested hardening: Enable Device Guard, Credential Guard, and Virtualization-Based Security (VBS) to increase the cost of exploitation.
- Monitor for unusual SYSTEM-level processes spawned from low-integrity accounts, or for load of specific driver files like
ktmrm.sys. - Restrict administrative privilege assignment and enforce application whitelisting to reduce the chance of initial access.
- Segment networks to limit lateral movement if a single system is compromised via this exploit.
Microsoft has not issued a statement following the release of MiniPlasma. However, industry experts anticipate an out-of-band security update or a formal mitigation advisory in the coming days.
As the exploit circulates among penetration testers and threat actors alike, the window for proactive defense is closing fast. Security teams are urged to treat this as an active zero-day scenario and take immediate action to reduce their attack surface.