On Tuesday, Microsoft patched two zero-day vulnerabilities that let attackers gain SYSTEM privileges on fully patched Windows systems, and a third one that grants access to BitLocker-protected drives.
All three security flaws were disclosed last month by a security researcher using the “Nightmare Eclipse” handle in protest over how the Microsoft Security Response Center (MSRC) handles the disclosure process.
Dubbed “GreenPlasma” and “MiniPlasma,” the two privilege escalation vulnerabilities (tracked as CVE-2026-45586 and CVE-2020-17103) were found in the Collaborative Translation Framework (CTFMON) and the Cloud Files Mini Filter Driver, and they allow local attackers to obtain a shell with SYSTEM permissions on fully patched Windows systems.
The third zero-day patched yesterday is known as YellowKey (tracked as CVE-2026-45585) and acts as a backdoor in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows.
Attackers with physical access to the targeted devices can use a YellowKey exploit to bypass BitLocker protection on unpatched Windows 11 and Windows Server 2022/2025 systems.
Microsoft shared mitigation measures for YellowKey to defend against potential attacks that exploit it in the wild, while also complaining that the proof-of-concept had “been made public violating coordinated vulnerability best practices.”
On Tuesday, Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey security vulnerabilities as part of its June 2026 Patch Tuesday updates.
Over the past several months, Nightmare Eclipse has also released proof-of-concept exploits for BlueHammer (CVE-2026-33825) and RedSun (no identifier), two local privilege escalation (LPE) zero-days which are now actively exploited in attacks.
More recently, the researcher also leaked UnDefend, another zero-day that attackers with standard user permissions can exploit to block Microsoft Defender definition updates, and this Tuesday, a Microsoft Defender zero-day exploit named “RoguePlanet” that lets threat actors spawn command prompts with SYSTEM privileges.
Microsoft initially reacted to these zero-day leaks with threats of legal action, but backtracked following massive blowback on social media and said that it would work with law enforcement when security researchers “breaks the law and engages in malicious activity causing real harm to our customers.”
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
