Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days
Microsoft patched three zero-day vulnerabilities on the June 2026 Patch Tuesday: GreenPlasma and MiniPlasma, two privilege-escalation flaws in the Collaborative Translation Framework and Cloud Files Mini Filter Driver that can yield a SYSTEM shell on patched Windows (CVE-2026-45586 and CVE-2020-17103); and YellowKey, a WinRE backdoor that can bypass BitLocker on unpatched Windows 11 and Windows Server 2022/2025 (CVE-2026-45585). The flaws were disclosed by Nightmare Eclipse in protest of how Microsoft handles vulnerability disclosures; Microsoft provided mitigations and noted PoC leaks, with related zero-days and other exploits continuing to emerge.

Microsoft Patch Tuesday Highlights: GreenPlasma, MiniPlasma, and YellowKey Zero-Days
Overview
In June 2026, Microsoft released patches for three zero-day vulnerabilities that could give attackers SYSTEM privileges on fully patched Windows systems, with a fourth flaw enabling access to BitLocker-protected drives. The discoveries and disclosure were tied to a security researcher using the Nightmare Eclipse handle, who raised concerns about how the Microsoft Security Response Center handles coordinated vulnerability disclosures. The trio of fixes—GreenPlasma, MiniPlasma, and YellowKey—spans local privilege escalation paths and a Windows Recovery Environment backdoor, underscoring the ongoing risk from zero-days even on updated systems.
The Privilege-Escalation Flaws: GreenPlasma and MiniPlasma
- What they are: Two local privilege escalation (LPE) vulnerabilities discovered in components used by Windows systems. They enable an attacker with local access to escalate privileges to SYSTEM on fully patched Windows installations.
- Affected components:
  - GreenPlasma: Found within the Collaborative Translation Framework (CTFMON).
  - MiniPlasma: Found within the Cloud Files Mini Filter Driver.
- CVEs: GreenPlasma is tracked as CVE-2026-45586 and MiniPlasma as CVE-2020-17103.
- Impact: Exploitation could yield a shell with SYSTEM-level permissions, bypassing standard user restrictions on patched machines.
- Disclosure and PoCs: The flaws were publicly disclosed alongside accompanying proof-of-concept demonstrations, contributing to rapid public awareness and subsequent remediation by Microsoft.
The BitLocker-Related Zero-Day: YellowKey
- What it is: A third zero-day vulnerability, YellowKey, that acts as a backdoor in the Windows Recovery Environment (WinRE).
- CVE: CVE-2026-45585.
- How it works: When attackers gain physical access to a target device, they can leverage YellowKey to bypass BitLocker on unpatched Windows 11 and Windows Server 2022/2025 systems.
- Severity and exposure: The vulnerability directly undermines drive-protection mechanisms, raising the risk of unauthorized access to data on protected drives once an attacker has physical access.
- Mitigation communications: Microsoft outlined defensive measures against potential in-the-wild exploitation of YellowKey, while noting concerns about the public release of the proof-of-concept in relation to coordinated vulnerability disclosure practices.
Patch Tuesday 2026: The Fixes
- Resolution timing: All three zero-days—GreenPlasma, MiniPlasma, and YellowKey—were addressed as part of Microsoft’s June 2026 Patch Tuesday updates.
- Scope: The June updates closed the immediate exploitation paths for the three zero-days, reducing the practical risk to fully patched Windows deployments.
- Broader context: The June cycle continued a pattern of frequent zero-day disclosures tied to independent researchers who publicize PoCs, sometimes triggering a public debate about disclosure processes and legal considerations.
Nightmare Eclipse: Ongoing Activity and PoCs
- Beyond the three June 2026 fixes, Nightmare Eclipse has continued to release exploit PoCs for other local privilege escalation flaws, including:
  - BlueHammer (CVE-2026-33825): An LPE flaw that is being actively explored and weaponized.
  - RedSun (no CVE identifier provided in the coverage): Another LPE flaw observed in attacker operations.
- Additional disclosures: The researcher also leaked UnDefend (a zero-day tool targeting Defender) and a Defender exploit named RoguePlanet capable of spawning SYSTEM-privileged command prompts.
- Observations: These disclosures illustrate a broader pattern where zero-days and PoCs surface on public channels, contributing to rapid patching but also elevating the danger window for unpatched systems or misconfigurations.
Microsoft’s Response and Public Commentary
- Initial stance: Microsoft publicly signaled willingness to pursue legal action in response to disclosure of these vulnerabilities, framing it as a risk to customer security.
- Follow-up: After substantial pushback on social media and among security communities, Microsoft indicated it would engage law enforcement when a researcher “breaks the law and engages in malicious activity causing real harm to our customers.”
- Practical takeaway: The situation underscores a tension between transparency in vulnerability disclosures and enterprise risk management, emphasizing the importance of timely patches and robust defensive testing.
Defensive Posture and Detection Considerations
- Detection gaps: Industry studies cited in related materials indicate a persistent gap between breaches and security alerts, with many breaches going undetected in complex environments.
- Breach testing and visibility: Whitepapers and breach-simulation work highlight the value of testing SIEM and EDR rules to ensure that detection capabilities keep pace with evolving techniques.
- Defensive read-across: The ongoing stream of zero-days, PoCs, and public disclosures suggests that organizations should maintain a disciplined vulnerability management process, ensure timely patching, and validate defenses across the endpoint, credential, and recovery environments.
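The three conditions this summary keeps returning to (patch level of the host, BitLocker protection state, and whether WinRE is enabled) can be inventoried from a single elevated PowerShell session. The script below is an added example written for this page; it is not Microsoft's mitigation guidance and it does not test for the flaws themselves. It assumes Windows 11 or Windows Server 2022/2025 with the BitLocker PowerShell module present, and the `$Since` cutoff is a constructed value chosen to sit just before the June 2026 Patch Tuesday.

```powershell
# Added example (not from the article): report the host facts a defender
# needs when triaging the June 2026 zero-days: OS build, hotfixes installed
# since a cutoff, BitLocker state per volume, and WinRE enablement.
# Assumptions: run elevated; BitLocker module available; $Since is a
# constructed cutoff, not a date taken from Microsoft.
param(
    [datetime]$Since = [datetime]'2026-06-01'
)

$report = [ordered]@{}

# 1. OS version and any hotfixes installed on or after the cutoff
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report['OSVersion'] = $os.Version
$report['LastBoot']  = $os.LastBootUpTime
$recent = Get-HotFix |
          Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
          Sort-Object InstalledOn -Descending
$report['HotfixesSinceCutoff'] = ($recent | ForEach-Object { $_.HotFixID }) -join ','

# 2. BitLocker protection state of every volume the module reports
$volumes = Get-BitLockerVolume
$report['BitLocker'] = ($volumes | ForEach-Object {
    '{0} {1} {2}%' -f $_.MountPoint, $_.ProtectionStatus, $_.EncryptionPercentage
}) -join '; '

# 3. WinRE enablement, parsed from reagentc output ("Windows RE status: Enabled")
$reagent = (reagentc /info 2>&1) | Out-String
$report['WinRE'] = if ($reagent -match 'Windows RE status:\s*(\w+)') { $Matches[1] } else { 'Unknown' }

# 4. A simple triage flag: protected data, recovery environment enabled,
#    and nothing installed since the cutoff is the combination to chase first.
$anyProtected = ($volumes | Where-Object { $_.ProtectionStatus -eq 'On' }).Count -gt 0
$report['NeedsAttention'] = $anyProtected -and
                            ($report['WinRE'] -eq 'Enabled') -and
                            (-not $recent)

[pscustomobject]$report | Format-List
```

Run it from an elevated prompt; `reagentc` and `Get-BitLockerVolume` both fail quietly for a standard user, which would show up as `WinRE = Unknown` and an empty BitLocker field rather than as an error. The `NeedsAttention` flag is deliberately coarse: it only says which hosts to check against Microsoft's June 2026 update list first, not whether a specific fix is present.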
Timeline at a Glance
- Prior disclosures: Nightmare Eclipse introduced a sequence of zero-day disclosures over several months, including PoCs for multiple LPE flaws and Defender-related exploits.
- June 2026 patch release: Microsoft released fixes for GreenPlasma, MiniPlasma, and YellowKey as part of the June Patch Tuesday cycle.
- Ongoing activity: Additional PoCs and exploit disclosures continued in the public space, reinforcing the need for continuous monitoring and rapid response capabilities.
Closing Notes
- The June 2026 updates demonstrate the persistent risk posed by zero-days and the importance of rapid patch deployment, even for fully updated Windows environments.
- The dynamic disclosure landscape, including the involvement of independent researchers and the responses of major software vendors, continues to shape how organizations prepare for and respond to emerging threats.
- As threat actors refine local privilege escalation techniques and WinRE-related bypasses, defenders are challenged to maintain robust detection, validation, and recovery capabilities that span endpoint, identity, and storage layers.