CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 20, 2026

Windows Zero-Day Barrage Continues After Patch Tuesday

Dark Reading Archived May 20, 2026 ✓ Full text saved

YellowKey, GreenPlasma, and MiniPlasma add to the growing list of vulnerabilities a security researcher disclosed over the past six weeks.

Full text archived locally
✦ AI Summary · Claude Sonnet


    CYBERATTACKS & DATA BREACHES CYBER RISK THREAT INTELLIGENCE VULNERABILITIES & THREATS NEWS Windows Zero-Day Barrage Continues After Patch Tuesday YellowKey, GreenPlasma, and MiniPlasma add to the growing list of vulnerabilities a security researcher disclosed over the past six weeks. Jai Vijayan,Contributing Writer May 19, 2026 6 Min Read SOURCE: JLSTOCK VIA SHUTTERSTOCK A security researcher with an apparent grudge against Microsoft has in recent days disclosed two more Windows zero-days and released a proof-of-concept exploit against a third vulnerability that Microsoft supposedly patched in 2020. That makes six flaws researcher "Nightmare Eclipse" has disclosed over the past six weeks, some of which attackers are already actively exploiting, and one that the Cybersecurity and Infrastructure Security Agency (CISA) has included in its catalog of known exploited vulnerabilities (KEV). Six Vulnerabilities in Six Weeks Nightmare Eclipse disclosed the three new vulnerabilities in the days following Microsoft's May 2026 security update a week ago. The vulnerabilities are tracked as YellowKey, GreenPlasma, and MiniPlasma. YellowKey, as researchers at LevelBlue described it, "can enable any attacker with physical access and a USB device to take down BitLocker's encryption and gain unfettered access to encrypted laptops in no time." All the attacker has to do is insert a weaponized USB into BitLocker encryption-enabled target machines and wait for or force a reboot into the Windows Recovery Environment (WinRE) and enter a specific key combination to trigger the exploit. An attacker needs no credentials, PIN, or TPM bypass to completely negate BitLocker encryption protection for physically accessible devices, according to LevelBlue. Related:Fuel Tank Breaches Expand Scope of Iran's Cyber Offensive GreenPlasma meanwhile is a vulnerability that affects Windows 10, Windows 11, and Windows Server. It exploits a Windows component for managing text input services to allow attackers to escalate privileges to SYSTEM on vulnerable devices, according to LevelBlue. However, Nightmare Eclipse's PoC stops short of the final SYSTEM stage for the moment at least, meaning an attacker would need to have an understanding of Windows internals to fully exploit it, the security vendor said. If successfully exploited, the vulnerability enables credential harvesting, lateral movement, persistence, and security bypass on fully patched Windows systems, according to LevelBlue. "YellowKey requires physical access in order to be properly exploited. GreenPlasma is a Local Privilege Escalation, however, we often see these exploited in conjunction with a social engineering attack," says Karl Sigler, security research manager, SpiderLabs Threat Intelligence, at LevelBlue. "A typical scenario would be a threat actor convincing a target user to install Remote Monitoring and Management (RMM) software. They can then use this remote access to trigger the exploit and elevate their access from the generic user to SYSTEM," he says in comments to Dark Reading. Related:Congress Puts Heat on Instructure After Canvas Outage Unpatched Flaw From Six Years Ago? MiniPlasma, meanwhile, is an exploit for CVE-2020-17103, an elevation-of-privilege vulnerability in Windows Cloud Files Mini Filter Driver that researchers at Google's Project Zero reported to Microsoft back in 2020. Though Microsoft issued a patch for the flaw at the time, Google's original proof-of-concept exploit against the vulnerability still works without any changes. Nightmare Eclipse claims to have weaponized the PoC to develop an exploit for CVE-2020-17103, allowing attackers to gain complete control of a vulnerable system. The other three flaws that Nightmare Eclipse released during the past six weeks are BlueHammer and RedSun, which essentially allow attackers to turn Microsoft Defender into an attack tool against users, as well as UnDefend, a vulnerability that let attackers slowly degrade Microsoft Defender's ability to detect and protect against new threats. Microsoft has so far officially assigned a CVE and released a patch only for BlueHammer (CVE-2026-33825), which is in CISA's KEV. According to Nightmare Eclipse, Microsoft appears to have quietly addressed another of the disclosed vulnerabilities, RedSun, without any CVE or public advisory, despite signs suggesting exploit activity. The other vulnerabilities remain unpatched, Related:Cyber Pioneers Ponder Past as Prologue In response to a Dark Reading request on the latest disclosures from Nightmare Eclipse, a Microsoft spokeswoman said the company is aware of the "purported vulnerabilities and is actively investigating the validity and potential applicability of these claims across our platforms and services." Microsoft is committed to investigating reported security issues and updating impacted products to protect customers as soon as possible, the company's statement read. "Importantly, we support coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public."  Nightmare Eclipse's disclosures reveal significant weaknesses — some of them unfixable — in components that are supposed to be the foundation of Windows security, says Christine Barry, senior chief cybersecurity storyteller at Barracuda. "Three exploits target privilege escalation, one disables Defender's ability to detect threats, another bypasses BitLocker drive encryption, and one exposes a vulnerability that was said to be patched in 2020 but remains exploitable on fully updated Windows 11 systems today," Barry says. When used together, these vulnerabilities present attackers with an operational attack chain. The exploits show that assumptions about Defender, Bitlocker, and Microsoft security patches can all be challenged, she added. Microsoft's Disclosure Model Raises the Stakes "Microsoft is dealing with an uncontrollable disclosure model and an extortion actor that isn't making demands," Barry says. "Traditional coordinated vulnerability disclosure gives vendors a window to patch before exploits go public. Nightmare Eclipse has rejected that model entirely — timing releases immediately after Patch Tuesday to maximize the gap before the next patch cycle." The exploitability of the disclosed vulnerabilities varies widely, says Kieran Human, lead cybersecurity engineer at ThreatLocker. "MiniPlasma is relatively easy to exploit and is probably the most immediately concerning," he says. Others are much more limited, he points out. YellowKey requires physical access, which reduces the risk outside of insider scenarios. GreenPlasma is incomplete in its current form, since the published proof-of-concept still triggers a consent prompt and would require additional development to be useful. The biggest takeaway from Nightmare Eclipse's vulnerability disclosures is that organizations can't build security strategies around the assumption that patching alone will keep systems secure, Human says. Researchers will keep discovering new vulnerabilities and organizations will need to come to grips with that reality and respond accordingly. "That means implementing deny-by-default defenses such as allowlisting, application containment, and similar controls that block the execution of unrecognized code and restrict privileges," Human says. "In many cases, those controls can stop exploit execution entirely. In others, they help contain the impact and limit lateral movement. [Endpoint detection and response] should be viewed as a last line of defense for when preventative strategies have failed." LevelBlue's Siegler perceives Microsoft's response so far as understandable given the circumstances. "They need to ensure a patch can be developed that won't interfere with existing software while also verifying it fully resolves the vulnerability," he says. "Sometimes, zero-days like this are simply the tip of the iceberg when you dig deeper. And releasing a partial patch looks worse than making sure you've minded all of the p's and q's." About the Author Jai Vijayan Contributing Writer Jai Vijayan is a veteran technology journalist with more than 25 years of experience covering cybersecurity.  His reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.  Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders. Jai previously served as Senior Editor at Computerworld where he covered information security and data privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Mointor Passcode, The Economic Times and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in Statistics. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management Access More Research Webinars AI-Powered Cybersecurity for Resource-Constrained Organizations AI-Powered Credential Security: Intelligence Without Exposure How Security Teams should apply Threat Intelligence into their Defenses Your Guide to Securing AI Adoption in Your Organization What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Critical Fortinet Flaws Under Active Attack by Jai Vijayan, Contributing Writer DEC 17, 2025 CYBERATTACKS & DATA BREACHES CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks by Rob Wright DEC 04, 2025 CYBERATTACKS & DATA BREACHES F5 BIG-IP Environment Breached by Nation-State Actor by Alexander Culafi OCT 15, 2025 CYBERATTACKS & DATA BREACHES Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business by Robert Lemos, Contributing Writer OCT 03, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE LOADING... RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars AI-Powered Cybersecurity for Resource-Constrained Organizations THURS, JUNE 18, 2026, AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST How Security Teams should apply Threat Intelligence into their Defenses THURS, JUNE 11, 2026 AT 1PM EST Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? WED, JUNE 3, 2026 AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    May 20, 2026
    Archived
    May 20, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗