Windows Zero-Day Barrage Continues After Patch Tuesday
Dark ReadingArchived May 20, 2026✓ Full text saved
YellowKey, GreenPlasma, and MiniPlasma add to the growing list of vulnerabilities a security researcher disclosed over the past six weeks.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBERATTACKS & DATA BREACHES
CYBER RISK
THREAT INTELLIGENCE
VULNERABILITIES & THREATS
NEWS
Windows Zero-Day Barrage Continues After Patch Tuesday
YellowKey, GreenPlasma, and MiniPlasma add to the growing list of vulnerabilities a security researcher disclosed over the past six weeks.
Jai Vijayan,Contributing Writer
May 19, 2026
6 Min Read
SOURCE: JLSTOCK VIA SHUTTERSTOCK
A security researcher with an apparent grudge against Microsoft has in recent days disclosed two more Windows zero-days and released a proof-of-concept exploit against a third vulnerability that Microsoft supposedly patched in 2020.
That makes six flaws researcher "Nightmare Eclipse" has disclosed over the past six weeks, some of which attackers are already actively exploiting, and one that the Cybersecurity and Infrastructure Security Agency (CISA) has included in its catalog of known exploited vulnerabilities (KEV).
Six Vulnerabilities in Six Weeks
Nightmare Eclipse disclosed the three new vulnerabilities in the days following Microsoft's May 2026 security update a week ago. The vulnerabilities are tracked as YellowKey, GreenPlasma, and MiniPlasma.
YellowKey, as researchers at LevelBlue described it, "can enable any attacker with physical access and a USB device to take down BitLocker's encryption and gain unfettered access to encrypted laptops in no time." All the attacker has to do is insert a weaponized USB into BitLocker encryption-enabled target machines and wait for or force a reboot into the Windows Recovery Environment (WinRE) and enter a specific key combination to trigger the exploit. An attacker needs no credentials, PIN, or TPM bypass to completely negate BitLocker encryption protection for physically accessible devices, according to LevelBlue.
Related:Fuel Tank Breaches Expand Scope of Iran's Cyber Offensive
GreenPlasma meanwhile is a vulnerability that affects Windows 10, Windows 11, and Windows Server. It exploits a Windows component for managing text input services to allow attackers to escalate privileges to SYSTEM on vulnerable devices, according to LevelBlue. However, Nightmare Eclipse's PoC stops short of the final SYSTEM stage for the moment at least, meaning an attacker would need to have an understanding of Windows internals to fully exploit it, the security vendor said. If successfully exploited, the vulnerability enables credential harvesting, lateral movement, persistence, and security bypass on fully patched Windows systems, according to LevelBlue.
"YellowKey requires physical access in order to be properly exploited. GreenPlasma is a Local Privilege Escalation, however, we often see these exploited in conjunction with a social engineering attack," says Karl Sigler, security research manager, SpiderLabs Threat Intelligence, at LevelBlue. "A typical scenario would be a threat actor convincing a target user to install Remote Monitoring and Management (RMM) software. They can then use this remote access to trigger the exploit and elevate their access from the generic user to SYSTEM," he says in comments to Dark Reading.
Related:Congress Puts Heat on Instructure After Canvas Outage
Unpatched Flaw From Six Years Ago?
MiniPlasma, meanwhile, is an exploit for CVE-2020-17103, an elevation-of-privilege vulnerability in Windows Cloud Files Mini Filter Driver that researchers at Google's Project Zero reported to Microsoft back in 2020. Though Microsoft issued a patch for the flaw at the time, Google's original proof-of-concept exploit against the vulnerability still works without any changes. Nightmare Eclipse claims to have weaponized the PoC to develop an exploit for CVE-2020-17103, allowing attackers to gain complete control of a vulnerable system.
The other three flaws that Nightmare Eclipse released during the past six weeks are BlueHammer and RedSun, which essentially allow attackers to turn Microsoft Defender into an attack tool against users, as well as UnDefend, a vulnerability that let attackers slowly degrade Microsoft Defender's ability to detect and protect against new threats.
Microsoft has so far officially assigned a CVE and released a patch only for BlueHammer (CVE-2026-33825), which is in CISA's KEV. According to Nightmare Eclipse, Microsoft appears to have quietly addressed another of the disclosed vulnerabilities, RedSun, without any CVE or public advisory, despite signs suggesting exploit activity. The other vulnerabilities remain unpatched,
Related:Cyber Pioneers Ponder Past as Prologue
In response to a Dark Reading request on the latest disclosures from Nightmare Eclipse, a Microsoft spokeswoman said the company is aware of the "purported vulnerabilities and is actively investigating the validity and potential applicability of these claims across our platforms and services."
Microsoft is committed to investigating reported security issues and updating impacted products to protect customers as soon as possible, the company's statement read. "Importantly, we support coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public."
Nightmare Eclipse's disclosures reveal significant weaknesses — some of them unfixable — in components that are supposed to be the foundation of Windows security, says Christine Barry, senior chief cybersecurity storyteller at Barracuda. "Three exploits target privilege escalation, one disables Defender's ability to detect threats, another bypasses BitLocker drive encryption, and one exposes a vulnerability that was said to be patched in 2020 but remains exploitable on fully updated Windows 11 systems today," Barry says. When used together, these vulnerabilities present attackers with an operational attack chain. The exploits show that assumptions about Defender, Bitlocker, and Microsoft security patches can all be challenged, she added.
Microsoft's Disclosure Model Raises the Stakes
"Microsoft is dealing with an uncontrollable disclosure model and an extortion actor that isn't making demands," Barry says. "Traditional coordinated vulnerability disclosure gives vendors a window to patch before exploits go public. Nightmare Eclipse has rejected that model entirely — timing releases immediately after Patch Tuesday to maximize the gap before the next patch cycle."
The exploitability of the disclosed vulnerabilities varies widely, says Kieran Human, lead cybersecurity engineer at ThreatLocker. "MiniPlasma is relatively easy to exploit and is probably the most immediately concerning," he says. Others are much more limited, he points out. YellowKey requires physical access, which reduces the risk outside of insider scenarios. GreenPlasma is incomplete in its current form, since the published proof-of-concept still triggers a consent prompt and would require additional development to be useful.
The biggest takeaway from Nightmare Eclipse's vulnerability disclosures is that organizations can't build security strategies around the assumption that patching alone will keep systems secure, Human says. Researchers will keep discovering new vulnerabilities and organizations will need to come to grips with that reality and respond accordingly. "That means implementing deny-by-default defenses such as allowlisting, application containment, and similar controls that block the execution of unrecognized code and restrict privileges," Human says. "In many cases, those controls can stop exploit execution entirely. In others, they help contain the impact and limit lateral movement. [Endpoint detection and response] should be viewed as a last line of defense for when preventative strategies have failed."
LevelBlue's Siegler perceives Microsoft's response so far as understandable given the circumstances. "They need to ensure a patch can be developed that won't interfere with existing software while also verifying it fully resolves the vulnerability," he says. "Sometimes, zero-days like this are simply the tip of the iceberg when you dig deeper. And releasing a partial patch looks worse than making sure you've minded all of the p's and q's."
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a veteran technology journalist with more than 25 years of experience covering cybersecurity. His reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders. Jai previously served as Senior Editor at Computerworld where he covered information security and data privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Mointor Passcode, The Economic Times and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in Statistics.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management
Access More Research
Webinars
AI-Powered Cybersecurity for Resource-Constrained Organizations
AI-Powered Credential Security: Intelligence Without Exposure
How Security Teams should apply Threat Intelligence into their Defenses
Your Guide to Securing AI Adoption in Your Organization
What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?
More Webinars
You May Also Like
CYBERATTACKS & DATA BREACHES
Critical Fortinet Flaws Under Active Attack
by Jai Vijayan, Contributing Writer
DEC 17, 2025
CYBERATTACKS & DATA BREACHES
CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks
by Rob Wright
DEC 04, 2025
CYBERATTACKS & DATA BREACHES
F5 BIG-IP Environment Breached by Nation-State Actor
by Alexander Culafi
OCT 15, 2025
CYBERATTACKS & DATA BREACHES
Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business
by Robert Lemos, Contributing Writer
OCT 03, 2025
Editor's Choice
THREAT INTELLIGENCE
From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber
byDark Reading Editorial Team
MAY 6, 2026
31 MIN READ
CYBER RISK
Physical Cargo Theft Gets a Boost From Cybercriminals
byRobert Lemos
MAY 4, 2026
5 MIN READ
CYBER RISK
NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
byDark Reading Editorial Team
APR 28, 2026
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
LOADING...
RSAC 2026: key news & insights
At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more
Get Your Recap
Webinars
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
How Security Teams should apply Threat Intelligence into their Defenses
THURS, JUNE 11, 2026 AT 1PM EST
Your Guide to Securing AI Adoption in Your Organization
TUES, JUNE 9, 2026 AT 1PM EST
What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?
WED, JUNE 3, 2026 AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS