On Tuesday, Microsoft patched two zero-day vulnerabilities that let attackers gain SYSTEM privileges on fully patched Windows systems, and a third one that grants access to BitLocker-protected drives.
All three security flaws were disclosed last month by a security researcher using the "Nightmare Eclipse" handle in protest over how the Microsoft Security Response Center (MSRC) handles the disclosure process.
Dubbed "GreenPlasma" and "MiniPlasma," the two privilege escalation vulnerabilities (tracked as CVE-2026-45586 and CVE-2020-17103) were found in the Collaborative Translation Framework (CTFMON) and the Cloud Files Mini Filter Driver, and they allow local attackers to obtain a shell with SYSTEM permissions on fully patched Windows systems.
The third zero-day patched yesterday is known as YellowKey (tracked as CVE-2026-45585) and acts as a backdoor in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows.
Attackers with physical access to the targeted devices can use a YellowKey exploit to bypass BitLocker protection on unpatched Windows 11 and Windows Server 2022/2025 systems.
Microsoft shared mitigation measures for YellowKey to defend against potential attacks that exploit it in the wild, while also complaining that the proof-of-concept had "been made public violating coordinated vulnerability best practices."
On Tuesday, Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey security vulnerabilities as part of its June 2026 Patch Tuesday updates.
Over the past several months, Nightmare Eclipse has released proof-of-concept exploits for BlueHammer (CVE-2026-33825) and RedSun (no identifier), two local privilege escalation (LPE) zero-days that are now actively exploited in attacks. The researcher also leaked UnDefend, a zero-day that attackers with standard user permissions can exploit to block Microsoft Defender definition updates.
More recently, within hours of Microsoft releasing this month's security patches, Nightmare Eclipse disclosed yet another Defender zero-day exploit named "RoguePlanet" that lets threat actors spawn command prompts with SYSTEM privileges.
Microsoft initially reacted to these zero-day leaks with threats of legal action, but backtracked following massive blowback on social media and said that it would work with law enforcement when a security researcher "breaks the law and engages in malicious activity causing real harm to our customers."