Microsoft Fixes Critical Zero-Days Allowing SYSTEM Privileges and BitLocker Bypass

Microsoft recently patched three zero-day vulnerabilities, GreenPlasma, MiniPlasma, and YellowKey, that could allow attackers to gain SYSTEM privileges or bypass BitLocker protection on Windows systems. These flaws were disclosed by the researcher "Nightmare Eclipse," who criticized Microsoft's vulnerability disclosure process. Security teams are advised to apply the latest patches immediately and review their defenses against potential exploitation of these vulnerabilities.

Summary

In a recent security update, Microsoft addressed three critical zero-day vulnerabilities that had been publicly disclosed by a security researcher known as Nightmare Eclipse. These vulnerabilities, GreenPlasma (CVE-2026-45586), MiniPlasma (CVE-2020-17103), and YellowKey (CVE-2026-45585), could allow attackers to escalate privileges or bypass BitLocker encryption on Windows systems. The disclosure came amid ongoing tensions between Microsoft and the researcher over vulnerability handling practices, highlighting the importance of timely patching and robust security measures.

What Happened

Microsoft's June 2026 Patch Tuesday included fixes for three zero-day vulnerabilities that had been publicly disclosed by a security researcher using the handle "Nightmare Eclipse." These vulnerabilities were GreenPlasma, MiniPlasma, and YellowKey. The first two allow local attackers to gain SYSTEM privileges on fully patched Windows systems through flaws in the Collaborative Translation Framework (CTFMON) and the Cloud Files Mini Filter Driver. The third vulnerability, YellowKey, acts as a backdoor in the Windows Recovery Environment (WinRE), enabling attackers with physical access to bypass BitLocker protection on unpatched Windows 11 and Server 2022/2025 systems.

Technical Details

The GreenPlasma and MiniPlasma vulnerabilities were identified in components that handle system-level operations. Specifically, GreenPlasma affects the Collaborative Translation Framework (CTFMON), while MiniPlasma targets the Cloud Files Mini Filter Driver. Both flaws allow local attackers to execute code with SYSTEM privileges on affected systems. YellowKey, on the other hand, provides a method for bypassing BitLocker encryption by exploiting the Windows Recovery Environment (WinRE). This vulnerability is particularly concerning because it can be exploited by anyone with physical access to the device.

Exploitation Status

All three vulnerabilities, GreenPlasma, MiniPlasma, and YellowKey, are now addressed by Microsoft's latest security updates. Because the zero-days were publicly disclosed before the fixes shipped, the window for exploitation in the wild was open before patches became available. Nightmare Eclipse's actions have underscored the importance of coordinated vulnerability disclosure practices to prevent malicious actors from exploiting such flaws before patches are available.

Defender Guidance

Defenders should prioritize applying the latest Windows updates to mitigate the risks associated with GreenPlasma, MiniPlasma, and YellowKey vulnerabilities. Additionally, organizations should review their physical security measures to protect against potential exploitation of the YellowKey vulnerability. Implementing multi-factor authentication and monitoring for unusual system behavior can further enhance defenses against privilege escalation attacks.
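The following PowerShell script is an added example for defenders and is not part of the original article or of any Microsoft tooling. It turns the guidance above into a host check: it confirms whether the required cumulative update is installed, reports the BitLocker protection state and key protector types on the OS volume (relevant to YellowKey, which targets WinRE on BitLocker-protected machines), reads the WinRE status, and confirms the affected components are present. The KB identifier is a placeholder, since the article does not list it; substitute the June 2026 cumulative update KB for your Windows build from the MSRC advisories linked in the Sources. The driver name cldflt is the Cloud Files Mini Filter Driver's filter name; ctfmon.exe is the CTF loader process.

```powershell
# Added example (not from the article): defender-side patch and exposure check for
# GreenPlasma, MiniPlasma and YellowKey. Run from an elevated PowerShell session.

# PLACEHOLDER: replace with the June 2026 cumulative update KB for this OS build.
$RequiredKBs = @('KB0000000')

# 1. Patch state: the fixes for all three CVEs ship in the cumulative update.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    if ($installed -contains $kb) { "[OK]   $kb is installed" }
    else                          { "[WARN] $kb is missing - host remains exposed" }
}

# 2. BitLocker state on the OS volume. YellowKey bypasses BitLocker via WinRE on
#    unpatched hosts, so an unpatched, BitLocker-protected machine is the exposure to track.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
"BitLocker on $($os.MountPoint): $($os.ProtectionStatus); key protectors: $protectors"

# 3. WinRE state: reagentc reports whether the recovery environment is enabled and
#    where its image lives, which tells you whether the YellowKey surface is present.
$winre = reagentc /info 2>&1
$winre | Where-Object { $_ -match 'Windows RE status|Windows RE location' }

# 4. Affected components for the two local privilege-escalation bugs:
#    the Cloud Files mini filter (cldflt) and the CTF loader process (ctfmon).
"Cloud Files mini filter loaded: " + [bool](fltmc filters | Select-String -Pattern 'cldflt' -Quiet)
Get-Process -Name ctfmon -ErrorAction SilentlyContinue |
    Select-Object Name, Id, SessionId
```

Feed the output into whatever asset inventory you use: hosts reporting a missing KB together with BitLocker enabled and WinRE present are the ones to patch first, since they combine the physical-access bypass surface with the local privilege-escalation surface. The script only reads state; it changes nothing on the host.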

What Remains Unclear

While Microsoft has provided patches for these vulnerabilities, it remains unclear how widely they have been exploited in the wild prior to their disclosure. Additionally, the full extent of Nightmare Eclipse's disclosures and any potential future leaks are uncertain, posing ongoing risks for organizations relying on timely vulnerability information from official channels.

Sources

  1. https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma-miniplasma-zero-days/
  2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45586
  3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17103
  4. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -