A security researcher with an apparent grudge against Microsoft has in recent days disclosed two more Windows zero-days and released a proof-of-concept exploit against a third vulnerability that Microsoft supposedly patched in 2020.
That makes six flaws researcher "Nightmare Eclipse" has disclosed over the past six weeks, some of which attackers are already actively exploiting, and one that the Cybersecurity and Infrastructure Security Agency (CISA) has included in its catalog of known exploited vulnerabilities (KEV).
Nightmare Eclipse disclosed the three new vulnerabilities in the days following Microsoft's May 2026 security update a week ago. The vulnerabilities are tracked as YellowKey, GreenPlasma, and MiniPlasma.
YellowKey, as researchers at LevelBlue described it, "can enable any attacker with physical access and a USB device to take down BitLocker's encryption and gain unfettered access to encrypted laptops in no time." All the attacker has to do is insert a weaponized USB into BitLocker encryption-enabled target machines and wait for or force a reboot into the Windows Recovery Environment (WinRE) and enter a specific key combination to trigger the exploit. An attacker needs no credentials, PIN, or TPM bypass to completely negate BitLocker encryption protection for physically accessible devices, according to LevelBlue.
GreenPlasma meanwhile is a vulnerability that affects Windows 10, Windows 11, and Windows Server. It exploits a Windows component for managing text input services to allow attackers to escalate privileges to SYSTEM on vulnerable devices, according to LevelBlue. However, Nightmare Eclipse's PoC stops short of the final SYSTEM stage for the moment at least, meaning an attacker would need to have an understanding of Windows internals to fully exploit it, the security vendor said. If successfully exploited, the vulnerability enables credential harvesting, lateral movement, persistence, and security bypass on fully patched Windows systems, according to LevelBlue.
"YellowKey requires physical access in order to be properly exploited. GreenPlasma is a Local Privilege Escalation; however, we often see these exploited in conjunction with a social engineering attack," says Karl Sigler, security research manager, SpiderLabs Threat Intelligence, at LevelBlue. "A typical scenario would be a threat actor convincing a target user to install Remote Monitoring and Management (RMM) software. They can then use this remote access to trigger the exploit and elevate their access from the generic user to SYSTEM," he says in comments to Dark Reading.
MiniPlasma, meanwhile, is an exploit for CVE-2020-17103, an elevation-of-privilege vulnerability in Windows Cloud Files Mini Filter Driver that researchers at Google's Project Zero reported to Microsoft back in 2020. Though Microsoft issued a patch for the flaw at the time, Google's original proof-of-concept exploit against the vulnerability still works without any changes. Nightmare Eclipse claims to have weaponized the PoC to develop an exploit for CVE-2020-17103, allowing attackers to gain complete control of a vulnerable system.
The other three flaws that Nightmare Eclipse released during the past six weeks are BlueHammer and RedSun, which essentially allow attackers to turn Microsoft Defender into an attack tool against users, as well as UnDefend, a vulnerability that let attackers slowly degrade Microsoft Defender's ability to detect and protect against new threats.
Microsoft has so far officially assigned a CVE and released a patch only for BlueHammer (CVE-2026-33825), which is in CISA's KEV. According to Nightmare Eclipse, Microsoft appears to have quietly addressed another of the disclosed vulnerabilities, RedSun, without any CVE or public advisory, despite signs suggesting exploit activity. The other vulnerabilities remain unpatched.
In response to a Dark Reading request on the latest disclosures from Nightmare Eclipse, a Microsoft spokeswoman said the company is aware of the "purported vulnerabilities and is actively investigating the validity and potential applicability of these claims across our platforms and services."
Microsoft is committed to investigating reported security issues and updating impacted products to protect customers as soon as possible, the company's statement read. "Importantly, we support coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public."
Nightmare Eclipse's disclosures reveal significant weaknesses — some of them unfixable — in components that are supposed to be the foundation of Windows security, says Christine Barry, senior chief cybersecurity storyteller at Barracuda. "Three exploits target privilege escalation, one disables Defender's ability to detect threats, another bypasses BitLocker drive encryption, and one exposes a vulnerability that was said to be patched in 2020 but remains exploitable on fully updated Windows 11 systems today," Barry says. When used together, these vulnerabilities present attackers with an operational attack chain. The exploits show that assumptions about Defender, BitLocker, and Microsoft security patches can all be challenged, she added.
"Microsoft is dealing with an uncontrollable disclosure model and an extortion actor that isn't making demands," Barry says. "Traditional coordinated vulnerability disclosure gives vendors a window to patch before exploits go public. Nightmare Eclipse has rejected that model entirely — timing releases immediately after Patch Tuesday to maximize the gap before the next patch cycle."
The exploitability of the disclosed vulnerabilities varies widely, says Kieran Human, lead cybersecurity engineer at ThreatLocker. "MiniPlasma is relatively easy to exploit and is probably the most immediately concerning," he says. Others are much more limited, he points out. YellowKey requires physical access, which reduces the risk outside of insider scenarios. GreenPlasma is incomplete in its current form, since the published proof-of-concept still triggers a consent prompt and would require additional development to be useful.
The biggest takeaway from Nightmare Eclipse's vulnerability disclosures is that organizations can't build security strategies around the assumption that patching alone will keep systems secure, Human says. Researchers will keep discovering new vulnerabilities and organizations will need to come to grips with that reality and respond accordingly. "That means implementing deny-by-default defenses such as allowlisting, application containment, and similar controls that block the execution of unrecognized code and restrict privileges," Human says. "In many cases, those controls can stop exploit execution entirely. In others, they help contain the impact and limit lateral movement. [Endpoint detection and response] should be viewed as a last line of defense for when preventative strategies have failed."
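One way to put Human's deny-by-default advice into practice on a Windows endpoint, as an added example that is not part of the article and not any vendor's own tooling: build an AppLocker executable allowlist from a clean reference build, stage it in audit mode, and review what would have been blocked before switching to enforcement. The cmdlets are the standard Windows AppLocker module commands; the directory list, the policy file path, and the assumption that the machine is a trustworthy reference build are this example's own.

```powershell
# Added example (not from the article): a deny-by-default executable allowlist
# with AppLocker, staged in AuditOnly mode before enforcement.
# Assumptions: run elevated on a clean reference build; paths are placeholders.

# 1. Inventory executables on the reference build. Get-AppLockerFileInformation
#    records publisher (signature) and hash details for each file it sees.
$refDirs = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$fileInfo = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Generate rules: publisher rules for signed files (they survive updates),
#    hash rules for unsigned binaries. -Optimize merges overlapping rules.
#    -Xml returns the policy as an XML string instead of a policy object.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -User Everyone -Optimize -Xml

# 3. Stage in AuditOnly so that would-be blocks are logged, not enforced.
$xml = $xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Policies\exe-allowlist-audit.xml'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# 4. Apply to the local machine. AppLocker evaluation depends on the
#    Application Identity service being running (assumed startable here).
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service -Name AppIDSvc

# 5. Review audit events in the AppLocker log: ID 8003 = would have been
#    blocked (AuditOnly), ID 8004 = blocked (Enabled). Every legitimate binary
#    that shows up here needs its own rule before EnforcementMode is set to
#    "Enabled"; everything else is exactly the unrecognized code the
#    allowlist is meant to stop.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message -First 20
```

The audit-first staging is the important design choice: an allowlist built from a single reference image will miss line-of-business tools, so enforcing immediately produces outages and pressure to loosen the policy. Running in AuditOnly for a cycle and feeding the 8003 events back into the rule set gets to a policy that can be enforced without exceptions.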
LevelBlue's Sigler perceives Microsoft's response so far as understandable given the circumstances. "They need to ensure a patch can be developed that won't interfere with existing software while also verifying it fully resolves the vulnerability," he says. "Sometimes, zero-days like this are simply the tip of the iceberg when you dig deeper. And releasing a partial patch looks worse than making sure you've minded all of the p's and q's."