
Microsoft Fixes Zero-Days in June Patch Tuesday Update

"been made public violating coordinated vulnerability best practices," Microsoft complained after a proof-of-concept for one flaw was published, underscoring a widening rift between a security researcher and Microsoft's response team.

Three zero-days patched in June 2026 Patch Tuesday

Microsoft issued fixes on Patch Tuesday in June 2026 for three zero-day vulnerabilities that, until patched, allowed attackers to escalate privileges or defeat disk encryption on affected Windows systems. The company addressed two local privilege-escalation flaws — GreenPlasma and MiniPlasma — and a separate backdoor-class bug called YellowKey that targets the Windows Recovery Environment (WinRE).

GreenPlasma and MiniPlasma: SYSTEM shells from local access

GreenPlasma (CVE-2026-45586) and MiniPlasma (CVE-2020-17103) were found in two distinct Windows components: the Collaborative Translation Framework (CTFMON) and the Cloud Files Mini Filter Driver. According to the published account, both permit a local attacker to obtain a shell with SYSTEM permissions even on fully patched Windows systems, turning a standard local compromise into full system control.

YellowKey: a WinRE backdoor that can defeat BitLocker

YellowKey (CVE-2026-45585) functions as a backdoor inside the Windows Recovery Environment, the set of tools Windows uses to repair boot-related issues. Because WinRE runs outside the normal OS environment, exploitation of YellowKey by an attacker with physical access to a device could be used to bypass BitLocker protection on unpatched Windows 11 and Windows Server 2022/2025 systems, the advisory says. Microsoft published mitigation measures specifically for YellowKey while rolling the patch into the June updates.

Nightmare Eclipse's public disclosures and the escalation of proof-of-concept releases

All three flaws were disclosed last month by a security researcher using the "Nightmare Eclipse" handle, reportedly in protest over how the Microsoft Security Response Center (MSRC) handles disclosures. The same researcher has released proof-of-concept exploits for other recent zero-days: BlueHammer (CVE-2026-33825) and RedSun (no identifier), two local privilege-escalation bugs now described as actively exploited; UnDefend, which can block Microsoft Defender definition updates when run by an attacker with standard user permissions; and, just this Tuesday, a Microsoft Defender zero-day named "RoguePlanet" that lets threat actors spawn command prompts with SYSTEM privileges.

Microsoft's posture: mitigation, patching, and a public dispute

Microsoft shared mitigations for YellowKey and pushed patches for all three vulnerabilities in its June 2026 Patch Tuesday release. The company also criticized the public release of a proof-of-concept, saying it had "been made public violating coordinated vulnerability best practices." Earlier, Microsoft had reacted to the series of zero-day disclosures with threats of legal action; after "massive blowback on social media," the company backtracked and said it would work with law enforcement when a security researcher "breaks the law and engages in malicious activity causing real harm to our customers."

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: Apply the June 2026 Patch Tuesday updates promptly and review the YellowKey mitigations Microsoft published. The combination of leaked proof-of-concepts — including exploits that affect Microsoft Defender and those that already appear in active exploitation — increases urgency for patch deployment and monitoring for post-exploit activity.
  • Affected enterprises and procurement leaders: Systems running Windows 11 and Windows Server 2022/2025 should be prioritized for the YellowKey fix because of the specific BitLocker bypass risk when attackers have physical access. Enterprises also need to account for local privilege-escalation risks from GreenPlasma and MiniPlasma on otherwise patched endpoints.
  • End users and the general public: Ensure devices are updated as part of routine maintenance. The advisory highlights that some attacks require physical access to bypass BitLocker via WinRE; physical security therefore remains a relevant control alongside software patching.

The technical record in this episode is clear: three serious vulnerabilities were patched, multiple proof-of-concept exploits have been released publicly, and Microsoft and the disclosing researcher are at odds over disclosure practices. With at least two of the leaked bugs now described as actively exploited and others affecting Defender and update mechanisms, the immediate test is operational: will rapid patching and the published mitigations blunt exploitation, or will public proof-of-concepts continue to fuel attacks before defenders can fully respond?

https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma-miniplasma-zero-days/