Security News

Cybersecurity news aggregator

CRITICAL Attacks Dark Reading

Windows Zero-Day Barrage Continues After Patch Tuesday

A researcher has disclosed three new Windows zero-days, including YellowKey, which allows an attacker with physical access and a weaponized USB device to bypass BitLocker encryption by triggering a reboot into WinRE, and GreenPlasma, a local privilege escalation flaw affecting Windows 10, Windows 11, and Windows Server. According to NVD data, CVE-2020-17103 (CVSS 7.0) affects multiple Windows 10 versions up to 20H2, and CVE-2026-33825 (CVSS 7.8) affects Microsoft Defender Antimalware Platform versions prior to 4.18.26030.3011, which is the fixed version.

Windows Zero-Day Barrage Continues After Patch Tuesday

YellowKey, GreenPlasma, and MiniPlasma add to the growing list of vulnerabilities a security researcher disclosed over the past six weeks.

Jai Vijayan, Contributing Writer
May 19, 2026

A security researcher with an apparent grudge against Microsoft has in recent days disclosed two more Windows zero-days and released a proof-of-concept exploit against a third vulnerability that Microsoft supposedly patched in 2020. That makes six flaws researcher "Nightmare Eclipse" has disclosed over the past six weeks, some of which attackers are already actively exploiting, and one that the Cybersecurity and Infrastructure Security Agency (CISA) has included in its catalog of known exploited vulnerabilities (KEV).

Six Vulnerabilities in Six Weeks

Nightmare Eclipse disclosed the three new vulnerabilities in the days following Microsoft's May 2026 security update a week ago. The vulnerabilities are tracked as YellowKey, GreenPlasma, and MiniPlasma. YellowKey, as researchers at LevelBlue described it, "can enable any attacker with physical access and a USB device to take down BitLocker's encryption and gain unfettered access to encrypted laptops in no time." All the attacker has to do is insert a weaponized USB device into a BitLocker-enabled target machine, wait for or force a reboot into the Windows Recovery Environment (WinRE), and enter a specific key combination to trigger the exploit. An attacker needs no credentials, PIN, or TPM bypass to completely negate BitLocker encryption protection for physically accessible devices, according to LevelBlue.
GreenPlasma, meanwhile, is a vulnerability that affects Windows 10, Windows 11, and Windows Server. It exploits a Windows component for managing text input services to allow attackers to escalate privileges to SYSTEM on vulnerable devices, according to LevelBlue. However, Nightmare Eclipse's PoC stops short of the final SYSTEM stage, for the moment at least, meaning an attacker would need an understanding of Windows internals to fully exploit it, the security vendor said. If successfully exploited, the vulnerability enables credential harvesting, lateral movement, persistence, and security bypass on fully patched Windows systems, according to LevelBlue.

"YellowKey requires physical access in order to be properly exploited. GreenPlasma is a Local Privilege Escalation; however, we often see these exploited in conjunction with a social engineering attack," says Karl Sigler, security research manager, SpiderLabs Threat Intelligence, at LevelBlue. "A typical scenario would be a threat actor convincing a target user to install Remote Monitoring and Management (RMM) software. They can then use this remote access to trigger the exploit and elevate their access from the generic user to SYSTEM," he says in comments to Dark Reading.

Unpatched Flaw From Six Years Ago?

MiniPlasma, meanwhile, is an exploit for CVE-2020-17103, an elevation-of-privilege vulnerability in the Windows Cloud Files Mini Filter Driver that researchers at Google's Project Zero reported to Microsoft back in 2020. Though Microsoft issued a patch for the flaw at the time, Google's original proof-of-concept exploit against the vulnerability still works without any changes. Nightmare Eclipse claims to have weaponized the PoC to develop an exploit for CVE-2020-17103, allowing attackers to gain complete control of a vulnerable system.
The other three flaws that Nightmare Eclipse released during the past six weeks are BlueHammer and RedSun, which essentially allow attackers to turn Microsoft Defender into an attack tool against users, as well as UnDefend, a vulnerability that lets attackers slowly degrade Microsoft Defender's ability to detect and protect against new threats. Microsoft has so far officially assigned a CVE and released a patch only for BlueHammer (CVE-2026-33825), which is in CISA's KEV. According to Nightmare Eclipse, Microsoft appears to have quietly addressed another of the disclosed vulnerabilities, RedSun, without any CVE or public advisory, despite signs suggesting exploit activity. The other vulnerabilities remain unpatched.

In response to a Dark Reading request about the latest disclosures from Nightmare Eclipse, a Microsoft spokeswoman said the company is aware of the "purported vulnerabilities and is actively investigating the validity and potential applicability of these claims across our platforms and services." Microsoft is committed to investigating reported security issues and updating impacted products to protect customers as soon as possible, the company's statement read. "Importantly, we support coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public."

Nightmare Eclipse's disclosures reveal significant weaknesses — some of them unfixable — in components that are supposed to be the foundation of Windows security, says Christine Barry, senior chief cybersecurity storyteller at Barracuda.
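Since BlueHammer (CVE-2026-33825) is the one flaw here with a shipped fix, the first thing an administrator wants is a way to confirm endpoints actually carry it. The following PowerShell check is an added example, not code from the article, Microsoft, or any of the vendors quoted; it compares the installed Defender Antimalware Platform version against the fixed version 4.18.26030.3011 that the NVD summary at the top of this page gives. The function name Test-DefenderPlatformPatched and the output shape are this example's own; Get-MpComputerStatus and its AMProductVersion, RealTimeProtectionEnabled and AMServiceEnabled properties are the built-in Defender cmdlet and fields.

```powershell
# Added example (not from the article): confirm the local Microsoft Defender
# Antimalware Platform is at or above the fixed version NVD lists for CVE-2026-33825.
# Only the fixed version string comes from the page; everything else is this example's.

function Test-DefenderPlatformPatched {
    param(
        # Fixed platform version for CVE-2026-33825, per the NVD data quoted on this page.
        [version]$FixedVersion = [version]'4.18.26030.3011',

        # Optional: a platform version string taken from an inventory export, so the
        # comparison can be run offline without querying the local machine.
        [string]$PlatformVersion
    )

    if ($PlatformVersion) {
        # Offline mode: caller supplied the version (e.g. from an asset inventory).
        $installed = [version]$PlatformVersion
        $realtime  = $null
        $service   = $null
    }
    else {
        # Live mode: Get-MpComputerStatus is the built-in Defender cmdlet. AMProductVersion
        # is the antimalware *platform* version, distinct from engine and signature versions.
        $status    = Get-MpComputerStatus -ErrorAction Stop
        $installed = [version]$status.AMProductVersion
        $realtime  = $status.RealTimeProtectionEnabled
        $service   = $status.AMServiceEnabled
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PlatformVersion  = $installed
        FixedVersion     = $FixedVersion
        Patched          = ($installed -ge $FixedVersion)   # System.Version compares all four parts
        RealTimeEnabled  = $realtime
        AMServiceEnabled = $service
    }
}

# Live check on this host (run in an elevated PowerShell session):
Test-DefenderPlatformPatched | Format-List

# Offline check against a constructed inventory value that predates the fix;
# expected to report Patched = False.
Test-DefenderPlatformPatched -PlatformVersion '4.18.25110.5' | Format-List
```

A `Patched = False` row means the platform predates the fix and the host belongs at the front of the May 2026 update queue; the offline parameter lets the same comparison be run over a fleet-wide export of AMProductVersion values without touching each machine.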
"Three exploits target privilege escalation, one disables Defender's ability to detect threats, another bypasses BitLocker drive encryption, and one exposes a vulnerability that was said to be patched in 2020 but remains exploitable on fully updated Windows 11 systems today," Barry says. When used together, these vulnerabilities present attackers with an operational attack chain. The exploits show that assumptions about Defender, BitLocker, and Microsoft security patches can all be challenged, she added.

Microsoft's Disclosure Model Raises the Stakes

"Microsoft is dealing with an uncontrollable disclosure model and an extortion actor that isn't making demands," Barry says. "Traditional coordinated vulnerability disclosure gives vendors a window to patch before exploits go public. Nightmare Eclipse has rejected that model entirely — timing releases immediately after Patch Tuesday to maximize the gap before the next patch cycle."

The exploitability of the disclosed vulnerabilities varies widely, says Kieran Human, lead cybersecurity engineer at ThreatLocker. "MiniPlasma is relatively easy to exploit and is probably the most immediately concerning," he says. Others are much more limited, he points out. YellowKey requires physical access, which reduces the risk outside of insider scenarios. GreenPlasma is incomplete in its current form, since the published proof-of-concept still triggers a consent prompt and would require additional development to be useful.

The biggest takeaway from Nightmare Eclipse's vulnerability disclosures is that organizations can't build security strategies around the assumption that patching alone will keep systems secure, Human says. Researchers will keep discovering new vulnerabilities, and organizations will need to come to grips with that reality and respond accordingly.
"That means implementing deny-by-default defenses such as allowlisting, application containment, and similar controls that block the execution of unrecognized code and restrict privileges," Human says. "In many cases, those controls can stop exploit execution entirely. In others, they help contain the impact and limit lateral movement. [Endpoint detection and response] should be viewed as a last line of defense for when preventative strategies have failed."

LevelBlue's Sigler perceives Microsoft's response so far as understandable given the circumstances. "They need to ensure a patch can be developed that won't interfere with existing software while also verifying it fully resolves the vulnerability," he says. "Sometimes, zero-days like this are simply the tip of the iceberg when you dig deeper. And releasing a partial patch looks worse than making sure you've minded all of the p's and q's."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a veteran technology journalist with more than 25 years of experience covering cybersecurity. His reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security, and emerging enterprise technologies. Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders. Jai previously served as Senior Editor at Computerworld, where he covered information security and data privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master's degree in Statistics.
