Windows Hit by Post-Patch Tuesday Zero-Day Blitz

Security researcher Chaotic Eclipse has disclosed three new Windows zero-day vulnerabilities following the May 2026 Patch Tuesday. To date, only one of the six…

Key Takeaways

  • Researcher Chaotic Eclipse has disclosed six vulnerabilities in six weeks; only BlueHammer (CVE-2026-33825) has received an official patch and been added to the CISA KEV catalog.
  • YellowKey (CVE-2026-45585, CVSS 6.8) enables a BitLocker bypass on Windows 11 and Windows Server 2025 via physical access and the Windows Recovery Environment.
  • MiniPlasma leverages CVE-2020-17103 in the cldflt.sys driver: a December 2020 Microsoft patch appears ineffective, as the original Google Project Zero PoC remains functional.
  • Microsoft has only provided a manual mitigation for YellowKey, with no automated patches available for GreenPlasma, MiniPlasma, or UnDefend.
  • Security analyst Will Dormann confirmed MiniPlasma works on fully updated May 2026 Windows 11 builds, granting a SYSTEM-level cmd.exe shell.

A Six-Week Surge: Six Flaws Discovered

In the wake of the May 2026 Patch Tuesday, the researcher known as Nightmare Eclipse (or Chaotic Eclipse) has disclosed three additional Windows zero-day vulnerabilities. The flaws, dubbed YellowKey, GreenPlasma, and MiniPlasma, are the latest in a six-week disclosure cycle that raises serious questions about Microsoft's patching efficacy for critical components like BitLocker and the cldflt.sys driver.

The researcher has published technical details and proof-of-concept (PoC) code for each vulnerability. According to Barracuda’s Christine Barry, the cycle includes three privilege escalation exploits, one tool to disable Microsoft Defender, a BitLocker bypass, and a resurfaced vulnerability from 2020 that remains exploitable on modern, fully updated Windows 11 systems.

Microsoft stated it is aware of the disclosures and is investigating the claims while emphasizing its support for coordinated vulnerability disclosure. Despite this, only BlueHammer—corrected in April and listed on the CISA KEV catalog—has a formal patch. The cycle also includes RedSun, which appears to have been silently resolved without a public CVE or advisory, and UnDefend, which remains unpatched.

YellowKey: Physical Access and BitLocker Bypasses

YellowKey, tracked as CVE-2026-45585 with a CVSS score of 6.8, exploits the Windows Recovery Environment (WinRE) to circumvent BitLocker encryption. An attacker with physical access to the target machine can use a USB drive or EFI partition to load an FsTx file.

Upon rebooting into WinRE, pressing the CTRL key opens a shell with unrestricted access to the encrypted volume, bypassing the need for user credentials. The vulnerability specifically impacts Windows 11 and Windows Server 2025, jeopardizing at-rest data on systems that rely solely on the TPM for disk unlocking.

Microsoft has acknowledged the issue. In an advisory cited by The Hacker News, the vendor stated: "Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey'... The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices." While no automated patch exists, the company has released a manual mitigation involving the BootExecute value within WinRE.

"Three exploits target privilege escalation, one disables Defender's ability to detect threats, another bypasses BitLocker drive encryption, and one exposes a vulnerability that was said to be patched in 2020 but remains exploitable on fully updated Windows 11 systems today." — Christine Barry, Barracuda

MiniPlasma: The 2020 Ghost in the Driver

MiniPlasma is a particularly concerning case: it is not a new flaw, but a reactivation of CVE-2020-17103 in the Windows Cloud Files Mini Filter driver (cldflt.sys). Although Microsoft released a fix in December 2020, the researcher demonstrated that the original Google Project Zero PoC still works without modification.

Chaotic Eclipse expressed uncertainty regarding whether the issue was never truly fixed or if the patch was silently rolled back. "I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes," the researcher noted.

Independent security analyst Will Dormann confirmed that MiniPlasma can launch a SYSTEM-level command prompt on Windows 11 systems running the May 2026 updates. Interestingly, the exploit failed on Insider Preview Canary builds, suggesting the flaw may be tied to specific components of the stable release branch.

Risk Mitigation and Defensive Actions

To address YellowKey, administrators must apply manual mitigations. This involves removing the autofstx.exe file from the BootExecute value within the WinRE hive and migrating BitLocker configurations from TPM-only to TPM+PIN.

Implementing a PIN adds a second authentication factor that breaks the attack chain even if an adversary manages to modify the recovery environment. This transition should be prioritized for all endpoints handling sensitive data that utilize native Windows encryption.
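As an added, read-only audit to check the two YellowKey mitigations above (this script is not from the article or from Microsoft): it reports BitLocker OS volumes still protected by a bare TPM protector, and checks a WinRE SYSTEM hive for an autofstx.exe entry in BootExecute. It assumes an elevated session, that the WinRE hive has already been loaded at HKLM\WinRE (an assumed load point), and that BootExecute sits at the standard Session Manager key (ControlSet001 in an offline hive).

```powershell
# Added audit script (not from the article or from Microsoft). Read-only: reports, changes nothing.
# Assumptions: elevated session; WinRE SYSTEM hive loaded beforehand, e.g.
#   reg load HKLM\WinRE <mounted-winre.wim>\Windows\System32\config\SYSTEM
# and BootExecute at the standard Session Manager location (ControlSet001 when offline).

function Get-TpmOnlyBitLockerVolumes {
    # A bare TPM protector with no PIN variant is the configuration YellowKey targets;
    # TpmPin / TpmPinStartupKey add the second factor that breaks the chain.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            [pscustomobject]@{
                MountPoint = $_.MountPoint
                Protectors = ($types -join ',')
                TpmOnly    = ($types -contains 'Tpm') -and
                             -not ($types -contains 'TpmPin') -and
                             -not ($types -contains 'TpmPinStartupKey')
            }
        }
}

function Test-WinReBootExecute {
    param(
        [string]$HiveRoot   = 'HKLM:\WinRE',     # assumed load point of the WinRE hive
        [string]$ControlSet = 'ControlSet001'    # offline hives have no CurrentControlSet link
    )
    $key = Join-Path $HiveRoot "$ControlSet\Control\Session Manager"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ HiveLoaded = $false; Entries = @(); HasAutoFsTx = $false }
    }
    # BootExecute is REG_MULTI_SZ: one native-mode program per element
    $entries = @((Get-ItemProperty -Path $key -Name BootExecute -ErrorAction SilentlyContinue).BootExecute)
    [pscustomobject]@{
        HiveLoaded  = $true
        Entries     = $entries
        HasAutoFsTx = [bool]($entries | Where-Object { $_ -match '(?i)autofstx\.exe' })
    }
}

$vol = Get-TpmOnlyBitLockerVolumes
$vol | Format-Table -AutoSize
$vol | Where-Object TpmOnly | ForEach-Object {
    Write-Warning "$($_.MountPoint) is TPM-only; add a PIN, e.g. manage-bde -protectors -add $($_.MountPoint) -TPMAndPIN"
}
$re = Test-WinReBootExecute
if (-not $re.HiveLoaded)  { Write-Warning 'WinRE hive not found at HKLM\WinRE; load it first.' }
elseif ($re.HasAutoFsTx)  { Write-Warning ('autofstx.exe still listed in WinRE BootExecute: ' + ($re.Entries -join ' | ')) }
else                      { 'WinRE BootExecute contains no autofstx.exe entry.' }
```

Adding a TPM+PIN protector also requires the "Require additional authentication at startup" policy to permit a PIN, so check Group Policy before running manage-bde on managed endpoints.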

Since no patch is available for MiniPlasma, organizations are advised to monitor for anomalous child processes spawned by cldflt.sys and enforce the principle of least privilege for standard users. Furthermore, physical security for critical devices should be hardened, and IT teams should plan for out-of-band audits of system driver integrity.

Finally, security teams should track the CISA Known Exploited Vulnerabilities catalog for updates regarding BlueHammer (CVE-2026-33825), the only flaw in this series with an official patch, to ensure it is deployed across the enterprise. Monitoring should also focus on unusual WinRE shell activity and cldflt.sys driver behavior.

GreenPlasma and the Unpatched Pipeline

GreenPlasma affects Windows 10, Windows 11, and Windows Server, facilitating local privilege escalation (LPE) to SYSTEM. While the researcher's public PoC stops short of a final exploit stage, the potential for large-scale impact remains a concern.

UnDefend also remains without an official fix. Meanwhile, RedSun appears to have been silently patched by Microsoft without a formal advisory, despite evidence of exploit activity. At the time of writing, YellowKey, GreenPlasma, MiniPlasma, and UnDefend lack automated security updates.

BlueHammer (CVE-2026-33825) remains the outlier, having been patched during the April 2026 cycle. It currently serves as the only fully addressed vulnerability in this ongoing saga, while the remaining five—including the three new May disclosures—await a definitive response from Microsoft.

The current landscape reveals a chain of vulnerabilities that remain open to exploitation despite public pressure and available PoCs. The lack of official corrections for four out of the six flaws highlights a structural challenge in how vulnerabilities in core OS components are being managed.
