Tags: Windows vulnerabilities, zero-day, BitLocker, Microsoft Defender, patch management

One Researcher Is Making Microsoft's Life Very Difficult, Six Weeks Running

A security researcher known as "Nightmare Eclipse" has disclosed six Windows vulnerabilities over six weeks, including three new ones — YellowKey, GreenPlasma, and MiniPlasma — revealed shortly after Microsoft's May 2026 Patch Tuesday. These flaws target core Windows security components, enabling attacks such as BitLocker bypass, privilege escalation to SYSTEM, and exploitation of a vulnerability Microsoft believed it had patched in 2020. Microsoft has only officially patched one of the six flaws so far, and experts warn that the researcher's deliberate timing — releasing disclosures immediately after Patch Tuesday — maximises the window of exposure before the next patch cycle.

A security researcher going by 'Nightmare Eclipse' has now dropped six Windows vulnerabilities in six weeks, and the pace isn't slowing. Three more landed in the days immediately after Microsoft's May 2026 Patch Tuesday, tracked as YellowKey, GreenPlasma, and MiniPlasma. The timing appears deliberate: release right after a patch cycle, maximise the window before Microsoft can respond.

YellowKey is arguably the most alarming for anyone running BitLocker. According to researchers at LevelBlue, an attacker with physical access and a USB drive can bypass BitLocker encryption entirely, no credentials, no PIN, no TPM gymnastics required. Insert the device, trigger a reboot into the Windows Recovery Environment, hit the right key combination, and the encryption is effectively worthless. The scenario is constrained by the need for physical access, but that's cold comfort for anyone whose laptop gets left unattended.

GreenPlasma is a local privilege escalation bug affecting Windows 10, Windows 11, and Windows Server. It exploits the Windows text input services component to push access up to SYSTEM level. The published proof-of-concept doesn't quite complete that final step, which means attackers need some knowledge of Windows internals to finish the job. That's a meaningful barrier, but not an insurmountable one. Karl Sigler from LevelBlue's SpiderLabs team notes the realistic attack path: convince someone to install remote monitoring software through social engineering, use that access remotely, then trigger the escalation to climb from standard user to SYSTEM.

MiniPlasma is a different kind of embarrassment for Microsoft. It's not a new vulnerability. CVE-2020-17103 is an elevation-of-privilege flaw in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that Google's Project Zero flagged back in 2020. Microsoft patched it. Apparently not thoroughly enough, because the original proof-of-concept exploit reportedly still works unmodified on fully updated Windows 11. Nightmare Eclipse claims to have turned that PoC into a working weaponised exploit giving attackers full system control.
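For the YellowKey and MiniPlasma paragraphs above, the practical first question is simply whether a given host exposes the surface each one needs. The script below is an added example, not code from the article, from Nightmare Eclipse or from any of the vendors quoted; it only inventories state. It reports which BitLocker key-protector types each volume has and whether the Windows Recovery Environment is enabled, and whether the Cloud Files minifilter (cldflt.sys, driver service name CldFlt) is present, which version it is, and whether Filter Manager currently has it loaded. The article does not say which protector configurations YellowKey works against, nor that disabling WinRE or unloading cldflt.sys mitigates anything, so treat the output as facts to reason about, not as a pass/fail verdict. The function names are my own; the cmdlets and tools (Get-BitLockerVolume, reagentc, fltmc, Win32_SystemDriver) are standard Windows ones.

```powershell
# Added example (not from the article or the researcher): per-host inventory of the
# attack surfaces described for YellowKey (BitLocker + WinRE) and MiniPlasma (cldflt.sys).
# Reports state only; it makes no claim about which configurations are exploitable.
# Run from an elevated PowerShell; Get-BitLockerVolume needs the BitLocker module
# (Windows 10/11 Pro and above, Windows Server).
#Requires -RunAsAdministrator

function Get-YellowKeySurface {
    # BitLocker: which volumes are protected, and with which key-protector types.
    # Tpm-only protectors unlock the OS volume with no user secret; TpmPin, TpmKey and
    # TpmPinKey require something at boot. Record both; the article does not say which
    # of these YellowKey defeats, so do not read either as "safe".
    $volumes = Get-BitLockerVolume -ErrorAction Stop
    $report = foreach ($v in $volumes) {
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            EncryptionMethod = $v.EncryptionMethod
            KeyProtectors    = ($v.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ','
        }
    }
    # The attack as described pivots through the Windows Recovery Environment.
    # reagentc prints a line "Windows RE status: Enabled|Disabled"; capture it verbatim.
    $reInfo = (reagentc /info 2>&1 | Where-Object { $_ -match 'Windows RE status' }) -join ''
    [pscustomobject]@{
        Volumes     = $report
        WinREStatus = if ($reInfo) { $reInfo.Trim() } else { 'unknown (reagentc failed)' }
    }
}

function Get-MiniPlasmaSurface {
    # Cloud Files minifilter: is cldflt.sys on disk, which file version, is the CldFlt
    # driver service registered/running, and is the filter attached in Filter Manager?
    $path = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $drv  = Get-CimInstance Win32_SystemDriver -Filter "Name='CldFlt'" -ErrorAction SilentlyContinue
    # fltmc lists loaded minifilters with the filter name in the first column.
    $loaded = (fltmc filters 2>&1) -match '^\s*CldFlt\b'
    [pscustomobject]@{
        DriverPresent = [bool]$file
        FileVersion   = if ($file) { $file.VersionInfo.FileVersion } else { $null }
        ServiceState  = if ($drv) { $drv.State } else { 'not registered' }
        FilterLoaded  = [bool]$loaded
        OSBuild       = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion +
                        ' (' + [Environment]::OSVersion.Version.ToString() + ')'
    }
}

$yk = Get-YellowKeySurface
$yk.Volumes | Format-Table -AutoSize
"WinRE: $($yk.WinREStatus)"
Get-MiniPlasmaSurface | Format-List
```

Run it across a fleet (for example through your RMM or a scheduled task that writes the objects to a share as JSON) and you get a quick map of which machines have a TPM-only OS volume with WinRE enabled, and which still have the Cloud Files filter loaded, at the file version you can later compare against whatever fix Microsoft eventually ships.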

The earlier three disclosures from the same researcher targeted Microsoft Defender. BlueHammer and RedSun could essentially flip Defender into an attack tool against the users it's meant to protect. UnDefend degraded Defender's threat detection over time. Microsoft has only formally acknowledged BlueHammer with a CVE and patch, and CISA added it to its known exploited vulnerabilities catalogue. RedSun appears to have been quietly addressed with no public advisory and no CVE, despite apparent signs of active exploitation. The rest remain unpatched.

Microsoft's public response has been careful. A spokeswoman said the company is aware of the claimed vulnerabilities and is investigating their validity, adding the standard line about supporting coordinated disclosure. Which is a pointed remark given that Nightmare Eclipse has rejected that model entirely.

The strategic problem Microsoft faces is unusual. Christine Barry from Barracuda put it plainly: this isn't a researcher making demands, it's someone running an uncontrollable disclosure campaign timed specifically to widen the gap between patch cycles. There's no negotiation happening here.

The exploitability of the new trio varies considerably. Kieran Human from ThreatLocker rates MiniPlasma as the most immediately concerning given how straightforward it is to use. YellowKey's physical access requirement limits its reach outside insider threat scenarios. GreenPlasma's incomplete PoC means it needs more development work before it becomes a turnkey attack.

The broader lesson, which Human and others are pushing, is that patch management alone was never sufficient and these disclosures make that very hard to ignore. Allowlisting, application containment, and default-deny controls can stop exploit execution outright in many cases. Where they don't, they limit the blast radius. EDR, he argues, should be treated as a fallback for when the preventative layers have already failed, not the primary defence.
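The default-deny point is easier to see against a concrete file than in the abstract. Below is an added example, not code from the article, from ThreatLocker or from any of the people quoted: a minimal AppLocker allowlist that permits executables only from %WINDIR% and %PROGRAMFILES%, evaluated offline with Test-AppLockerPolicy against two files. One is a Windows binary where it normally lives; the other is the same binary copied into %TEMP%, standing in for the user-installed remote monitoring agent in Sigler's social-engineering path (a constructed stand-in, not real RMM software; the file's location, not its content, is what the policy decides on). Nothing is applied to the machine; the policy exists only as a temp file. The function name Test-Allowlist and the rule names are mine; the cmdlets and XML schema are AppLocker's own.

```powershell
# Added example (not from the article or ThreatLocker): evaluate a path-based
# default-deny AppLocker policy offline. Nothing is deployed; the policy is a temp file
# read only by Test-AppLockerPolicy. Requires the AppLocker cmdlets (Windows 10/11
# Enterprise/Education/Pro, Windows Server).

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'allowlist-demo.xml'
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Constructed stand-in for an attacker-delivered installer: a copy of a legitimate
# Windows binary dropped into a user-writable directory. Anything under %TEMP% falls
# outside the two allowed paths, which is the whole point of a default-deny allowlist.
$systemBinary = Join-Path $env:SystemRoot 'System32\calc.exe'
$dropped      = Join-Path $env:TEMP 'rmm-agent-setup.exe'
Copy-Item -LiteralPath $systemBinary -Destination $dropped -Force

function Test-Allowlist {
    param([string[]]$Paths, [string]$PolicyPath)
    foreach ($p in $Paths) {
        # Evaluates the file against the XML policy for the given principal
        # (Everyone = S-1-1-0) without the policy being deployed to the host.
        $r = Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $p -User 'Everyone'
        [pscustomobject]@{
            File     = $p
            Decision = $r.PolicyDecision   # Allowed, Denied or DeniedByDefault
            Rule     = $r.MatchingRule     # which rule matched, if any
        }
    }
}

Test-Allowlist -Paths $systemBinary, $dropped -PolicyPath $policyPath | Format-Table -AutoSize
Remove-Item -LiteralPath $dropped -Force
```

The System32 copy resolves to the Windows-folder rule and the %TEMP% copy gets no match, which is exactly the outcome Human is arguing for: the exploit delivery step fails before any EDR signature is involved. Two caveats a practitioner would add. Path rules are the weakest AppLocker rule type, since a user-writable subdirectory under %PROGRAMFILES% or %WINDIR% punches a hole in them; publisher rules, or WDAC on newer builds, are the stronger form. And the generated collection is deliberately AuditOnly: run it in audit mode long enough to see what your own estate actually launches before switching to Enabled, or the first thing you break will be something the business needs.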

LevelBlue's Sigler is sympathetic to Microsoft's position on timing, noting that rushing a patch risks breaking existing software or only partially addressing the underlying issue. Sometimes pulling on one thread reveals a much larger problem underneath. That's a reasonable defence. Whether it satisfies the organisations currently running unpatched systems is another matter.