# Full Report
On Tuesday, Microsoft patched two zero-day vulnerabilities that let attackers gain SYSTEM privileges on fully patched Windows systems, and a third one that grants access to BitLocker-protected drives. [...]
# Analysis Summary
This summary details three high-impact zero-day vulnerabilities patched by Microsoft in the June 2026 update cycle, originally disclosed by a researcher under the handle "Nightmare Eclipse."
---
# Vulnerability: GreenPlasma & MiniPlasma (LPE)
## CVE Details
- **CVE ID:** CVE-2026-45586 (GreenPlasma) and CVE-2020-17103* (MiniPlasma)
- **CVSS Score:** 7.8 (High), *estimated from typical LPE impact*
- **CWE:** CWE-269 (Improper Privilege Management)
*(Note: CVE-2020-17103 is referenced in the source text, though it may represent a re-used or related identifier for the Cloud Files Mini Filter Driver flaw.)*
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:** Fully patched Windows 10, Windows 11, and Windows Server versions (up to June 2026).
- **Configurations:** Systems running Collaborative Translation Framework (CTFMON) or the Cloud Files Mini Filter Driver.
## Vulnerability Description
These vulnerabilities allow for **Local Privilege Escalation (LPE)**.
- **GreenPlasma** targets the Collaborative Translation Framework (CTFMON), a long-standing Windows service.
- **MiniPlasma** targets the Cloud Files Mini Filter Driver.
By exploiting these flaws, a low-privileged local user can cross a security boundary and execute code with **SYSTEM** privileges, the highest level of authorization on a Windows host.
## Exploitation
- **Status:** Exploited in the wild; Proof of Concept (PoC) available.
- **Complexity:** Low
- **Attack Vector:** Local (Requires initial access to the system).
## Impact
- **Confidentiality:** High (Full access to system files).
- **Integrity:** High (Can modify system binaries and security settings).
- **Availability:** High (Can disable services or crash the OS).
---
# Vulnerability: YellowKey (BitLocker Bypass)
## CVE Details
- **CVE ID:** CVE-2026-45585
- **CVSS Score:** 6.8 (Medium)
- **CWE:** CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** Microsoft Windows 11 and Windows Server 2022/2025.
- **Configurations:** Systems utilizing BitLocker encryption.
## Vulnerability Description
YellowKey is a logic flaw acting as a backdoor within the **Windows Recovery Environment (WinRE)**. WinRE is used for repairing boot issues; however, the vulnerability allows an attacker to manipulate the recovery process to bypass BitLocker disk encryption without the recovery key.
## Exploitation
- **Status:** Exploited in the wild; PoC available.
- **Complexity:** Medium
- **Attack Vector:** Physical (Requires hands-on access to the device).
## Impact
- **Confidentiality:** High (Access to encrypted data on the drive).
- **Integrity:** Medium (Ability to modify boot files).
- **Availability:** Low.
---
# Remediation & Detection
## Remediation
### Patches
- Apply the **June 2026 Patch Tuesday** security updates immediately.
- Ensure WinRE partitions are updated specifically to address the YellowKey bypass.
### Workarounds
- **YellowKey:** Microsoft recommends restricting physical access to sensitive devices and ensuring UEFI passwords are set to prevent unauthorized booting into recovery environments.
- **LPEs:** Implement the principle of least privilege (PoLP) to give users the minimum level of access required, limiting the "blast radius" of a local exploit.
## Detection
- **Indicators of Compromise:**
  - Unexpected spawning of `cmd.exe` or `powershell.exe` with SYSTEM privileges originating from `ctfmon.exe`.
  - Unusual activity involving the Cloud Files Mini Filter Driver.
- **Detection methods:**
  - Monitor for unauthorized access to the Windows Recovery Environment.
  - Use EDR/SIEM tools to flag suspicious privilege escalation patterns.
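As an added example (not part of the original report), the following code applies the first indicator above to constructed Sysmon-style process-creation records: it flags `ctfmon.exe` spawning `cmd.exe` or `powershell.exe` as SYSTEM. The flat `Key: value | Key: value` log layout, the paths and the account names are constructed for the example.

```python
from dataclasses import dataclass

# Indicator from the report: ctfmon.exe spawning a shell that runs as SYSTEM.
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    user: str
    command_line: str

def parse_event(line: str) -> ProcEvent:
    # Constructed flat "Key: value | Key: value" layout; field names follow Sysmon Event ID 1.
    # partition() splits on the first colon only, so drive letters inside values survive.
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return ProcEvent(fields.get("ParentImage", ""), fields.get("Image", ""),
                     fields.get("User", ""), fields.get("CommandLine", ""))

def _basename(path: str) -> str:
    # Normalise separators and case so "c:/windows/system32/CTFMON.EXE" matches too.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_ctfmon_system_shell(ev: ProcEvent) -> bool:
    return (_basename(ev.parent_image) == "ctfmon.exe"
            and _basename(ev.image) in SHELLS
            and ev.user.lower() in SYSTEM_ACCOUNTS)

def find_hits(log_lines) -> list:
    # Parse every line and keep only the events matching the indicator.
    return [ev for ev in map(parse_event, log_lines) if is_ctfmon_system_shell(ev)]

# Constructed sample telemetry, not real log data.
SAMPLE_LOG = r"""
ParentImage: C:\Windows\explorer.exe | Image: C:\Windows\System32\cmd.exe | User: CORP\alice | CommandLine: cmd.exe
ParentImage: C:\Windows\System32\ctfmon.exe | Image: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | CommandLine: cmd.exe /c whoami
ParentImage: C:\Windows\System32\ctfmon.exe | Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: CORP\alice | CommandLine: powershell.exe
ParentImage: C:\Windows\System32\services.exe | Image: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | CommandLine: svchost.exe -k netsvcs
""".strip().splitlines()

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"ALERT: ctfmon.exe spawned {hit.image} as {hit.user}: {hit.command_line}")
```

Only the second record is flagged; the `powershell.exe` child of `ctfmon.exe` running as `CORP\alice` is not, because the indicator requires SYSTEM, so widen `SYSTEM_ACCOUNTS` or drop the user check if any shell child of `ctfmon.exe` should be surfaced for review.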
## References
- https://msrc.microsoft[.]com/update-guide/vulnerability/CVE-2026-45586
- https://msrc.microsoft[.]com/update-guide/vulnerability/CVE-2026-45585
- https://www.bleepingcomputer[.]com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-3-zero-day-200-flaws/