Executive Summary
In June 2026, Microsoft addressed three critical zero-day vulnerabilities—YellowKey, GreenPlasma, and MiniPlasma—disclosed by the researcher 'Nightmare Eclipse.' YellowKey (CVE-2026-45585) allowed attackers with physical access to bypass BitLocker encryption via the Windows Recovery Environment. GreenPlasma (CVE-2026-45586) and MiniPlasma (CVE-2020-17103) were privilege escalation flaws in the Collaborative Translation Framework and Cloud Files Mini Filter Driver, respectively, enabling local attackers to gain SYSTEM privileges on fully patched Windows systems. These vulnerabilities were patched in Microsoft's June 2026 Patch Tuesday updates. (bleepingcomputer.com)
The disclosure of these vulnerabilities highlights ongoing challenges in vulnerability management and coordinated disclosure practices. The public release of proof-of-concept exploits prior to patches underscores the need for robust security measures and prompt patch management to mitigate potential threats.
Why This Matters Now
The public disclosure of these zero-day vulnerabilities before patches were available exposes systems to potential exploitation, emphasizing the critical importance of timely patching and coordinated vulnerability disclosure practices to maintain system security.
Attack Path Analysis
An attacker with physical access exploited the YellowKey vulnerability to bypass BitLocker encryption, gaining unauthorized access to the system. Subsequently, they leveraged the GreenPlasma and MiniPlasma vulnerabilities to escalate privileges to SYSTEM level. With elevated privileges, the attacker moved laterally across the network, accessing additional systems. They established a command and control channel to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. Finally, the attacker deployed ransomware, encrypting critical files and disrupting business operations.
Kill Chain Progression
Initial Compromise
Description
An attacker with physical access exploited the YellowKey vulnerability to bypass BitLocker encryption, gaining unauthorized access to the system.
Related CVEs
CVE-2026-45585
CVSS 6.8
A security feature bypass vulnerability in Windows Recovery Environment (WinRE) allows attackers with physical access to bypass BitLocker protection.
Affected Products:
Microsoft Windows 11 – 24H2, 25H2, 26H1
Microsoft Windows Server – 2025
Exploit Status:
proof of concept
CVE-2026-45586
CVSS 7.8
An elevation of privilege vulnerability in the Collaborative Translation Framework (CTFMON) allows local attackers to obtain SYSTEM permissions.
Affected Products:
Microsoft Windows 11 – 24H2, 25H2, 26H1
Microsoft Windows Server – 2025
Exploit Status:
proof of concept
CVE-2020-17103
CVSS 7
An elevation of privilege vulnerability in the Cloud Files Mini Filter Driver allows local attackers to obtain SYSTEM permissions.
Affected Products:
Microsoft Windows 10 – 1803, 1809, 1903, 1909, 2004, 20H2
Microsoft Windows Server – 2016, 2019
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism: Bypass User Account Control
Modify Authentication Process: Domain Controller Authentication
Unsecured Credentials: Credentials in Files
Impair Defenses: Disable or Modify Tools
Valid Accounts: Local Accounts
Hardware Additions
Firmware Corruption
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect stored cardholder data
Control ID: 3.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Microsoft zero-day exploits enable SYSTEM privilege escalation and BitLocker bypass, threatening transaction systems, customer data protection, and regulatory compliance requirements.
Health Care / Life Sciences
YellowKey, GreenPlasma, MiniPlasma vulnerabilities compromise patient data security through privilege escalation attacks, violating HIPAA encryption and access control mandates.
Government Administration
Zero-day Windows exploits grant unauthorized SYSTEM access and bypass disk encryption, exposing classified information and critical infrastructure to privilege escalation attacks.
Information Technology/IT
Microsoft Defender bypass capabilities and Windows privilege escalation exploits directly impact IT security infrastructure, requiring immediate patch deployment and system hardening.
Sources
- Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days: https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma-miniplasma-zero-days/
- Security Update Guide - Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
- NVD - CVE-2026-45585: https://nvd.nist.gov/vuln/detail/CVE-2026-45585
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely constrain the attacker's ability to move laterally, establish command and control channels, and exfiltrate data, thereby reducing the overall blast radius of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent initial physical access, it would likely limit the attacker's ability to exploit this access to compromise additional systems.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to exploit escalated privileges to access other systems or sensitive data.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's ability to move laterally across the network, thereby reducing the scope of the attack.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to establish and maintain command and control channels.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate sensitive data from the network.
While Aviatrix Zero Trust CNSF may not prevent the deployment of ransomware, it would likely limit the attacker's ability to propagate the ransomware across the network, thereby reducing the overall impact.
Impact at a Glance
Affected Business Functions
- Data Security
- System Integrity
Estimated downtime: N/A
Estimated loss: N/A
Potential access to BitLocker-protected data on compromised systems.
Recommended Actions
Key Takeaways & Next Steps
- Implement physical security measures to prevent unauthorized access to devices.
- Apply the latest security patches to remediate known vulnerabilities like YellowKey, GreenPlasma, and MiniPlasma.
- Enforce Zero Trust Segmentation to limit lateral movement within the network.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.