Fully patched Windows systems still exposed attackers to SYSTEM-level access until Microsoft’s June 2026 Patch Tuesday closed two local privilege escalation zero-days and a third flaw tied to BitLocker-protected drives, according to BleepingComputer.

Windows Zero-Days Let Patched PCs Hand Over SYSTEM
XOOMAR Intelligence
Analyst Take
That’s the uncomfortable signal beneath the headline. Patching mattered, but prior update hygiene did not eliminate exposure before Microsoft shipped these fixes. The affected flaws, YellowKey, GreenPlasma, and MiniPlasma, show how quickly endpoint trust can narrow when Windows internals, recovery tooling, and encryption boundaries become attack surfaces.
Microsoft fixed the three issues as part of its June 2026 Patch Tuesday updates. The timing matters because all three had already been publicly disclosed by a researcher using the “Nightmare Eclipse” handle, in protest over how the Microsoft Security Response Center handles vulnerability disclosure.
Fully patched Windows still had a SYSTEM problem
Two of the bugs, GreenPlasma and MiniPlasma, gave local attackers a path to a shell with SYSTEM permissions on fully patched Windows systems. GreenPlasma is tracked as CVE-2026-45586 and was found in the Collaborative Translation Framework, or CTFMON. MiniPlasma is tracked as CVE-2020-17103 and affects the Cloud Files Mini Filter Driver.
The third issue, YellowKey, tracked as CVE-2026-45585, sits in a different category. BleepingComputer describes it as a backdoor in the Windows Recovery Environment, or WinRE, which Windows uses to repair boot-related problems. Attackers with physical access could use it to bypass BitLocker protection on unpatched Windows 11 and Windows Server 2022/2025 systems.
That combination is more serious than a routine bug batch. One class of flaws helps an intruder climb from limited local access to machine-level control. The other cuts into a control many enterprises treat as a last-resort shield when a device is lost, stolen, or otherwise exposed.
| Flaw | CVE | Affected area | Reported impact |
|---|---|---|---|
| GreenPlasma | CVE-2026-45586 | Collaborative Translation Framework, CTFMON | Local attacker can obtain a shell with SYSTEM permissions |
| MiniPlasma | CVE-2020-17103 | Cloud Files Mini Filter Driver | Local attacker can obtain a shell with SYSTEM permissions |
| YellowKey | CVE-2026-45585 | Windows Recovery Environment, WinRE | Physical attacker can bypass BitLocker protection on affected unpatched systems |
GreenPlasma and MiniPlasma turned local access into a higher-privilege attack path
A local privilege escalation bug does not usually hand an attacker the front door by itself. It becomes powerful after the attacker has some initial access, whether through another vulnerability, a compromised account, or another foothold already present on the machine.
The prize is SYSTEM. In Windows security terms, that’s not a cosmetic escalation. It changes what the attacker can attempt on the endpoint and forces defenders to treat the device as materially more compromised than a standard user session.
XOOMAR analysis: The phrase “fully patched Windows systems” is the operational punchline. It means defenders who had already applied prior updates still needed the June 2026 fixes to close these paths. Patch compliance before Tuesday did not equal protection against these specific disclosures.
Security teams should read GreenPlasma and MiniPlasma less as isolated bugs and more as a reminder that endpoint security depends on sequence. Initial access, local escalation, endpoint visibility, and response speed all matter. If one layer fails quietly, the next layer needs to catch the movement.
That’s why Patch Tuesday has become less of a calendar task and more of a live exposure race. XOOMAR has covered that operational pressure in 200 Microsoft Fixes Turn Patch Tuesday Into a Fire Drill, and the same pattern applies here: the update is only useful once it’s deployed, rebooted where required, and verified across real assets.
YellowKey cuts into BitLocker’s last-line role
YellowKey lands differently because it touches BitLocker-protected drives. BitLocker is often treated as the control that keeps local data protected when physical custody of a device is lost or contested. A flaw that grants access to protected drives narrows that assurance.
BleepingComputer reports that attackers need physical access to targeted devices to use a YellowKey exploit. That limits the scenario, but it doesn’t make the issue academic. Laptops, servers in shared environments, and devices moving through repair or recovery workflows all create situations where physical access is part of the risk model.
Microsoft also shared mitigation measures for YellowKey and criticized the public release of the proof-of-concept.
Microsoft said the proof-of-concept had “been made public violating coordinated vulnerability best practices.”
After patching, enterprise teams should verify more than update status. They should check BitLocker status, recovery key handling, device health signals, and endpoint logs for unusual local access activity. That’s not because the source reports confirmed exploitation of YellowKey in the wild. It’s because the control affected here is supposed to preserve data protection when other assumptions fail.
Patch Tuesday numbers are less important than zero-day status here
The hard count in this story is simple: three zero-days tied to this disclosure wave were addressed in the June 2026 Patch Tuesday cycle. Two are privilege escalation issues. One is a BitLocker-related access issue through WinRE.
For prioritization, zero-day status should outrank abstract scoring debates. Public proof-of-concept code compresses the defender’s response window. Even when exploitation has not been reported for a specific bug, public technical detail can accelerate testing by both defenders and attackers.
Security teams should measure deployment in operational terms:
- Coverage: Which Windows 11 and Windows Server 2022/2025 assets received the June 2026 updates?
- Completion: Which devices installed patches but still need restart?
- Exceptions: Which endpoints are blocked by compatibility, maintenance windows, or ownership gaps?
- Detection: Which EDR alerts map to local privilege escalation behavior or suspicious WinRE activity?
- Timing: What percentage of endpoints were patched within 24, 48, and 72 hours?
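One way to collect those five measurements per endpoint, as an added example that is not code from the article, BleepingComputer or Microsoft: the script uses standard Windows cmdlets (Get-HotFix, Get-BitLockerVolume, reagentc) and assumes the operator fills in the KB number of the June 2026 update for the host's build and the release date, neither of which the article states.

```powershell
# Added example: per-endpoint verification of coverage, completion, timing,
# BitLocker state and WinRE state. Run elevated on the endpoint being checked.
$RequiredKB  = 'KB-PLACEHOLDER'          # PLACEHOLDER: KB id of the June 2026 update (not in the article)
$ReleaseDate = Get-Date '2026-06-09'     # ASSUMPTION: set to the actual June 2026 Patch Tuesday date

function Test-PendingReboot {
    # Markers Windows Update and component servicing leave behind until a restart completes.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($m in $markers) { if (Test-Path $m) { return $true } }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return [bool]($sm.PendingFileRenameOperations)
}

# Coverage and timing: is the update installed, and how long after release did it land?
$hotfix      = Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue
$installed   = $null -ne $hotfix
$installedOn = if ($installed) { $hotfix.InstalledOn } else { $null }
$hoursToPatch = if ($installedOn) { [math]::Round(($installedOn - $ReleaseDate).TotalHours, 1) } else { $null }

# Completion: installed but still waiting on a restart means the fix is not yet effective.
$rebootPending = Test-PendingReboot

# BitLocker: YellowKey's reported impact is on protected drives, so record the OS volume state.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

# WinRE: reagentc reports whether the recovery environment is enabled on this host.
$winreLine = reagentc /info 2>$null | Select-String 'Windows RE status'
$winre = if ($winreLine) { ($winreLine.Line -split ':', 2)[1].Trim() } else { 'unknown' }

# One record per endpoint; collect these fleet-wide to compute the 24/48/72 hour percentages.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    RequiredKB      = $RequiredKB
    PatchInstalled  = $installed
    InstalledOn     = $installedOn
    HoursToPatch    = $hoursToPatch
    RebootPending   = $rebootPending
    FixEffective    = ($installed -and -not $rebootPending)
    Within72h       = ($null -ne $hoursToPatch -and $hoursToPatch -le 72)
    BitLockerStatus = if ($osVol) { $osVol.ProtectionStatus } else { 'N/A' }
    WinREStatus     = $winre
}
```

Exceptions (devices that never report) fall out of the fleet roll-up as missing records rather than from this script, and detection coverage is an EDR-side check rather than a host-side one.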
This is the same zero-day response muscle companies need outside Microsoft as well. Browser emergency updates create the same verification burden, as XOOMAR covered in Fifth Chrome Zero-Day Forces an Urgent Google Patch.
The disclosure fight is now part of the threat surface
The technical story is only half of this incident. The disclosure path made the risk sharper.
BleepingComputer reports that all three flaws were disclosed last month by Nightmare Eclipse, who released them in protest over MSRC’s handling of the disclosure process. The same researcher has also released proof-of-concept exploits for BlueHammer, tracked as CVE-2026-33825, and RedSun, for which no CVE identifier is given. Those two local privilege escalation zero-days are now actively exploited in attacks, according to BleepingComputer.
The researcher also leaked UnDefend, described as a zero-day that attackers with standard user permissions can exploit to block Microsoft Defender definition updates. On Tuesday, they also released a Microsoft Defender zero-day exploit named RoguePlanet, which BleepingComputer says lets threat actors spawn command prompts with SYSTEM privileges.
Microsoft’s response has been messy. The company initially reacted to the zero-day leaks with threats of legal action, then backed off after social media backlash. BleepingComputer says Microsoft later said it would work with law enforcement when a security researcher “breaks the law and engages in malicious activity causing real harm to our customers.”
That unresolved dispute matters because it keeps feeding a predictable cycle: disclosure, proof-of-concept publication, defender scramble, patch release, verification lag. The motive dispute does not reduce the technical risk. If anything, it makes the release cadence harder for enterprises to plan around.
The next test is proof of deployment, not Microsoft’s bulletin
The immediate action is plain: prioritize the June 2026 Windows updates, confirm installation, force pending reboots where operationally safe, and audit high-risk systems first. For YellowKey, give extra attention to devices where physical access risk is credible and where BitLocker is a key control.
But the better response goes beyond patching. Security teams should tune endpoint detection for privilege abuse, reduce unnecessary local admin rights, review BitLocker recovery key storage, and hunt for signs of suspicious local execution around the affected systems. Those are defensive steps tied to the reported impact, not claims that these exact outcomes have already occurred.
The scenario to watch now is whether delayed patching turns public proof-of-concept code into broader exploitation. Evidence that would strengthen that concern includes new reports of attacks tied specifically to GreenPlasma, MiniPlasma, or YellowKey, or detections showing repeated attempts against the named Windows components.
Evidence that would weaken it is just as practical: fast deployment rates, low reboot backlog, clean endpoint telemetry, and no confirmed exploitation tied to these three flaws after the patch window. For Windows defenders, the story doesn’t end when Microsoft ships the fix. It ends when the fleet proves it absorbed it.
Impact Analysis
- Fully patched Windows systems remained exposed until Microsoft released the June 2026 fixes.
- Two flaws could let local attackers gain SYSTEM-level control, increasing the risk after initial compromise.
- YellowKey shows that recovery tooling and physical access can threaten BitLocker-protected devices.
Written by
XOOMAR Insights Team
Research and Editorial Desk