Windows zero-day proliferation — YellowKey (BitLocker), GreenPlasma (CTFMON SYSTEM LPE), MiniPlasma — three PoCs, no OOB patch
From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18
On 2026-05-15, two zero-days from "Nightmare Eclipse" / "Chaotic Eclipse" appeared simultaneously: "YellowKey" (TPM-only BitLocker bypass via WinRE FsTx path manipulation) and "GreenPlasma" (CTFMON.exe SYSTEM privilege escalation via an IPC flaw). Both had working public PoCs and no assigned CVE. By 2026-05-17, a third PoC, "MiniPlasma", appeared, targeting CVE-2020-17103 in the Cloud Filter driver (cldflt.sys): a different vulnerability class from the CTFMON-based GreenPlasma, attributed to the same researcher ecosystem. Microsoft has not released an out-of-band patch for any of the three. The earliest expected fix window is the June 2026 Patch Tuesday (approximately 2026-06-10).
YellowKey particularly affects laptops with TPM-only BitLocker (no PIN), which is the default configuration in most cantonal and federal laptop refresh programmes. Controls while awaiting a patch: enable BitLocker Network Unlock for domain-joined workstations (eliminates the WinRE bypass vector when off-network); apply AppLocker/WDAC rules blocking unsigned code injection into ctfmon.exe; hunt via Sysmon Event ID 10 (process access to ctfmon.exe from anomalous parent processes) and Security Event ID 4688 (process creation). No confirmed ITW exploitation of any of the three as of 2026-05-18.
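As an added example that is not part of the brief, the Sysmon EID 10 / Event ID 4688 hunt described above, run over a few constructed records: the flat one-dict-per-event layout and the allowlist of expected source images are assumptions, so baseline the allowlist against your own fleet before using it.

```python
from collections import defaultdict

# Illustrative allowlist of source images that routinely open handles to
# ctfmon.exe; an assumption for this example, baseline it per fleet.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def hunt(events):
    """Return (host, rule, detail) tuples for records worth triage."""
    findings = []
    for ev in events:
        host, eid = ev.get("Computer", "?"), ev.get("EventID")
        if eid == 10 and basename(ev.get("TargetImage", "")) == "ctfmon.exe":
            # Sysmon ProcessAccess: which image opened a handle to ctfmon.exe?
            src = ev.get("SourceImage", "").lower()
            if src not in EXPECTED_SOURCES:
                findings.append((host, "eid10_anomalous_source", src))
        elif eid == 4688 and basename(ev.get("ParentProcessName", "")) == "ctfmon.exe":
            # ctfmon.exe is not expected to spawn children (assumption); flag any.
            child = ev.get("NewProcessName", "").lower()
            findings.append((host, "eid4688_child_of_ctfmon", child))
    return findings

def correlate(findings):
    """Hosts showing both an anomalous handle open and a ctfmon child."""
    seen = defaultdict(set)
    for host, rule, _ in findings:
        seen[host].add(rule)
    both = {"eid10_anomalous_source", "eid4688_child_of_ctfmon"}
    return sorted(h for h, rules in seen.items() if both <= rules)

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\ctfmon.exe"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\ctfmon.exe"},
    {"EventID": 4688, "Computer": "WS01", "ParentProcessName": r"C:\Windows\System32\ctfmon.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS02", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\ctfmon.exe"},
]
```

A host that shows both an unexpected handle open on ctfmon.exe and a child process spawned by it is the one to escalate first; a lone EID 10 hit from an EDR or backup agent is usually an allowlist gap.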