
Windows "Chaotic Eclipse" zero-day proliferation — YellowKey, GreenPlasma, MiniPlasma

notable synthesis discovered 2026-05-18 05:00 UTC

Entities: Nightmare Eclipse

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

The researcher cluster "Chaotic Eclipse" / "Nightmare Eclipse" continued releasing unpatched Windows LPE/bypass PoCs across the window. On 2026-05-19 a third PoC, MiniPlasma, landed, targeting the cldflt.sys CfAbortHydration path and claiming a re-exploitable regression of CVE-2020-17103. On 2026-05-20 Microsoft formally assigned CVE-2026-45585 to the BitLocker/WinRE bypass (YellowKey) disclosed on 2026-05-12 and published a WinRE mitigation, but confirmed there is still no security update for the cluster; the earliest fix window remains the June 2026 Patch Tuesday.

Three public PoCs (YellowKey, GreenPlasma, MiniPlasma) now exist against the Windows-centric desktop estates standard in CH/EU federal and cantonal administrations. Until a patch ships, enforce BitLocker PIN/Network-Unlock GPOs and AppLocker/WDAC rules on ctfmon.exe injection paths, and segregate privileged accounts from the workstation tier.
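The brief recommends enforcing BitLocker PIN or Network Unlock by GPO, but a policy being set is not the same as every endpoint actually carrying the protector. The following PowerShell audit is an added example written for this page, not code from ctipilot.ch or from the researchers named above; it assumes a Windows 10/11 or Server 2016+ host with the built-in BitLocker module, an elevated prompt, and that the OS volume is the system drive. It reports whether the OS volume has a pre-boot PIN (TpmPin / TpmPinStartupKey) or a Network Unlock (TpmNetworkKey) protector, and flags TPM-only volumes, which are the ones a WinRE-style bypass leaves without any pre-boot secret.

```powershell
# Added example (not from the ctipilot.ch brief): audit the OS volume's BitLocker
# key protectors to confirm the PIN / Network Unlock posture the brief calls for.
# Assumes the BitLocker PowerShell module and an elevated session.

function Test-BitLockerPreBootAuth {
    [CmdletBinding()]
    param(
        # Mount point of the OS volume; assumed to be the system drive (normally C:)
        [string]$MountPoint = $env:SystemDrive
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # TpmPin / TpmPinStartupKey require a user PIN before the OS volume unlocks.
    # TpmNetworkKey is the Network Unlock protector (needs the WDS/DHCP provider).
    # A bare 'Tpm' protector with neither of the above unlocks with no pre-boot secret.
    $hasPin           = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    $hasNetworkUnlock = ($types -contains 'TpmNetworkKey')
    $tpmOnly          = ($types -contains 'Tpm') -and -not $hasPin -and -not $hasNetworkUnlock

    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus      # 'On' means protectors are active
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = ($types -join ', ')
        HasPreBootPin    = $hasPin
        HasNetworkUnlock = $hasNetworkUnlock
        TpmOnly          = $tpmOnly
        # Compliant with the brief's interim guidance: protection on AND a pre-boot
        # PIN or Network Unlock protector present.
        Compliant        = ($vol.ProtectionStatus -eq 'On') -and ($hasPin -or $hasNetworkUnlock)
    }
}

# Run locally; for fleet-wide collection wrap it in Invoke-Command against your
# workstation OU and filter on Compliant -eq $false.
Test-BitLockerPreBootAuth | Format-List
```

Feed the `Compliant` column into whatever inventory you already report from; a host that shows `TpmOnly = True` after the GPO has applied usually means the PIN was never set interactively (the policy allows it but does not create it), which is exactly the gap to close while the June fix is pending.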

vulnerabilities lpe priv-esc poc-public no-patch global CVE-2026-45585 CVE-2020-17103