Threat Bulletin

Nightmare Eclipse: Seven Windows Zero-Days

Microsoft Windows — Defender, BitLocker, Cloud Files Driver, CTFMON | Severity: HIGH | Active exploitation confirmed (BlueHammer, RedSun, UnDefend)

Summary

Between April 2 and June 10, 2026, a researcher operating as “Nightmare Eclipse” publicly released eight working proof-of-concept exploits targeting core Windows security components — Microsoft Defender, BitLocker, and Windows kernel drivers. Each release was deliberately timed for the days after a Patch Tuesday, ensuring no fix would be available for weeks. BlueHammer, RedSun, and UnDefend were confirmed to be exploited in the wild. RoguePlanet and GreatXML (released June 9 and 10) have no patch and no confirmed in-the-wild exploitation as of this writing; however, working exploit code is publicly available.

Microsoft’s June 2026 Patch Tuesday patched YellowKey, GreenPlasma, and MiniPlasma. BlueHammer was patched in April. RedSun and UnDefend were fixed via an out-of-band Defender engine update on May 21. The researcher previously threatened a significant release on July 14 (next Patch Tuesday); as of today, that commitment has been partially walked back but not fully withdrawn. Monitor accordingly.


Exploit Catalog

Exploit | CVE | CVSS | Type | Affected | Patch status | KEV | Tenable
BlueHammer | CVE-2026-33825 | 7.8 | LPE | Win 10/11; Svr 2016–2025 | Patched Apr 2026 | YES | 306740, see MSRC
RedSun | CVE-2026-41091 | N/A | LPE | Win 10/11; Svr 2016–2025 | Patched May 21 (OOB)† | YES | 316462
UnDefend | CVE-2026-45498 | N/A | DoS/Evasion | Win 10/11; Svr 2016–2025 | Patched May 21 (OOB)† | YES | 316484
YellowKey | CVE-2026-45585 | 6.8 | BitLocker bypass | Win 11 (24H2–26H1); Svr 2025‡ | Patched Jun 2026 | NO | June PT plugins
GreenPlasma | CVE-2026-45586 | 7.8 | LPE | Win 10/11; Svr (see note ¶) | Patched Jun 2026 | NO | June PT plugins
MiniPlasma | CVE-2020-17103 | 7.8§ | LPE (regression) | Win 10/11; Svr 2016–2025 | Patched Jun 2026 | NO | 316497
RoguePlanet | No CVE assigned | N/A | LPE | Win 10/11 (fully patched) | NO PATCH | NO | None
GreatXML | No CVE assigned | N/A | BitLocker bypass & LPE | Win 10/11; Svr 2016–2025 | NO PATCH | NO | None

† RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) patched via out-of-band Defender engine update May 21, 2026; added to CISA KEV (FCEB deadline June 3, 2026).
‡ MSRC advisory lists Win11 24H2/25H2/26H1 and Server 2025 as confirmed scope; Server 2022 cited by researcher PoC but not confirmed in MSRC advisory.
§ NVD CVSS: 7.8; Microsoft CNA: 7.0.
¶ GreenPlasma scope per MSRC advisory — check msrc.microsoft.com for confirmed product list.


What This Means for Healthcare Organizations

  • Five of eight exploits target Microsoft Defender. Successful exploitation yields SYSTEM-level access from any low-privilege user account. Confirm that the June Patch Tuesday is fully deployed and that the Defender platform is current across all Windows endpoints.
  • YellowKey (CVE-2026-45585) enables unauthenticated access to encrypted drive contents with physical device access. Any Windows 11 or Server 2025 device with TPM-only BitLocker that left your environment before today’s patch is in scope. Today’s patch closes this gap.
  • MiniPlasma (CVE-2020-17103) is a 2020 ‘fixed’ vulnerability that remained exploitable on fully patched systems in May 2026. The original Google Project Zero PoC ran unchanged until today’s June PT. Tenable Plugin 316497 confirms exposure.
  • RoguePlanet and GreatXML have no patch and no CVE as of today. Both vulnerabilities allow for a SYSTEM shell on Windows 10 and 11 with June 2026 updates installed. GreatXML additionally allows for BitLocker bypass. No in-the-wild exploitation confirmed yet for either. RoguePlanet was validated independently by Will Dormann (Tharros). Application allowlisting is the only available technical control for RoguePlanet. No controls are available yet for GreatXML; however, machines are only vulnerable if they have previously run a Defender Offline Scan or can boot into WinRE in Offline Scan State.
  • Windows 10 GAC editions (Home, Pro, Education, Enterprise 22H2) are past end of support as of October 14, 2025, and receive no patches without paid ESU enrollment. LTSC 2021 and ESU-enrolled devices received patches today (KB5094127). Non-ESU Win10 GAC devices are unpatched against this entire campaign.


Recommendations

  • Apply June 2026 Patch Tuesday immediately. KB5094126 (Win11) / KB5094127 (Win10 ESU/LTSC). Priority CVEs: CVE-2026-45585 (YellowKey), CVE-2026-45586 (GreenPlasma), CVE-2020-17103 (MiniPlasma). Validate MiniPlasma remediation via Tenable Plugin 316497.
  • Verify Defender Antimalware Platform version. Platform 4.18.26040.x or higher covers BlueHammer, RedSun, and UnDefend. June PT updates the additional Defender surface. Check via Windows Security > Virus and Threat Protection > Protection updates.
  • Audit portable and mobile devices for BitLocker exposure. Identify Windows 11 and Server 2025 endpoints that were left in physical control before today. Flag TPM-only BitLocker configurations. Apply the patch before redeployment. Interim hardening: add a BitLocker PIN in addition to the TPM.
  • Deploy application allowlisting for RoguePlanet. No patch exists. ThreatLocker, WDAC, or AppLocker in deny-by-default mode is your only technical control until Microsoft releases a fix.
  • Inventory Windows 10 edition and support status. Identify all Win10 GAC devices not enrolled in ESU. These are not receiving security patches. Isolate, migrate, or enroll in ESU. Do not conflate with LTSC 2021 or IoT Enterprise LTSC devices, which remain supported.
  • Monitor for further disclosures. The researcher previously threatened a release on July 14 (next Patch Tuesday). As of today, that commitment has been partially walked back. Keep monitoring MSRC advisories and the researcher’s blog at deadeclipse666[.]blogspot[.]com.
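As an added example (not the bulletin's or Fortified's own code), a PowerShell audit that checks the three endpoint conditions in the recommendations above: the Defender platform floor, TPM-only BitLocker on the OS volume, and Windows 10 GAC edition versus LTSC. It assumes the 4.18.26040.0 platform floor quoted above and relies only on the built-in Defender, BitLocker and registry providers; run it elevated on the endpoint being audited.

```powershell
# Added example, not from the bulletin: audits the three endpoint checks the
# recommendations call for. Run in an elevated PowerShell on the endpoint.
# Assumption: 4.18.26040.0 is the platform floor quoted above; adjust if MSRC revises it.
$RequiredPlatform = [version]'4.18.26040.0'
$results = @()

# 1. Defender Antimalware Platform version (BlueHammer, RedSun, UnDefend coverage)
$mp = Get-MpComputerStatus
$platform = [version]$mp.AMProductVersion
$results += [pscustomobject]@{
    Check  = 'Defender platform'
    Value  = "$platform (engine $($mp.AMEngineVersion))"
    Status = if ($platform -ge $RequiredPlatform) { 'OK' } else { 'UPDATE REQUIRED' }
}

# 2. BitLocker OS-volume protectors: TPM-only is the YellowKey/GreatXML exposure;
#    a TpmPin (or startup-key) protector is the interim hardening named above.
foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasPinOrKey = [bool]($types | Where-Object { $_ -in 'TpmPin','TpmStartupKey','TpmPinStartupKey' })
    $tpmOnly = ($types -contains 'Tpm') -and -not $hasPinOrKey
    $results += [pscustomobject]@{
        Check  = "BitLocker $($vol.MountPoint)"
        Value  = ($types -join ',')
        Status = if ($vol.ProtectionStatus -ne 'On') { 'PROTECTION OFF' }
                 elseif ($tpmOnly) { 'TPM-ONLY: add PIN' }
                 else { 'OK' }
    }
}

# 3. Windows 10 GAC vs LTSC/ESU. The registry ProductName still reads "Windows 10"
#    on Windows 11, so the build number (22000 and up is Windows 11) is the
#    reliable discriminator; EnterpriseS / IoTEnterpriseS are the LTSC editions.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$isWin10 = [int]$cv.CurrentBuild -lt 22000
$isLtsc  = $cv.EditionID -in 'EnterpriseS','IoTEnterpriseS'
$results += [pscustomobject]@{
    Check  = 'Windows 10 support'
    Value  = "$($cv.EditionID) build $($cv.CurrentBuild)"
    Status = if (-not $isWin10) { 'N/A (Windows 11)' }
             elseif ($isLtsc) { 'LTSC: supported' }
             else { 'GAC: confirm ESU enrollment or migrate' }
}

$results | Format-Table -AutoSize
```

ESU enrollment itself is not exposed by these providers, so a GAC result is a prompt to confirm enrollment against your licensing records, not a verdict.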


Sources




From Fortified Health Security

Fortified Health Security is committed to maturing your healthcare organization’s cybersecurity posture. We will monitor and update this bulletin as the situation progresses.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

Should you have any questions about this threat or any other issue you are facing, please reach out to us. We’re here to help you on your cybersecurity journey.

Email: connect@fortifiedhealthsecurity.com    Phone: 615-600-4002
