{"id":670697,"date":"2026-05-14T16:03:15","date_gmt":"2026-05-14T16:03:15","guid":{"rendered":"https:\/\/www.newsbeep.com\/au\/670697\/"},"modified":"2026-05-14T16:03:15","modified_gmt":"2026-05-14T16:03:15","slug":"microsoft-windows-alert-angry-hacker-drops-2-new-zero-day-exploits-2","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/au\/670697\/","title":{"rendered":"Microsoft Windows Alert\u2014Angry Hacker Drops 2 New Zero-Day Exploits"},"content":{"rendered":"<p><img decoding=\"async\" class=\" top-image\" src=\"https:\/\/www.newsbeep.com\/au\/wp-content\/uploads\/2026\/05\/1778688130_177_0x0.jpg\" alt=\"Windows logo appears on the screen of a smartphone.\" data-height=\"1806\" data-width=\"2715\" fetchpriority=\"high\" style=\"position:absolute;top:0\"\/><\/p>\n<p>Angry hacker drops more Windows 0-Days in ongoing campaign.<\/p>\n<p>NurPhoto via Getty Images<\/p>\n<p>Updated May 14: This article, originally published May 13, reveals two new Windows zero-day exploits that have been publicly disclosed by a disgruntled security researcher with a bee in their bonnet regarding the way that the Microsoft Security Response Center deals with vulnerability reports. It has now been updated to include details from the May Patch Tuesday security rollout, which the hacker timed to follow the zero-day drops and has threatened to target next month as well.<\/p>\n<p>The day following the Microsoft Patch Tuesday security updates rollout is known in cybersecurity circles as Exploit Wednesday. This month, there is more reason than ever to take that very seriously indeed. While Microsoft didn\u2019t patch any \u201cin the wild\u201d vulnerabilities this time, an angry hacker known by the monikers Chaotic Eclipse and Nightmare Eclipse decided to synchronize the public disclosure of no less than two zero-day exploits with the official release. 
Here\u2019s what you need to know, and do, about the YellowKey and GreenPlasma exploits.<\/p>\n<p>What You Need To Know About The YellowKey And GreenPlasma Microsoft Windows Zero-Day Exploits<\/p>\n<p>Hell hath no fury like a security researcher scorned. Well, that appears to be so in the case of a bug bounty hacker known as Chaotic Eclipse, who has a history when it comes to posting Windows zero-days after being unhappy over communications with the Microsoft Security Response Center. Having publicly released exploit code for a zero-day in April, that went by the name of <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2026\/04\/08\/1-billion-microsoft-users-warned-as-angry-hacker-drops-0-day-exploit\/?streamIndex=0\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2026\/04\/08\/1-billion-microsoft-users-warned-as-angry-hacker-drops-0-day-exploit\/?streamIndex=0\" target=\"_self\" aria-label=\"BlueHammer\" rel=\"nofollow noopener\">BlueHammer<\/a> and turned Microsoft Defender\u2019s own update workflow into a credential theft mechanism, they are now at it again. <\/p>\n<p>\u201cMicrosoft has chosen to make this worse instead of resolving the situation like adults,\u201d Chaotic Eclipse said, \u201cthey pulled every childish game possible. 
My patience is running out you&#8217;re making everyone else paying for it.\u201d The security researcher on a mission went on to address Microsoft security directly, saying, \u201cI\u2019m not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer,\u201d warning that the \u201cfire will go as long as you want, unless you extinguish it or until there nothing left to burn.\u201d<\/p>\n<p>The latest fuel comes in the form of two new zero-day exploits called <a class=\"color-link\" href=\"https:\/\/github.com\/Nightmare-Eclipse\/YellowKey\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/github.com\/Nightmare-Eclipse\/YellowKey\" aria-label=\"YellowKey\">YellowKey<\/a> and GreenPlasma. The first is a Windows BitLocker encryption bypass, the second a Windows CTFMON arbitrary section creation elevation of privileges vulnerability. Together, within 24 hours of the public proof of exploit code being published, they have already been <a class=\"color-link\" href=\"https:\/\/www.huntress.com\/blog\/nightmare-eclipse-intrusion\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/www.huntress.com\/blog\/nightmare-eclipse-intrusion\" aria-label=\"used in active attack campaigns\">used in active attack campaigns<\/a>. 
<\/p>\n<p>\u201cBoth of the released exploit POCs suggest significant, potentially systemic flaws in how modern Windows operating system features handle path trust (GreenPlasma) and recovery (YellowKey),\u201d Gavin Knapp, cyber threat intelligence principal lead at Bridewell, said. Microsoft is not the only vendor suffering from such issues, as is evident in my <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2026\/05\/12\/signifcant-threat-billions-of-gmail-users-at-risk-from-google-gaffe\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2026\/05\/12\/signifcant-threat-billions-of-gmail-users-at-risk-from-google-gaffe\/\" target=\"_self\" aria-label=\"exclusive report\" rel=\"nofollow noopener\">exclusive report<\/a> on architectural failings in security mechanisms designed to protect Google Drive and Gmail users. 
Historical system vulnerabilities are being found rapidly, Knapp warned, \u201cwhich is likely due to <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/07\/13\/from-vibe-coding-to-vibe-hacking---ai-in-a-hoodie\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/07\/13\/from-vibe-coding-to-vibe-hacking---ai-in-a-hoodie\/\" target=\"_self\" aria-label=\"skilled researchers leveraging AI\" rel=\"nofollow noopener\">skilled researchers leveraging AI<\/a> to expedite and scale vulnerability research and exploit development.\u201d <\/p>\n<p>Organizations should treat this as an active threat, Neena Sharma, a cybersecurity specialist at Filigran, told me, advising them to \u201cassess their exposure immediately, particularly for devices in high-risk physical access scenarios such as field devices, and shared workstations.\u201d Because immediate patching isn\u2019t possible at the time of writing, Sharma suggested implementing \u201ccompensating controls like restricting USB boot access.&#8221;<\/p>\n<p>Meanwhile, Chaotic Eclipse has issued the following warning to the Microsoft Security Response Center: \u201cYour recent actions made me take the difficult decision to drag other companies into this, be prepared to answer questions.<br \/>Next <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/12\/14\/41-microsoft-zero-days---now-millions-of-users-face-update-choice\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/12\/14\/41-microsoft-zero-days---now-millions-of-users-face-update-choice\/\" target=\"_self\" aria-label=\"Patch Tuesday\" rel=\"nofollow noopener\">Patch Tuesday<\/a> will have a big surprise for you, Microsoft. 
And remember, I never failed to deliver a promise.\u201d<\/p>\n<p>The Microsoft May Patch Tuesday Rollout Details<\/p>\n<p>John Carberry, a \u2018solution sleuth\u2019 with  Xcape, Inc., told me that the May Patch Tuesday rollout from Microsoft  is a game changer: \u201cWith 138 vulnerabilities patched this month &#8211; the second-largest volume in history &#8211; and over 500 CVEs addressed since January, Microsoft is on pace to shatter the 2020 record of 1,245 annual patches.\u201d So, what are the main takeaways once you start delving into the long list of vulnerabilities?<\/p>\n<p>Adam Barnett, principal software engineer at Rapid7, confirmed that \u201cMicrosoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities,\u201d which is the good news, especially in light of the Chaotic Eclipse zero-day drop. However, Barnett advised that \u201canyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon.\u201d<\/p>\n<p>Alex Vovk, CEO at Action1, has warned that another vulnerability, CVE-2026-42831, a critical remote code execution flaw in Microsoft Office caused by a heap-based buffer overflow, could allow an \u201cunauthorized attacker to exploit this issue by sending a malicious Office file, turning one user click into full 
code execution on a workstation.\u201d Such a compromise could, Vovk said, compromise employee workstations, expose sensitive documents, enable credential theft, and support phishing-based intrusion campaigns. <\/p>\n<p>And finally, Mike Walters, the Action1 co-founder, suggested that two Microsoft Word remote code execution vulnerabilities, CVE-2026-40367 and CVE-2026-40366, are worthy of your attention. CVE-2026-40367 is a critical remote code execution vulnerability in Microsoft Word due to an untrusted pointer dereference flaw. CVE-2026-40366 is a critical remote code execution vulnerability in Microsoft Word due to a use-after-free flaw.  \u201cAn unauthorized attacker could exploit these two flaws to execute code locally, and the Preview Pane is confirmed as an attack vector, increasing the risk of exposure through routine document handling,\u201d Walters explained.<\/p>\n","protected":false},"excerpt":{"rendered":"Angry hacker drops more Windows 0-Days in ongoing campaign. NurPhoto via Getty Images Updated May 14: This 
article,&hellip;\n","protected":false},"author":2,"featured_media":668503,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[322683,64,63,322688,322684,322687,322685,105,7116,322682,176946,305157,322686],"class_list":["post-670697","post","type-post","status-publish","format-standard","has-post-thumbnail","category-technology","tag-angry-hacker","tag-au","tag-australia","tag-bluehammer","tag-chaotic-eclipse","tag-greenplasma","tag-nightmare-eclpise","tag-technology","tag-windows","tag-windows-0-day-exploit","tag-windows-security-alert","tag-windows-warning","tag-yellowkey"],"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/670697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/comments?post=670697"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/670697\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media\/668503"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media?parent=670697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/categories?post=670697"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/tags?post=670697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}