NEWS
Windows Zero-Days Stay Live Despite GitHub and GitLab Bans
Two of the largest code-hosting platforms have now shut the door on the Windows researcher known as Nightmare-Eclipse, and it has barely dented the danger. GitHub wiped his repositories around May 23 and GitLab suspended his account days later, yet three of his six Windows zero-day disclosures in six weeks remain unpatched, and at least one is already running in real attacks against fully updated machines.
Most of the coverage has fixed on a dated threat the researcher aimed at Microsoft for mid-July. That date is a sideshow next to the weaponized code already copied, mirrored, and folded into confirmed intrusions before either platform acted.
Why the Platform Bans Changed Nothing
The takedown sequence reads like a containment that arrived too late to contain anything. Microsoft was accused of having the researcher's GitHub repositories flagged and removed around May 23, 2026. He moved to GitLab and rebuilt the same archive, which still hosted all six exploits. That account was suspended on May 26 to 27 for distributing weaponized zero-day code.
A zero-day is a flaw the vendor has not fixed, and a weaponized proof-of-concept (PoC, working attack code that turns a theoretical bug into a usable tool) is the part defenders fear most. Pulling those files from a public host removes the storefront. It does not recall the copies that strangers already pulled down.
The researcher has since shifted publication to a personal blog. The reach is narrower than a platform with millions of developers, but the blog still lets him push binaries and source directly as long as the site stays online.
- Early April 2026: the campaign opens, driven by stated frustration that the Microsoft Security Response Center (MSRC, the team that triages reported flaws) ignored his reports.
- Six disclosures land over six weeks, each paired with working exploit code for a different bug.
- May 23: the GitHub repositories are flagged and removed.
- May 26 to 27: GitLab suspends the replacement account hosting the same six exploits.
- Now: distribution continues from a personal blog outside either platform’s control.

The Three Flaws Microsoft Still Hasn’t Fixed
Of the six bugs, Microsoft has shipped fixes for three. BlueHammer, tracked as CVE-2026-33825, was closed in the April 14 Patch Tuesday release. RedSun and UnDefend were patched out of band on May 21 as CVE-2026-41091 and CVE-2026-45498, after the security firm Huntress confirmed all three were being exploited in the wild.
That left a harder problem. YellowKey, GreenPlasma, and a third bug, MiniPlasma, targeting the Windows Cloud Filter driver all stay open. The Cybersecurity and Infrastructure Security Agency (CISA) added the patched trio to its Known Exploited Vulnerabilities catalog and ordered federal agencies to fix CVE-2026-41091 and CVE-2026-45498 by June 3.
| Codename | Identifier | Effect | Status |
|---|---|---|---|
| BlueHammer | CVE-2026-33825 | Local privilege escalation | Patched April 14 |
| RedSun | CVE-2026-41091 | Malware Protection Engine elevation to SYSTEM | Patched May 21 |
| UnDefend | CVE-2026-45498 | Defender denial-of-service and suppression | Patched May 21 |
| YellowKey | CVE-2026-45585 | BitLocker bypass | Unpatched |
| GreenPlasma | No current CVE | Privilege escalation | Unpatched |
| MiniPlasma | No current CVE | Cloud Filter elevation to SYSTEM | Unpatched |
So three remain unpatched, and the one drawing the most alarm is the Cloud Filter bug, because independent testers confirmed it works on machines that already have every available update installed.
A Six-Year-Old Cloud Filter Bug Comes Back
MiniPlasma is not new. It targets cldflt.sys, the Windows Cloud Files Mini Filter driver, and abuses a race condition in a routine named HsmOsBlockPlaceholderAccess. A standard, unprivileged account can use it to write arbitrary registry keys into the .DEFAULT hive, the profile hive the SYSTEM account loads. The result is a full jump from ordinary user to SYSTEM, a level above a local administrator.
The same defect was first reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. Microsoft assigned it CVE-2020-17103 and shipped a fix that December. According to the original 2020 advisory for the Cloud Filter flaw, the patch was supposed to close exactly this path.
It did not hold. When the researcher published the weaponized version on May 13, 2026, he claimed Microsoft had either failed to patch the original or quietly rolled the fix back. BleepingComputer and several independent researchers then confirmed the old PoC runs without modification, giving an attacker SYSTEM access on fully patched Windows 11, along with Windows 10 and Server 2022 and 2025. A bug the world thought was buried in 2020 is once again a live tool in 2026.
How the Exploit Chain Works in Real Intrusions
Barracuda Networks reported that the researcher’s exploit chain has already turned up in confirmed network intrusions. The pattern is simple and effective: pair a privilege-escalation flaw with a way to blind the defender.
Attackers elevate to SYSTEM through BlueHammer, RedSun, or the Cloud Filter exploit, then use UnDefend to suppress Microsoft Defender so the elevation goes unseen. The privilege-escalation entry for the Malware Protection Engine flaw, described in the National Vulnerability Database listing for RedSun, shows why that combination is dangerous: it hands an intruder the keys while turning off the alarm.
Once an attacker holds SYSTEM, the next moves tend to be credential theft and lateral movement, the same playbook seen in a recent strain of Windows malware that lifts browser passwords and SSH keys. A privilege jump is rarely the goal on its own; it is the door that everything else walks through.
- Six zero-days released across six weeks, each with working exploit code.
- Three of them already listed in CISA’s exploited-vulnerabilities catalog.
- June 3 is the federal deadline to patch the two Defender bugs.
- One unpatched flaw confirmed running unmodified on fully updated systems.
Why July 14 Matters Less Than the Code Already Out
The threat that grabbed headlines was personal and specific. In a signed post addressed to Microsoft, the researcher wrote:
Mark this date, July 14th. I will make sure your bones are shattered that day.
The date is not random. It is the second Tuesday of July, the next monthly Patch Tuesday after June, the cycle Microsoft uses to ship security fixes. He also said no new disclosure was planned for June, while leaving room to change his mind, and an earlier post warned he would escalate to remote code execution (RCE, flaws that let an attacker run code on a machine over a network) if Microsoft kept ignoring him.
Treating that calendar entry as the main event gets the risk backward. The bugs already published do not wait for a date. The Cloud Filter exploit, YellowKey, and GreenPlasma are downloadable now, demonstrated to work now, and mixed into intrusions now. A threat scheduled for mid-July is leverage in a feud. The unpatched code is the part that can hurt an organization this week.
What Windows Administrators Can Do Before a Patch
There is no fix yet for the three open flaws, but the exposure is manageable with the controls most environments already run. The priority is closing what has a patch and watching closely for what does not.
- Apply the May 21 out-of-band Defender updates and confirm the engine version sits at or above the fixed build.
- Treat the CISA-listed CVEs as urgent regardless of agency status, since the catalog tracks bugs seen in real attacks.
- Monitor cldflt.sys behavior and registry writes into the .DEFAULT hive, the signature of the Cloud Filter exploit. SYSTEM services write there legitimately, so the useful alert is a write under HKEY_USERS\.DEFAULT by a process that is not running as SYSTEM.
- Alert on Defender being disabled or tampered with, the suppression step that makes the chain quiet.
- Tighten endpoint detection and response (EDR) rules around standard-user processes that suddenly gain SYSTEM rights, the same hygiene that limits supply-chain threats like malicious npm packages caught siphoning cloud secrets.
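As an added example, not code from the article or from any of the vendors it cites, the PowerShell script below checks the Defender and registry controls above on a single host. It assumes two things the article does not supply: the fixed Defender engine build, which must be read from Microsoft's May 21 advisory and passed in as -MinimumEngineVersion, and a Sysmon install (version 13 or later) with registry events enabled, since the Windows Security log only records registry writes where a SACL has been set on the key.

```powershell
# Added illustrative triage script for the Windows zero-day exposure described above.
# Not a Microsoft or vendor tool. Assumptions, labelled: -MinimumEngineVersion comes
# from Microsoft's advisory for CVE-2026-41091 / CVE-2026-45498 (the article does not
# quote the build); registry findings depend on Sysmon event IDs 12-14 being collected.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumEngineVersion,   # fixed engine build from the MSRC advisory
    [int]$LookbackHours = 24
)

$since   = (Get-Date).AddHours(-$LookbackHours)
$results = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, $Value, [bool]$Pass) {
    $script:results.Add([pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass })
}

# 1. Defender engine at or above the fixed build, with protection and tamper guard on.
$mp = Get-MpComputerStatus
Add-Finding 'Defender engine version' $mp.AMEngineVersion ([version]$mp.AMEngineVersion -ge $MinimumEngineVersion)
Add-Finding 'Real-time protection on' $mp.RealTimeProtectionEnabled $mp.RealTimeProtectionEnabled
Add-Finding 'Tamper protection on'    $mp.IsTamperProtected $mp.IsTamperProtected

# 2. Defender disabled or reconfigured inside the lookback window (the UnDefend step).
#    5001 = real-time protection disabled, 5007 = configuration changed,
#    5010 = antimalware scanning disabled, 5012 = antivirus scanning disabled.
$defEvents = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5010, 5012
    StartTime = $since
} -ErrorAction SilentlyContinue)
Add-Finding 'Defender tamper events' $defEvents.Count ($defEvents.Count -eq 0)

# 3. Registry writes under HKU\.DEFAULT by anything other than SYSTEM.
#    SYSTEM services legitimately touch this hive, so the filter keys on the
#    writing account rather than on the path alone.
$regEvents = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 12, 13, 14
    StartTime = $since
} -ErrorAction SilentlyContinue)

$suspect = @(foreach ($e in $regEvents) {
    # Sysmon stores its fields as <Data Name="...">value</Data> elements.
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    if ($fields.TargetObject -like 'HKU\.DEFAULT\*' -and $fields.User -ne 'NT AUTHORITY\SYSTEM') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $fields.User
            Process = $fields.Image
            Key     = $fields.TargetObject
        }
    }
})
Add-Finding 'Non-SYSTEM writes to HKU\.DEFAULT' $suspect.Count ($suspect.Count -eq 0)

# Summary first, then the raw evidence for anything that failed.
$results | Format-Table -AutoSize
if ($suspect.Count)   { $suspect | Format-Table -AutoSize }
if ($defEvents.Count) { $defEvents | Select-Object TimeCreated, Id, Message | Format-Table -Wrap }
```

Run it from an elevated prompt on a host you suspect, for example `.\Triage-ZeroDayExposure.ps1 -MinimumEngineVersion '<build from advisory>' -LookbackHours 72`. A failed engine check means the May 21 fixes are not in place; any non-SYSTEM write under HKU\.DEFAULT is worth a full investigation of the listed process, because the page describes that write as the exploit's footprint rather than a side effect.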
Microsoft has acknowledged the open reports and said it is investigating, with no fix timeline given. The bans took the researcher’s storefront offline. The merchandise is still circulating, and that is the problem a takedown was never going to solve.
Frequently Asked Questions
Which of the six exploits has Microsoft patched?
Three are fixed. BlueHammer (CVE-2026-33825) shipped in the April 14 Patch Tuesday release, and RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) were patched out of band on May 21. YellowKey, GreenPlasma, and the Cloud Filter bug remain open as of late May 2026.
What does MiniPlasma do to a Windows machine?
MiniPlasma lets a standard, unprivileged user escalate to SYSTEM, the highest local privilege, by abusing a race condition in the cldflt.sys Cloud Filter driver to write registry keys into the .DEFAULT hive. It does not give remote access on its own, but it removes the boundary between a normal account and full control.
Is a fully patched Windows 11 PC safe from the Cloud Filter exploit?
No. Independent researchers confirmed the exploit runs without modification on Windows 10, Windows 11, and Windows Server 2022 and 2025 with all current updates installed. The underlying flaw traces back to CVE-2020-17103, which Microsoft believed it fixed in December 2020.
Did the GitHub and GitLab bans remove the exploit code?
The bans removed the researcher’s hosted copies, but the files had already been downloaded and mirrored before the takedowns. He has resumed distribution from a personal blog, so the code remains publicly available.
What is supposed to happen on July 14?
The researcher posted a dated threat against Microsoft tied to mid-July, which aligns with that month’s Patch Tuesday, and warned he could escalate to remote code execution flaws. He said no new disclosure was planned for June, though he left room to change course.
