CISA Sets June 3 Deadline for Two of Six Defender Zero-Days

Federal agencies have roughly 48 hours left to patch two actively exploited Microsoft Defender flaws before a June 3 deadline set by the Cybersecurity and Infrastructure Security Agency (CISA). Both bugs, code-named RedSun and UnDefend, already have a fix that shipped on May 21. The deadline exists because a remedy exists.

The harder problem sits outside that window. Three other Windows zero-days from the same researcher have no fix, no enforcement clock, and in one case no CVE identifier at all. The countdown everyone is racing covers the part of this campaign Microsoft has already closed.

The June 3 Deadline Covers Only the Flaws With a Fix

CISA added RedSun and UnDefend to its Known Exploited Vulnerabilities catalog (KEV, the federal list of bugs confirmed under active attack) on May 20. The listing triggered Binding Operational Directive 22-01 (BOD 22-01, the standing order that forces civilian agencies to remediate cataloged flaws on a fixed timetable), which set a 14-day window. That math lands on Tuesday.

RedSun, tracked as CVE-2026-41091, is a local privilege escalation bug. It abuses the way the Malware Protection Engine resolves symbolic links before reading files, letting a standard user climb to SYSTEM, the highest privilege level on a Windows machine. It carries a CVSS severity score of 7.8.

UnDefend, tracked as CVE-2026-45498, is quieter and arguably nastier in a breach. It forces a denial-of-service condition that stops Microsoft Defender from running, scoring a lower 4.0 but blinding the endpoint while an intruder works. Security firm Huntress documented the first real-world use in mid-April, when an attacker entered through a compromised FortiGate VPN account and then ran the exploits in sequence.

Both are fixed in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. Admins can confirm those build numbers inside Windows Security before the clock runs out. You can also cross-check the entries against the federal Known Exploited Vulnerabilities catalog to confirm the due date and the remediation guidance.
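An added check, not part of the article: this PowerShell snippet reads the Defender engine and platform builds on the local host through the built-in Get-MpComputerStatus cmdlet and compares them with the patched versions named above, which is the same verification the text describes doing by hand in Windows Security.

```powershell
# Added example (not from the article): confirm the RedSun/UnDefend fix is present.
# Get-MpComputerStatus is the built-in Defender cmdlet; AMEngineVersion and
# AMProductVersion are its engine and platform version properties.
$PatchedEngine   = [version]'1.1.26040.8'    # Malware Protection Engine build from the article
$PatchedPlatform = [version]'4.18.26040.7'   # Antimalware Platform build from the article

$status   = Get-MpComputerStatus
$engine   = [version]$status.AMEngineVersion
$platform = [version]$status.AMProductVersion

$result = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    EngineVersion   = $engine
    EngineFixed     = ($engine -ge $PatchedEngine)
    PlatformVersion = $platform
    PlatformFixed   = ($platform -ge $PatchedPlatform)
    # UnDefend stops Defender from running, so also record whether it is up at all.
    ServiceRunning  = $status.AMServiceEnabled
    RealTimeOn      = $status.RealTimeProtectionEnabled
}
$result | Format-List

if (-not ($result.EngineFixed -and $result.PlatformFixed)) {
    # Engine builds arrive with definition updates (Update-MpSignature);
    # the platform build ships separately through Windows Update.
    Write-Warning "May 21 Defender fix not confirmed on $($result.ComputerName)."
}
if (-not $result.ServiceRunning) {
    Write-Warning "Defender service is not running on $($result.ComputerName); investigate before trusting the version check."
}
```

Run it from an elevated prompt, or wrap it in Invoke-Command to sweep a fleet and collect the objects for reporting.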

Six Disclosures, Three Without a Patch

The campaign began in early April, when the researcher operating as Nightmare Eclipse dropped BlueHammer (CVE-2026-33825). Microsoft patched that one in the April 14 Patch Tuesday, and its own CISA deadline passed in early May. What followed was a six-week run of six separate Windows exploits, released faster than Microsoft’s patch cadence could absorb them.

Three of the six now have shipped fixes. The other three do not, and that split is the whole story.

Exploit      Identifier             Type                         Status
BlueHammer   CVE-2026-33825         Local privilege escalation   Patched April 14
RedSun       CVE-2026-41091         Defender engine elevation    Patched May 21
UnDefend     CVE-2026-45498         Defender denial-of-service   Patched May 21
YellowKey    CVE-2026-45585         BitLocker bypass             Unpatched
GreenPlasma  No CVE assigned        CTFMON privilege escalation  Unpatched
MiniPlasma   Reuses CVE-2020-17103  Cloud Filter elevation       Unpatched

Two of the three unpatched bugs have no CVE of their own: GreenPlasma was never assigned one, and MiniPlasma only reuses a 2020 identifier whose original fix already shipped. Both therefore sit outside the KEV catalog and outside the BOD 22-01 machinery that produced this week’s deadline. No identifier, no listing, no enforced clock. That gap is exactly why a federal patch deadline can feel reassuring while the most exposed surface stays open.

Why YellowKey and MiniPlasma Outrank the Patched Pair

The two cataloged flaws need local code already running on the box. The unpatched trio lowers that bar in ways that matter more to the people defending real fleets.

  • One bug bypasses full-disk encryption with about 60 seconds of physical access and a USB stick.
  • One bug revives a defect Microsoft says it fixed in 2020, and it still drops a SYSTEM shell on current builds.
  • One bug has no CVE and no patch, so there is nothing to track and nothing to install.

YellowKey Opens BitLocker With Physical Access

YellowKey, tracked as CVE-2026-45585, defeats BitLocker on systems that rely on the Trusted Platform Module (TPM, the chip that releases the disk key automatically at boot) without a PIN. It works through the Windows Recovery Environment, replaying an early-boot transaction tied to a file called autofstx.exe to reach a SYSTEM shell on an encrypted volume. No recovery key, no password. A lost laptop becomes a readable laptop.

MiniPlasma Revives a 2020 Patch

MiniPlasma is the one that should sting. It re-exploits a race condition in cldflt.sys, the Cloud Files filter driver that manages OneDrive placeholder files. James Forshaw of Google Project Zero first reported that defect in 2020, and Microsoft issued the original CVE-2020-17103 advisory and fix that December. The patch was either incomplete or quietly regressed. Will Dormann, principal vulnerability analyst at Tharros, and security vendor ThreatLocker confirmed the exploit still produces a SYSTEM shell on fully patched Windows 11 and Windows Server 2022 and 2025. Windows 10 is unaffected, which matters for anyone running a mixed fleet and deciding where to spend attention first.

GreenPlasma Has No CVE at All

GreenPlasma is a CTFMON privilege escalation flaw that lets an unprivileged user create arbitrary memory-section objects in directories the SYSTEM account trusts. It has no CVE and no patch. For an admin building a remediation ticket, there is literally nothing to reference and nothing to deploy.

What Admins Can Do Before a Patch Exists

The honest answer for three of these flaws is mitigation, not remediation. For the two cataloged bugs, verify the engine and platform builds in Windows Security and confirm they updated. For YellowKey, there is a manual hardening sequence that closes the WinRE path without waiting on Redmond.

  1. Run reagentc /disable to take the recovery environment offline.
  2. Mount the offline WinRE registry hive.
  3. Remove autofstx.exe from the BootExecute value under ControlSet001\Control\Session Manager.
  4. Run reagentc /enable to commit the change.
  5. Where policy allows, move BitLocker from TPM-only to TPM plus PIN, which defeats the physical-access angle outright.
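Steps 1 through 4 of the hardening sequence above, scripted as an added example that is not from the article. It assumes, beyond what the text states, that WinRE lives in winre.wim at the path below once disabled, that the image is mounted with DISM's Mount-WindowsImage, and that its offline SYSTEM hive is loaded with reg.exe; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): close the WinRE path used by YellowKey.
$WinReWim = 'C:\Windows\System32\Recovery\Winre.wim'  # assumed location after reagentc /disable
$MountDir = 'C:\WinRE_Mount'                           # scratch mount point (assumption)
$HiveName = 'HKLM\WinRE_SYSTEM'                        # temporary hive name (assumption)
$SessMgr  = 'HKLM:\WinRE_SYSTEM\ControlSet001\Control\Session Manager'

# Step 1: take the recovery environment offline.
reagentc /disable
if ($LASTEXITCODE -ne 0) { throw "reagentc /disable failed ($LASTEXITCODE)" }

$mounted = $false; $loaded = $false
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
try {
    # Step 2: mount the WinRE image and load its offline SYSTEM hive.
    Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
    $mounted = $true
    reg.exe load $HiveName "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }
    $loaded = $true

    # Step 3: drop every BootExecute entry that references autofstx.exe.
    # BootExecute is REG_MULTI_SZ, so the whole array is rewritten minus those lines.
    $before = @((Get-ItemProperty -Path $SessMgr -Name BootExecute).BootExecute)
    $after  = @($before | Where-Object { $_ -notmatch 'autofstx' })
    if ($after.Count -ne $before.Count) {
        Set-ItemProperty -Path $SessMgr -Name BootExecute -Value $after -Type MultiString
        Write-Host "Removed $($before.Count - $after.Count) autofstx entry/entries from BootExecute."
    } else {
        Write-Host "No autofstx entry in BootExecute; nothing changed."
    }
}
finally {
    # Unload the hive and commit the image, then put WinRE back online (step 4).
    if ($loaded)  { [gc]::Collect(); reg.exe unload $HiveName | Out-Null }
    if ($mounted) { Dismount-WindowsImage -Path $MountDir -Save | Out-Null }
    reagentc /enable
}
```

Step 5 is a separate BitLocker change made with the built-in Add-BitLockerKeyProtector -TpmAndPinProtector cmdlet once the Group Policy that permits a startup PIN is in place.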

For MiniPlasma, with no fix available, the practical defenses are detection-led: alert on Defender tampering, watch cldflt.sys registry activity, and treat any unexpected SYSTEM-level process as a signal worth chasing. If this sounds like a familiar shape, it is. The recovery environment has been a soft spot before: an earlier Windows 11 recovery-environment bug needed an emergency fix, and the pattern here is the same.

The July 14 Threat Pulls the Next Deadline Forward

Microsoft’s next scheduled chance to address the unpatched flaws is the June 9 Patch Tuesday. Whether YellowKey, GreenPlasma, and MiniPlasma make that cut is the question that actually governs risk for the back half of June.

The researcher has signaled a fresh release for July 14, aligning with that month’s Patch Tuesday, with a warning that the next round could escalate from privilege escalation to remote code execution. Microsoft has been trying to choke off distribution in the meantime: GitHub removed the repositories on May 23, and GitLab suspended the account days later. The code kept circulating through the researcher’s own blog anyway, a takedown story covered in more detail in our report on the Nightmare Eclipse zero-days that stayed live after the platform bans.

If the June 9 release patches the three open flaws, the campaign’s most dangerous surface finally closes and the July 14 threat becomes a smaller problem. If it does not, defenders spend five more weeks running manual mitigations against exploits that are already public, with a promised escalation waiting at the end of them.

Frequently Asked Questions

What is the CISA June 3 deadline for?

It applies only to two Microsoft Defender flaws, RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498), which CISA added to its Known Exploited Vulnerabilities catalog on May 20. Federal civilian agencies must apply the fixes within the 14-day window required by Binding Operational Directive 22-01.

How do I confirm my system has the RedSun and UnDefend fix?

Open Windows Security and check the engine versions. The patched builds are Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. If your numbers match or exceed those, the May 21 fix is installed.

Is there a patch for the YellowKey BitLocker bypass?

No. YellowKey (CVE-2026-45585) has no vendor fix yet. The interim mitigation is to disable the recovery environment, remove autofstx.exe from the BootExecute registry value, re-enable the recovery environment, and move BitLocker from TPM-only to TPM plus PIN where possible.

Does MiniPlasma affect Windows 10?

No. Testers confirmed MiniPlasma produces a SYSTEM shell on fully patched Windows 11 and Windows Server 2022 and 2025, but Windows 10 is not affected. That distinction is useful when prioritizing a mixed fleet.

When is the next Microsoft patch opportunity?

June 9 is the next scheduled Patch Tuesday and Microsoft’s first chance to address the three unpatched flaws. The researcher behind the campaign has separately signaled another release for July 14.
