
CISA gives Windows admins until June 3 to patch Nightmare Eclipse Defender flaws

Aerial view of Microsoft Redmond. (Image: Microsoft.com)
CISA's June 3 deadline for the two Nightmare Eclipse Defender zero-days is 48 hours away. YellowKey, GreenPlasma, and MiniPlasma remain unpatched, with GreenPlasma and MiniPlasma carrying no CVE assignment.

Federal agencies have until June 3 to apply fixes for two actively exploited Microsoft Defender vulnerabilities tied to the Nightmare Eclipse disclosure campaign. With that deadline 48 hours away, three additional Windows zero-days from the same researcher remain unpatched, and June 9 is the next opportunity Microsoft has to address them.

The saga began in early April when Nightmare Eclipse dropped BlueHammer (CVE-2026-33825), patched in the April 14 Patch Tuesday with its CISA deadline passing in early May. The current countdown is anchored by a separate CISA action on May 20 that added RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) to the Known Exploited Vulnerabilities catalog after Huntress confirmed active exploitation in real-world attacks. CISA mandated remediation under Binding Operational Directive 22-01 with a 14-day window.

What the patched flaws do

RedSun targets the Defender tiering engine to escalate privileges to SYSTEM. UnDefend triggers a denial-of-service condition in the Antimalware Platform, blinding Defender entirely and creating a window for ransomware deployment or lateral movement without triggering alerts.

Both are fixed in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. Verify those version numbers in Windows Security settings before June 3.
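The same check can be scripted for fleet use. The following PowerShell is an added example, not part of the original article or any Microsoft tooling: it compares the versions reported by the Defender cmdlet Get-MpComputerStatus against the fixed versions quoted above. The function name Test-DefenderPatchLevel and the exit codes are assumptions made for illustration.

```powershell
# Minimum fixed versions as stated in the article.
$MinEngine   = [version]'1.1.26040.8'    # Malware Protection Engine
$MinPlatform = [version]'4.18.26040.7'   # Antimalware Platform

# Hypothetical helper: returns a compliance record for one host.
function Test-DefenderPatchLevel {
    param(
        [Parameter(Mandatory)] [string] $EngineVersion,
        [Parameter(Mandatory)] [string] $PlatformVersion
    )
    # Cast to [version] so the comparison is numeric per field, not textual.
    $engine   = [version]$EngineVersion
    $platform = [version]$PlatformVersion
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Engine     = $engine
        EngineOk   = $engine -ge $MinEngine
        Platform   = $platform
        PlatformOk = $platform -ge $MinPlatform
        Compliant  = ($engine -ge $MinEngine) -and ($platform -ge $MinPlatform)
    }
}

try {
    # Fails if the Defender module is absent or the service cannot be queried.
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
    exit 2
}

# A stopped antimalware service is worth flagging on its own, since the
# article describes UnDefend as a denial of service against the platform.
if (-not $status.AMServiceEnabled) {
    Write-Warning 'Defender antimalware service is not enabled on this host.'
}

$result = Test-DefenderPatchLevel -EngineVersion $status.AMEngineVersion `
                                  -PlatformVersion $status.AMProductVersion
$result | Format-List

# Non-zero exit lets a management tool collect non-compliant hosts.
if (-not $result.Compliant) { exit 1 }
```

Exit code 1 marks a host below either fixed version, and 2 marks a host where Defender status could not be read at all.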

Three flaws with no patch

YellowKey (CVE-2026-45585) bypasses BitLocker on TPM-only systems via the Windows Recovery Environment, allowing someone with physical access to unlock encrypted drives without a recovery key. GreenPlasma is a CTFMON privilege escalation flaw with no CVE and no patch. MiniPlasma re-exploits CVE-2020-17103 in cldflt.sys, a 2020 flaw whose patch was either incomplete or silently regressed.

ThreatLocker and Will Dormann confirmed that MiniPlasma still produces a SYSTEM shell on fully patched Windows 11 and Windows Server 2022 and 2025. Windows 10 is unaffected, which matters for teams managing mixed fleets.

For YellowKey, run reagentc /disable, mount the offline WinRE registry hive, remove autofstx.exe from BootExecute under ControlSet001\Control\Session Manager, then run reagentc /enable to commit the change. Transition BitLocker from TPM-only to TPM+PIN wherever possible. 

Nightmare Eclipse has signalled a July 14 release targeting that month's Patch Tuesday.

Darryl Linington, 2026-06-01 (Update: 2026-06-01)