## Full Report
Each vulnerability was published with working proof-of-concept code to the Microsoft-owned code repository GitHub, making them immediately available to both attackers and security professionals.
## Analysis Summary
# Vulnerability: Multiple Windows Zero-Day Disclosures (Nightmare Eclipse Campaign)
## CVE Details
- **CVE ID:** CVE-2026-33825 (BlueHammer), CVE-2026-45498 (UnDefend), CVE-2026-41091 (RedSun), CVE-2026-45585 (YellowKey)
- **CVSS Score:** Not explicitly listed in the article (severity High/Critical inferred from active exploitation and CISA KEV inclusion)
- **CWE:** Not specified (the techniques involve Windows system-level flaws)
## Affected Systems
- **Products:** Microsoft Windows Operating Systems
- **Versions:** Specific versions not detailed in the article, but characterized as impacting current Windows ecosystem.
- **Configurations:** Default Windows installations; specific configurations for the "Plasma" series vulnerabilities remain unconfirmed due to lack of vendor advisories.
## Vulnerability Description
This summary covers a series of six zero-day vulnerabilities released by a researcher known as "Nightmare Eclipse." The flaws are a mix of privilege escalation and remote code execution vulnerabilities within the Windows architecture. Three of these (BlueHammer, UnDefend, and RedSun) involve flaws already integrated into cyberattack campaigns. The remaining three (YellowKey, GreenPlasma, and MiniPlasma) are recently disclosed and target undocumented components within the Windows kernel or system services.
## Exploitation
- **Status:**
  - **CVE-2026-33825, CVE-2026-45498, CVE-2026-41091:** Exploited in the wild (included in CISA KEV).
  - **YellowKey, GreenPlasma, MiniPlasma:** PoC available (GitHub), no confirmed exploitation yet.
- **Complexity:** Low (Working PoC code is publicly available).
- **Attack Vector:** Network / Local (Depending on the specific CVE).
## Impact
- **Confidentiality:** High (Full system access in exploited cases)
- **Integrity:** High (Ability to modify system files and security settings)
- **Availability:** High (Potential for system instability or ransomware deployment)
## Remediation
### Patches
- **CVE-2026-33825, CVE-2026-45498, CVE-2026-41091:** Patches are available through Windows Update. Users should ensure they are running the latest security builds from April/May 2026.
- **YellowKey, GreenPlasma, MiniPlasma:** **No patches available** as of the publication date. Researchers expect potential fixes in the July 14, 2026 Patch Tuesday cycle.
### Workarounds
- Restrict administrative privileges for standard users to mitigate local privilege escalation.
- Implement strict application whitelisting to prevent the execution of PoC binaries.
- Monitor for unusual GitHub-sourced executable activity within the environment.
## Detection
- **Indicators of Compromise:** Look for unauthorized modifications to system binaries and registry keys associated with the "BlueHammer" and "RedSun" exploits.
- **Detection methods and tools:**
  - Use EDR (Endpoint Detection and Response) tools to flag the execution of known PoC code from the Nightmare Eclipse GitHub repository.
  - Audit CISA's Known Exploited Vulnerabilities (KEV) catalog for updated behavior patterns.
## References
- **Vendor Advisories:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/
- **Specific CVE Links:**
  - hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-33825
  - hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-45498
  - hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-41091
  - hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-45585