Windows Zero-Day 2026: Patch YellowKey & GreenPlasma Now

Three critical Windows zero-day vulnerabilities — codenamed YellowKey, GreenPlasma, and MiniPlasma — were patched by Microsoft on June 10, 2026, as part of its monthly Patch Tuesday update. These Windows zero-day vulnerabilities are severe: YellowKey and GreenPlasma allow attackers to escalate privileges to SYSTEM level on fully patched Windows machines, while MiniPlasma lets adversaries read data from BitLocker-encrypted drives — a protection millions of businesses, including Indian SMBs, rely on to secure sensitive data. If your Windows systems haven't received last night's patches, your business is exposed right now.

Originally reported by BleepingComputer.

What Happened

On June 10, 2026, Microsoft released fixes for three actively exploited zero-day vulnerabilities that had been quietly weaponised by threat actors before a patch even existed. These weren't theoretical research bugs discovered in a lab — they were in-the-wild exploits, meaning organised threat actors were already using them to break into organisations at the moment Microsoft's engineers were writing the patch.

YellowKey and GreenPlasma are privilege escalation vulnerabilities in core Windows components. An attacker who already has a foothold on your machine — through a phishing email, a compromised RDP session, or a malicious macro in an Excel file — can exploit either of these to silently elevate themselves to SYSTEM, the highest privilege level on any Windows machine. SYSTEM access means total control: read any file, disable security tools, install persistent backdoors, dump credential hashes from LSASS memory, and move laterally across your entire network.

MiniPlasma is arguably the most alarming of the three for businesses that rely on BitLocker for data-at-rest protection. BitLocker is widely deployed across laptops and servers in Indian enterprises and mid-market companies — Windows 11 Pro enables it by default on eligible hardware. MiniPlasma exploits a flaw in how Windows handles BitLocker's sealed key release process, allowing an attacker with physical or low-privilege logical access to read the contents of BitLocker-protected volumes without knowing the recovery key. For a stolen or lost laptop, this completely voids the encryption protection you thought you had.

Why This Matters for Indian Businesses

India runs on Windows. Walk into any chartered accountant's office, any logistics company, any regional NBFC, any manufacturing plant in Pune or Coimbatore — Windows desktops and servers are the backbone of operations. According to CERT-In data, over 70% of reported cyber incidents in Indian organisations involve Windows-based systems. These three zero-days are not a Western problem; they are a here-and-now problem for every unpatched Windows system in your office.

Under the DPDP Act (Digital Personal Data Protection Act, 2023), organisations processing personal data of Indian citizens are required to implement "reasonable security safeguards." Failing to patch a known, critical, actively-exploited vulnerability — especially one that voids encryption — would be extremely difficult to defend before the Data Protection Board in the event of a breach. CERT-In's 6-hour mandatory reporting mandate means that if your systems are breached via YellowKey or MiniPlasma today, you have a very narrow window to detect, contain, and notify — a window most unmonitored SMBs will miss entirely.

RBI-regulated entities — payment aggregators, NBFCs, cooperative banks, and prepaid instrument issuers — face additional exposure under the RBI Cybersecurity Framework, which mandates prompt patching of critical vulnerabilities and requires business continuity safeguards around encrypted storage. A successful MiniPlasma exploit against your document management server could mean encrypted customer KYC data is suddenly readable, triggering regulatory notification obligations on top of the CERT-In window.

Technical Breakdown

Understanding how these vulnerabilities chain together is critical for defenders. Here is how a skilled attacker weaponises all three in a single, realistic intrusion:

graph TD
    A[Phishing Email] -->|user opens macro| B[Low-Priv User Shell]
    B -->|YellowKey exploit| C[SYSTEM Privileges]
    B -->|GreenPlasma exploit| C
    C -->|LSASS credential dump| D[Domain Admin Hash]
    D -->|Pass-the-Hash lateral move| E[File Server or DC]
    C -->|MiniPlasma on device| F[BitLocker Key Unsealed]
    E -->|bulk data theft| G[C2 Exfiltration]
    F -->|decrypt protected volumes| G

Stage 1 — Initial Access: The attacker sends a targeted phishing email. The attachment contains a malicious Office macro or a weaponised PDF. When opened, it drops a low-privilege reverse shell — the attacker is inside but limited to standard user permissions.

Stage 2 — Privilege Escalation: The attacker executes a YellowKey or GreenPlasma exploit entirely in memory — no file dropped to disk, no signature for traditional antivirus to catch. The exploit targets a legitimate Windows kernel or user-mode component. Within seconds, the shell is running as SYSTEM.

Stage 3 — Credential Harvesting: With SYSTEM access, the attacker dumps LSASS process memory. Every user who has ever logged into this machine — including potentially domain administrators — has their NTLM hash extracted.

Stage 4 — Lateral Movement: Using Pass-the-Hash (PtH), the attacker authenticates to other machines on your network using stolen hashes. No password needed. The file server, accounting system, and backup server are now within reach.

Stage 5 — BitLocker Bypass (MiniPlasma): Simultaneously, on a stolen or physically accessed laptop, the attacker exploits MiniPlasma to unseal the BitLocker volume key. All encrypted files become readable without the recovery PIN or key.

In my years building enterprise security architecture for large organisations, I saw this exact pattern repeatedly: perimeter defences were airtight, but internal privilege escalation from a single compromised endpoint cascaded into full domain compromise within hours. The attack surface has not changed — the tools have just gotten faster.

Here is what you should be monitoring for in your Windows event logs right now:

# Detect anomalous SYSTEM-level process spawning from non-OS parent processes
# Run as Administrator on your Windows servers and endpoints
Get-WinEvent -LogName Security -FilterXPath `
  "*[System[EventID=4688] and EventData[Data[@Name='TokenElevationType']='%%1936']]" `
  | Select-Object TimeCreated, `
    @{N='Process';E={$_.Properties[5].Value}}, `
    @{N='Parent';E={$_.Properties[13].Value}} `
  | Where-Object { $_.Parent -notmatch 'services.exe|wininit.exe|svchost.exe' } `
  | Select-Object -First 30

# Also watch for LSASS access from unexpected processes (credential dumping indicator)
Get-WinEvent -LogName Security -FilterXPath `
  "*[System[EventID=4656] and EventData[Data[@Name='ObjectName'] and contains(.,\"lsass\")]]" `
  | Select-Object TimeCreated, Message | Select-Object -First 10

How to Protect Your Business

Quick Fix — Patch and Verify Right Now

# Step 1: Force-install all pending Windows Updates (run as Administrator)
Install-Module PSWindowsUpdate -Force -Scope CurrentUser -ErrorAction SilentlyContinue
Get-WindowsUpdate -Install -AcceptAll -AutoReboot

# Step 2: After reboot, verify June 2026 cumulative update is installed
Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date).AddDays(-3) } |
  Sort-Object InstalledOn -Descending |
  Select-Object HotFixID, Description, InstalledOn

# Step 3: Audit BitLocker status on all drives
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# Step 4: Enable LSASS Protected Process Light (PPL) to block credential dumping
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
  -Name "RunAsPPL" -Value 1 -Type DWord
Write-Host "LSASS PPL enabled. Reboot required to take effect." -ForegroundColor Green

# Step 5: Verify no BitLocker volumes are unprotected
$unprotected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'Off' }
if ($unprotected) {
  Write-Warning "Unprotected volumes found: $($unprotected.MountPoint -join ', ')"
} else {
  Write-Host "All volumes are BitLocker protected." -ForegroundColor Green
}

Windows Zero-Day Vulnerabilities by the Numbers

pie showData
    title Microsoft June 2026 Patch Tuesday by Vuln Type
    "Privilege Escalation" : 38
    "Remote Code Execution" : 27
    "Security Feature Bypass" : 18
    "Information Disclosure" : 17

This month's Patch Tuesday fixed 67 total vulnerabilities, of which the three zero-days are the most critical. The distribution above is revealing: privilege escalation is the single largest category — 38% of all fixes. This is not a coincidence. Modern attackers have largely moved on from trying to achieve SYSTEM access remotely from the outside. They get inside as a low-privilege user through phishing or credential stuffing, then escalate. The battlefield has moved inward.

As someone who has reviewed hundreds of Indian SMB security postures over the past two years, the pattern I see most often is this: the company has a reasonable firewall and some email filtering, but zero visibility into what happens after an attacker gets past those layers. YellowKey and GreenPlasma are designed to exploit exactly that blind spot.

How Bachao.AI Detects This

Don't wait for a breach notice to find out you were exposed. Run a free VAPT scan right now — it takes under 5 minutes to start, requires no agent installation, and will tell you exactly which systems in your network are carrying vulnerabilities like these. Or explore the Bachao.AI blog for more actionable security guidance built specifically for Indian businesses.

Frequently Asked Questions

Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.