Two of the six zero-days in Microsoft’s June 2026 Patch Tuesday operate differently from the remote code execution cluster — they attack Windows security boundaries at the local level. CVE-2026-50507 (“YellowKey”) bypasses BitLocker full-disk encryption pre-boot authentication, and CVE-2026-45586 (“GreenPlasma”) escalates local privilege through the Windows Text Services Framework. Both appear in post-exploitation toolchains used in targeted attacks.
CVE-2026-50507: BitLocker Security Feature Bypass (“YellowKey”)
CVSS 6.8 (Medium — the score is lowered by the physical access requirement). Publicly disclosed zero-day. No workaround removes the need for the patch; the June 2026 cumulative update is required.
BitLocker is the Windows full-disk encryption feature that protects data on Windows devices if the device is lost or stolen. In the standard enterprise deployment, BitLocker uses a TPM chip to seal the encryption key — the key is released automatically when the measured boot sequence matches expectations (verified BIOS, bootloader, and OS). In PIN or USB key mode, BitLocker requires user authentication before releasing the encryption key.
CVE-2026-50507 exploits a flaw in BitLocker’s boot measurement validation to bypass pre-boot authentication — the attacker can present a crafted boot environment that causes BitLocker to release the encryption key without the required PIN or USB key, gaining access to the encrypted drive’s contents.
Required conditions:
- Physical access to the device
- Device is in BitLocker-protected state (not already decrypted and running)
- BitLocker is configured in TPM-only mode (no PIN or USB key required for boot) — common in enterprise deployments where user convenience is prioritised
Who is at risk: Organisations with laptop fleets protected only by TPM-bound BitLocker (no PIN). Device theft — targeted theft of an executive laptop or a lost device — is the exploitation scenario. The attacker does not need to know the Windows login password; the BitLocker bypass gives access to the raw disk contents.
Mitigation beyond the patch: Enable BitLocker TPM+PIN authentication for all mobile devices in the enterprise fleet. TPM+PIN requires the user to enter a PIN before the TPM releases the BitLocker key, meaning physical access alone is insufficient. The additional friction of a PIN at boot is minimal compared to the risk profile for mobile devices carrying executive email, corporate documents, or access credentials.
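As an added example (not code from the article or from Microsoft), the PowerShell below audits which operating-system volumes still rely on a TPM-only protector, which is the precondition listed above, and optionally moves a volume to TPM+PIN. It uses only the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) and the FVE policy registry keys that correspond to the "Require additional authentication at startup" Group Policy setting; the function names and the exact ordering of the protector swap are this example's own choices, and the assumption that only one TPM-based protector may exist per volume is noted in the comments.

```powershell
# Added example, not part of the original article. Run in an elevated session.
#Requires -RunAsAdministrator

function Get-BitLockerPinStatus {
    # Report, for each OS volume, whether the TPM releases the key with no PIN.
    [CmdletBinding()]
    param()
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            HasRecoveryPw    = ($types -contains 'RecoveryPassword')
            HasPin           = $hasPin
            # TPM-only: a bare Tpm protector with no PIN-bearing protector alongside it.
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasPin
        }
    }
}

function Enable-BitLockerTpmPin {
    # Move one OS volume from TPM-only to TPM+PIN and set the matching policy so the
    # change survives re-provisioning. Assumption (labelled): BitLocker allows a single
    # TPM-based protector per volume, so the old Tpm protector is removed afterwards.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "Volume $MountPoint has no recovery password protector; add and escrow one first."
    }

    # Policy equivalents of "Require additional authentication at startup":
    # UseAdvancedStartup=1 enables the setting; UseTPM=0 forbids TPM-only; UseTPMPIN=1 requires TPM+PIN.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if ($PSCmdlet.ShouldProcess($fve, 'Set TPM+PIN startup policy')) {
        New-Item -Path $fve -Force | Out-Null
        Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name 'UseTPM'             -Value 0 -Type DWord
        Set-ItemProperty -Path $fve -Name 'UseTPMPIN'          -Value 1 -Type DWord
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Replace TPM protector with TPM+PIN')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
        # Drop any remaining bare Tpm protector so the key can no longer be released without the PIN.
        Get-BitLockerVolume -MountPoint $MountPoint |
            Select-Object -ExpandProperty KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
            ForEach-Object {
                Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
    }
    Get-BitLockerPinStatus | Where-Object { $_.MountPoint -eq $MountPoint }
}

# Usage: list TPM-only OS volumes, then enforce on C: (the PIN is prompted, never hard-coded).
Get-BitLockerPinStatus | Where-Object { $_.TpmOnly } | Format-Table -AutoSize
# Enable-BitLockerTpmPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New BitLocker PIN') -WhatIf
```

Run the audit function first across the fleet (for example through your RMM or a remote PowerShell session) and treat any row with TpmOnly set to True as in scope for the threat scenario described above. The enforcement function refuses to proceed unless a recovery password protector already exists, because removing the TPM-only protector on a volume with no escrowed recovery password turns a mitigation into a lockout.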
Scope: BitLocker is most relevant for laptops and mobile endpoints. Fixed desktop devices in physically secured locations are at low risk from this specific vulnerability.
CVE-2026-45586: Windows CTFMON Privilege Escalation (“GreenPlasma”)
CVSS 7.8 (High). Publicly disclosed zero-day. Observed in post-exploitation toolkits.
Windows CTFMON (CTF Monitor) is a component of the Windows Text Services Framework — the subsystem that handles text input for IME (Input Method Editors), handwriting recognition, and speech recognition. It runs in the context of the logged-in user and interfaces with the Windows session infrastructure.
CVE-2026-45586 is a vulnerability in CTFMON’s inter-process communication handling that allows a locally authenticated user to trick the CTFMON service into executing attacker-controlled code with SYSTEM privilege — a local privilege escalation from any user account to SYSTEM.
Exploitation context: This is a local privilege escalation, not a remote exploit. It requires an existing user-level session on the target machine. In the attack chain context:
- Attacker gains user-level code execution via phishing, browser exploit, or other initial access
- CVE-2026-45586 escalates from standard user to SYSTEM, enabling UAC bypass, credential extraction via LSASS, and persistence establishment
- From SYSTEM on a domain-joined machine, the attacker can request Kerberos tickets for all accessible services and typically pivot laterally
“GreenPlasma” is the researcher-assigned name from the security researcher who disclosed this to Microsoft, following the tradition of naming publicly known zero-days. It appears in at least two commercially distributed post-exploitation frameworks where its public disclosure predates the patch.
Remediation: The June 2026 cumulative update patches both CVE-2026-50507 and CVE-2026-45586. For CVE-2026-45586, there is no practical workaround other than the patch — disabling CTFMON breaks text input services. For CVE-2026-50507, enabling BitLocker TPM+PIN is both a workaround and a lasting security improvement regardless of patch status.