Unconfirmed claims of three new Windows zero-day vulnerabilities, nicknamed YellowKey, GreenPlasma and MiniPlasma, are circulating in the wake of Microsoft’s latest Patch Tuesday releases, adding to a sense of continuous pressure on defenders even as vendors race to close actively exploited holes.
The codenames come from a security researcher who has been drip-feeding reports of alleged new Windows flaws over the past six weeks, describing them as zero-days for which no official patch is yet available. However, as of publication there are no entries for “YellowKey,” “GreenPlasma” or “MiniPlasma” in the U.S. National Vulnerability Database, and no corresponding identifiers in the Microsoft Security Update Guide. That absence suggests the bugs have not yet gone through the usual coordinated disclosure and CVE-assignment process, leaving enterprises with little authoritative guidance on their impact or exploitability.
The claims land against a backdrop of very real and well-documented Windows zero-days that have kept incident responders busy for months. In February 2026, Microsoft’s Patch Tuesday update closed more than 50 security issues, including six zero-day vulnerabilities that were already being exploited in the wild, according to Help Net Security. Those include security feature bypass flaws in the Windows Shell (CVE-2026-21510) and the MSHTML/Trident engine used by Internet Explorer on Windows (CVE-2026-21513), as well as elevation-of-privilege issues in Desktop Window Manager (CVE-2026-21519) and Remote Desktop Services (CVE-2026-21533), and a denial-of-service flaw in the Remote Access Connection Manager service (CVE-2026-21525).
That February wave followed a busy end to 2025. In November, Microsoft fixed 63 vulnerabilities, including an actively exploited Windows kernel race condition (CVE-2025-62215) that allowed local privilege escalation, along with critical remote code execution bugs in graphics components and the Windows Subsystem for Linux GUI, according to The Hacker News. December’s Patch Tuesday brought patches for 72 more flaws, among them a Windows Cloud Files Mini Filter Driver zero-day (CVE-2025-62221) that attackers were already exploiting to gain SYSTEM privileges, and remote code execution issues in GitHub Copilot for JetBrains (CVE-2025-64671) and Windows PowerShell (CVE-2025-54100), as detailed by Qualys and Malwarebytes. The U.S. Cybersecurity and Infrastructure Security Agency has since added CVE-2025-62221 to its Known Exploited Vulnerabilities Catalog, underscoring its practical impact.
For security teams, the contrast between rigorously documented zero-days like these and the loosely described YellowKey, GreenPlasma and MiniPlasma highlights a recurring challenge: separating verified, actionable threats from early-stage or speculative research. Without CVE identifiers, vendor advisories or independent technical write-ups, it is difficult to assess whether the newly named bugs represent imminent exploitation risk, variants of already patched issues, or research that may yet change significantly before any fixes are released.
In the meantime, defenders are being urged to focus on what is known and measurable. That means rapidly applying February and late-2025 Patch Tuesday updates, tightening controls around high-risk components such as Office, PowerShell and legacy browser engines, and monitoring for exploitation of catalogued issues like CVE-2025-62221 and CVE-2026-21510. Organizations should also watch for future mapping of the YellowKey, GreenPlasma and MiniPlasma labels to formal CVEs in the Microsoft Security Update Guide and NVD, and treat any zero-day branding without such backing as a cue for closer scrutiny rather than immediate panic.
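One way to automate the watch described above, as an added example that is not from the article or from Microsoft, CISA or NVD: it sorts a watch list of CVE IDs and researcher codenames into known-exploited, catalogued, or unmapped. The function names, status labels and both embedded feeds are constructed for illustration; only the field names follow the CISA KEV JSON feed and the NVD CVE API 2.0 response layout.

```python
import json
import re

# Constructed sample shaped like CISA's KEV JSON feed; only cveID is read.
KEV = json.loads('{"vulnerabilities": [{"cveID": "CVE-2025-62221"}]}')

# Constructed sample shaped like an NVD CVE API 2.0 response.
# Description strings are placeholders, not NVD's wording.
NVD = json.loads("""{"vulnerabilities": [
  {"cve": {"id": "CVE-2025-62221",
           "descriptions": [{"lang": "en", "value": "placeholder text"}]}},
  {"cve": {"id": "CVE-2026-21510",
           "descriptions": [{"lang": "en", "value": "placeholder text"}]}}
]}""")

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def kev_ids(kev):
    """Set of CVE ids present in a KEV-format document."""
    return {v["cveID"].upper() for v in kev.get("vulnerabilities", [])}


def nvd_descriptions(nvd):
    """Map CVE id -> lower-cased English description text."""
    out = {}
    for item in nvd.get("vulnerabilities", []):
        cve = item["cve"]
        text = " ".join(d["value"] for d in cve.get("descriptions", [])
                        if d.get("lang") == "en")
        out[cve["id"].upper()] = text.lower()
    return out


def triage(names, kev=KEV, nvd=NVD):
    """Return {name: (status, [cve ids])} for CVE ids and codenames."""
    listed, descs = kev_ids(kev), nvd_descriptions(nvd)
    result = {}
    for name in names:
        if CVE_ID.fullmatch(name):
            cve = name.upper()
            status = ("known-exploited" if cve in listed
                      else "catalogued" if cve in descs else "not-in-feed")
            result[name] = (status, [cve])
        else:  # researcher label: look for it as a whole word in descriptions
            word = re.compile(rf"\b{re.escape(name.lower())}\b")
            hits = sorted(c for c, t in descs.items() if word.search(t))
            result[name] = ("mapped" if hits else "unmapped", hits)
    return result


if __name__ == "__main__":
    watch = ["CVE-2025-62221", "CVE-2026-21510", "YellowKey", "GreenPlasma", "MiniPlasma"]
    for name, verdict in triage(watch).items():
        print(name, verdict)
```

Replacing the two embedded samples with locally cached copies of the real feeds keeps the same logic; a codename that moves from "unmapped" to "mapped" is the signal the article says to wait for.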
