Three publicly disclosed, unpatched Windows vulnerabilities give attackers a potential path to take control of Windows systems across your environment before Microsoft has issued a fix. Because Windows is foundational infrastructure in most enterprises, successful exploitation could disrupt operations, enable ransomware deployment, or give an attacker persistent access to sensitive data and internal systems. The absence of patches combined with public disclosure means the window between attacker awareness and your ability to remediate is open and widening with each day.
You Are Affected If
You run Microsoft Windows (any version) on endpoints, servers, or infrastructure — specific affected versions are unconfirmed; treat all Windows deployments as potentially in scope until MSRC narrows scope
Any Windows system in your environment is accessible from the internet or from untrusted network segments
You have not applied out-of-band patches or mitigations from Microsoft MSRC for YellowKey, GreenPlasma, or MiniPlasma (none currently available — monitor MSRC for release)
Users or service accounts on Windows systems hold more privileges than their role requires, increasing the impact of any privilege escalation exploitation
Your vulnerability management process tracks only CVE-assigned vulnerabilities, leaving researcher-disclosed zero-days without assigned CVEs outside your normal monitoring workflow
Board Talking Points
A researcher has publicly released details of three unpatched Windows security flaws — Microsoft has not yet issued fixes, leaving every Windows system in the organization potentially exposed.
Security operations should immediately increase monitoring on Windows systems and be prepared to deploy emergency patches as soon as Microsoft releases them, with a target of 24-48 hours from release.
Without patches available, the organization's primary protection is detection — if these flaws are exploited before a fix arrives, the damage could range from data theft to full operational disruption.
