🔴 Nightmare-Eclipse just dropped a sixth Windows zero-day… and this one was supposed to be fixed in 2020

Six exploits in six weeks. This is one very determined researcher.

Nightmare-Eclipse published MiniPlasma on Monday. It’s a privilege escalation zero-day that gives any standard user full system-level access on fully patched Windows 11 machines running the latest May 2026 updates.

BleepingComputer, Will Dormann and ThreatLocker all confirmed it works. Barracuda

The flaw targets the Windows Cloud Filter driver, the component that handles OneDrive and cloud-backed file sync. It was originally reported to Microsoft by Google Project Zero researcher James Forshaw back in September 2020. Microsoft said they fixed it in December 2020. The original proof-of-concept code still works without modification.

No patch until June 10 at the earliest. In the meantime, Barracuda’s profile of this researcher, published yesterday, is worth reading.

• The exploits are linked to Russian-geolocated infrastructure

• The researcher has promised “a big surprise” for June Patch Tuesday

• And has deployed a dead man’s switch with more exploits set to release automatically if certain conditions are met

🟡 Microsoft just eliminated bulk enterprise discounts. And MSPs are losing midmarket deals because of it

Channel Dive published yesterday that Microsoft’s decision to remove bulk enterprise agreement discounts is creating significant channel conflict… and the midmarket is feeling it most. Channel Dive

Customers are shopping around. Deals that MSPs considered locked are being lost as clients find lower per-seat pricing through direct or alternative routes. The elimination of volume discounts means the price advantage that used to reward loyalty and consolidation is gone. And clients are noticing.

The practical question for MSPs with midmarket Microsoft customers: when did you last have a proactive conversation about licensing costs and value? If the answer is “at renewal,” that might be too late.

The MSPs holding those relationships through this shift are the ones having the conversation before the client starts shopping around.

🟢 A hidden 100MB partition nobody thinks about is breaking Windows updates across client estates

File this under “the most classic IT problem in existence”.

Microsoft confirmed this week that the May Windows 11 update (KB5089549) is failing to install on some machines with a cryptic error that rolls back at 35% completion.

The cause: the EFI System Partition, a tiny hidden boot partition that Windows actively conceals from users, is running out of space. OEM firmware updates and old deployment images have quietly filled it over the years on affected devices. When the partition hits 10MB or less of free space, the security update fails. BleepingComputer

The fix is already out. Microsoft pushed a Known Issue Rollback automatically to most consumer and unmanaged devices, so a restart resolves it on most affected machines. For managed enterprise fleets, there’s a Group Policy mitigation available.

But the underlying issue doesn’t go away with the rollback. Every time Microsoft does more work in the boot environment: Secure Boot certificates, BitLocker, TPM measurements… this hidden partition gets a little fuller.

Okay, that’s Wednesday done. Have a great day. We’ll be back in your inbox tomorrow morning.