New Microsoft Windows Vulnerabilities: YellowKey and GreenPlasma Uncovered
A cybersecurity researcher, operating under the aliases Chaotic Eclipse and Nightmare-Eclipse, has unveiled two new zero-day vulnerabilities impacting Microsoft Windows. These discoveries, codenamed YellowKey and GreenPlasma, follow the researcher’s earlier disclosure of three Microsoft Defender vulnerabilities. YellowKey reportedly allows for a bypass of BitLocker encryption, while GreenPlasma facilitates privilege escalation through the Windows Collaborative Translation Framework (CTFMON). The researcher has expressed dissatisfaction with Microsoft’s handling of previous disclosures, hinting at further revelations.
The latest findings come amid growing concerns about the security of Windows operating systems and their encryption protocols. The researcher described YellowKey as a particularly significant discovery, likening its functionality to a backdoor due to its presence within the Windows Recovery Environment (WinRE). This environment is designed for system repair and troubleshooting, making the exploit particularly insidious.
YellowKey affects Windows 11 and Windows Server 2022/2025. The exploitation involves placing specially crafted “FsTx” files onto a USB drive or the EFI partition. When a target system with BitLocker enabled is rebooted into WinRE, holding down the CTRL key can trigger a command shell. The researcher indicated that identifying the root cause of YellowKey might be challenging for Microsoft, noting its deeply embedded nature. Furthermore, the bypass is reportedly effective even when TPM and PIN are used for BitLocker protection.
Security researcher Will Dormann corroborated the exploit’s behavior, stating that “Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment.” Dormann also highlighted that the underlying mechanism, where a directory on one volume can modify another when replayed, could itself be considered a vulnerability.
The second vulnerability, GreenPlasma, presents a privilege escalation pathway. It stems from what is described as an arbitrary section creation flaw within Windows CTFMON. While the current proof-of-concept is not complete enough to achieve a full SYSTEM shell, it allows unprivileged users to create arbitrary memory section objects within directories writable by SYSTEM. This could potentially lead to the manipulation of privileged services or drivers that implicitly trust these locations.
These disclosures follow closely behind the researcher’s previous report of three Microsoft Defender zero-days: BlueHammer, RedSun, and UnDefend. BlueHammer was assigned CVE-2026-33825 and has reportedly been patched. However, the researcher claims that RedSun was addressed without an official advisory, fueling further frustration with Microsoft’s vulnerability management process. The researcher has alluded to a significant announcement planned for Microsoft’s June 2026 Patch Tuesday release.
A Microsoft spokesperson previously stated to The Hacker News that the company is committed to investigating reported security issues and protecting customers promptly. They emphasized their support for coordinated vulnerability disclosure processes to ensure thorough investigation and resolution before public release.
Related BitLocker Bypass Techniques and Mitigations
In related news, French cybersecurity firm Intrinsec has detailed an attack chain exploiting CVE-2025-48804 (CVSS score: 6.8) to bypass BitLocker encryption on fully patched Windows 11 systems in under five minutes. This attack leverages a boot manager downgrade. The technique involves the boot manager loading a legitimate System Deployment Image (SDI) and its referenced WIM file while simultaneously booting from a second, attacker-controlled WIM containing a WinRE image with an injected cmd.exe.
While Microsoft released patches for this vulnerability in July 2025, security researcher Cassius Garat noted that Secure Boot primarily verifies a binary’s signing certificate, not its version. Therefore, a vulnerable, unpatched version of “bootmgfw.efi,” legitimately signed, could still be used to circumvent BitLocker. Intrinsec observed that continuing to use older, vulnerable boot managers signed with PCA 2011 certificates, even if not revoked, could still allow such attacks.
Microsoft is scheduled to retire older PCA 2011 certificates next month. To mitigate such risks, enabling a BitLocker PIN at startup for preboot authentication and migrating the boot manager to newer CA 2023 certificates are recommended steps. The attack detailed by Intrinsec requires physical access to the target machine.
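As an added defender-side check (not code from the article, Intrinsec or Microsoft), the following PowerShell audit reports whether the two mitigations named above are in place on a machine: a TPM+PIN protector on the operating system volume, the "Windows UEFI CA 2023" certificate present in the Secure Boot allowed database, and which certificate signed the installed boot manager. It assumes a Windows 11 host with the BitLocker and SecureBoot modules, an elevated prompt, and that the drive letter S: is free for temporarily mounting the EFI system partition.

```powershell
# Added audit script (not from the article or the vendors it cites). Run as Administrator.
# Assumptions: Windows 11, BitLocker and SecureBoot modules available, S: unused.

$report = [ordered]@{}

# 1. Preboot authentication: the OS volume should carry a TpmPin (or TpmPinStartupKey)
#    protector rather than TPM-only, so a downgraded boot manager cannot unlock it unattended.
$osVol      = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
$protectors = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
$report['BitLockerProtection'] = $osVol.ProtectionStatus
$report['KeyProtectors']       = ($protectors -join ', ')
$report['PrebootPinEnabled']   = [bool]($protectors -match 'TpmPin')

# 2. Secure Boot trust anchors: the 2023 CA must be in the allowed-signature database (db)
#    before the boot manager can be migrated to a 2023-signed build.
$db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$report['SecureBootEnabled'] = Confirm-SecureBootUEFI
$report['CA2023InDb']        = [bool]($db -match 'Windows UEFI CA 2023')
$report['PCA2011InDb']       = [bool]($db -match 'Microsoft Windows Production PCA 2011')

# 3. Boot manager signer: mount the EFI system partition and read the Authenticode issuer
#    on bootmgfw.efi. A file still signed under the 2011 PCA is the downgradeable case.
$letter = 'S:'
mountvol $letter /s | Out-Null
try {
    $bm  = Join-Path $letter 'EFI\Microsoft\Boot\bootmgfw.efi'
    $sig = Get-AuthenticodeSignature -FilePath $bm
    $report['BootMgrSignerIssuer'] = $sig.SignerCertificate.Issuer
    $report['BootMgrSignedByCA2023'] = [bool]($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
} finally {
    mountvol $letter /d | Out-Null
}

# A hardened host shows PrebootPinEnabled, CA2023InDb and BootMgrSignedByCA2023 all True.
[pscustomobject]$report | Format-List
```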

The ongoing discoveries of these vulnerabilities highlight the persistent challenges in securing complex operating systems and encryption protocols. Users and organizations are advised to stay informed about security updates and implement recommended mitigation strategies to protect their systems. The ongoing dispute between the researcher and Microsoft, along with potential future disclosures, suggests that further developments in Windows security are likely in the coming months, particularly around the upcoming Patch Tuesday release in June 2026.