Windows BitLocker zero-day gives access to protected drives, PoC released

A cybersecurity researcher, known in the community as Chaotic Eclipse or Nightmare Eclipse, has recently unveiled proof-of-concept (PoC) exploits for two significant unpatched vulnerabilities in Microsoft Windows, dubbed YellowKey and GreenPlasma. The former is a BitLocker bypass, while the latter is a privilege-escalation flaw. The researcher describes the BitLocker bypass as functioning akin to a backdoor, as the vulnerable component exists solely within the Windows Recovery Environment (WinRE), which is typically utilized for addressing boot-related issues in Windows.

This latest disclosure follows the researcher’s earlier revelations regarding the BlueHammer (CVE-2026-33825) and RedSun (identifier not assigned) local privilege escalation flaws, both of which were quickly exploited in the wild after their public announcement. Chaotic Eclipse has expressed dissatisfaction with Microsoft’s response to bug reports, which has motivated the decision to publicly disclose the YellowKey and GreenPlasma vulnerabilities, along with guidance on their exploitation.

The YellowKey BitLocker bypass

According to Chaotic Eclipse, the YellowKey vulnerability impacts Windows 11 and Windows Server 2022/2025. The exploit involves placing specially crafted ‘FsTx’ files on a USB drive or EFI partition, rebooting into WinRE, and triggering a shell by holding down the CTRL key. Notably, the BitLocker bypass can also function without external storage by copying the files directly to the EFI partition on the target drive.

Once executed, the spawned shell reportedly gains unrestricted access to the storage volume protected by BitLocker. Independent security researcher Kevin Beaumont has validated the YellowKey exploit, asserting that it indeed reveals a backdoor in BitLocker. He advises users to implement a BitLocker PIN and a BIOS password as a precautionary measure.

In a recent update, Chaotic Eclipse remarked that “the real root cause is still not unknown [sic] by the general public,” emphasizing that the vulnerability remains exploitable even in a Trusted Platform Module (TPM) and PIN environment, although the exploit for this particular version has not yet been released. The researcher expressed skepticism regarding the timeline for Microsoft’s Security Response Center (MSRC) to identify the true root cause of the issue, stating, “I just never managed to understand why this vulnerability is sooo well hidden.”

Will Dormann, a principal vulnerability analyst at Tharros Labs, confirmed that the YellowKey exploit works with FsTx files on a USB drive but could not reproduce it via the EFI partition. He explained that the exploit abuses NTFS transactions in combination with the Windows Recovery image, and that in a TPM+PIN configuration the PIN prompt comes before Windows Recovery is entered. When Windows Recovery starts, it searches connected drives for System Volume Information\FsTx directories and replays any NTFS transaction logs it finds; the planted log deletes the X:\Windows\System32\winpeshl.ini file. That file is what tells WinPE which shell to launch, so instead of the actual Windows Recovery environment a CMD.EXE window appears, with the disk still unlocked.
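A triage check that follows from Dormann's description, added here as an example and not taken from the article, from Dormann or from the researcher: it looks for a System Volume Information\FsTx directory on removable volumes and on the EFI system partition, the two locations the exploit is said to use. Assumptions: an elevated PowerShell session on a UEFI system, and a free drive letter S: for temporarily mounting the EFI partition. A hit only means the directory exists; it is a prompt to image the medium and review the contents, not proof of an attack.

```powershell
# Added triage check derived from Dormann's description; not from the article.
# Looks for a "System Volume Information\FsTx" directory on removable volumes and
# on the EFI system partition. Run elevated on a UEFI system. Assumes S: is free
# for temporarily mounting the EFI partition (assumption, change if S: is taken).
#Requires -RunAsAdministrator

function Test-FsTxDirectory {
    param([Parameter(Mandatory)][string]$Root)
    $path = Join-Path $Root 'System Volume Information\FsTx'
    # -Force is needed because System Volume Information is hidden+system.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue -ErrorVariable err
    if ($item) {
        $files = @(Get-ChildItem -LiteralPath $path -Force -Recurse -File -ErrorAction SilentlyContinue)
        return [pscustomobject]@{
            Root      = $Root
            State     = 'Present'
            FileCount = $files.Count
            Newest    = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        }
    }
    # On NTFS, System Volume Information is ACL'd to SYSTEM only, so an administrator
    # gets access denied rather than not-found. Report that instead of a false negative.
    if ($err -and $err[0].Exception -is [System.UnauthorizedAccessException]) {
        return [pscustomobject]@{
            Root = $Root; State = 'AccessDenied (re-run as SYSTEM)'; FileCount = $null; Newest = $null
        }
    }
}

# 1. Removable volumes that have a drive letter (USB sticks, card readers).
$findings = @(
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '^[A-Za-z]$' } |
        ForEach-Object { Test-FsTxDirectory -Root "$($_.DriveLetter):\" }
)

# 2. EFI system partition: "mountvol <letter> /S" mounts it, "/D" unmounts it.
$esp = 'S:'
if (Test-Path -LiteralPath "$esp\") {
    Write-Warning "$esp is already in use; skipping the EFI partition. Pick another letter."
} else {
    & mountvol $esp /S | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'mountvol /S failed (legacy BIOS system or no EFI system partition?).'
    } else {
        try {
            $r = Test-FsTxDirectory -Root "$esp\"
            if ($r) { $findings += $r }
        } finally {
            & mountvol $esp /D | Out-Null
        }
    }
}

if ($findings) {
    Write-Warning 'FsTx directories (or unreadable System Volume Information) found:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No System Volume Information\FsTx directory on removable volumes or the EFI partition.'
}
```

The check deliberately reports an unreadable System Volume Information directory as a finding rather than silently treating it as absent; on NTFS media a normal administrator token cannot read that directory, so a clean result from this script is only meaningful where the State column never shows AccessDenied.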

By default, a TPM-only BitLocker configuration unlocks the encrypted volume automatically, with no user interaction. That convenience is the weakness: anything that runs in the recovery environment on the original hardware runs against an already-unlocked volume. Dormann noted, “YellowKey is an example of an exploit for such a weakness,” and clarified that the current exploit does not work in a TPM+PIN configuration. Because the TPM releases the key only on the device it is bound to, the exploit must be run on the original machine; it does not help with a stolen drive moved to other hardware, but it gives access to a TPM-only BitLocker disk without any credentials.
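The hardening step Beaumont recommends, as an added PowerShell example that is not from the article or from any of the people quoted in it: audit the OS volume's key protectors and, with -Enforce, replace a TPM-only protector with TPM+PIN. Assumptions: an elevated session with the BitLocker module, the OS volume at C:, local FVE policy values not overwritten by GPO or MDM, and a recovery password already escrowed. The firmware (BIOS/UEFI) password Beaumont also recommends has to be set in firmware setup and is not covered here.

```powershell
# Added example: audit BitLocker key protectors on the OS volume and, with -Enforce,
# move a TPM-only configuration to TPM+PIN. Not from the article. Run elevated.
# Assumptions: BitLocker PowerShell module present; OS volume at C:; local FVE
# policy is not overwritten by GPO/MDM; a recovery password is already escrowed.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:',
    [switch]$Enforce          # report only unless -Enforce is given
)

$vol        = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$protectors = @($vol.KeyProtector)
$types      = $protectors | ForEach-Object { $_.KeyProtectorType.ToString() }

Write-Host "Volume $MountPoint : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
Write-Host "Key protectors   : $($types -join ', ')"

$tpmOnly  = $protectors | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
$tpmPin   = $protectors | Where-Object { $_.KeyProtectorType -in @('TpmPin', 'TpmPinStartupKey') }
$recovery = $protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if ($tpmPin) {
    Write-Host 'OK: a TPM+PIN protector is present; a PIN is required before the volume unlocks.'
    return
}
if (-not $tpmOnly) {
    Write-Warning 'No TPM-based protector found; check how this volume is unlocked at boot.'
    return
}

Write-Warning 'TPM-only protector found: the volume unlocks without user interaction on this hardware.'
if (-not $Enforce) { return }

# Never drop the only TPM protector without a recovery password to fall back on.
if (-not $recovery) {
    throw 'No recovery password protector; add and escrow one before changing protectors.'
}

# Local equivalent of the "Require additional authentication at startup" policy:
# UseAdvancedStartup=1 enables it, UseTPM=0 disallows TPM-only, UseTPMPIN=1 requires
# TPM+PIN, the startup-key variants are disallowed; MinimumPIN sets the PIN length.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{ UseAdvancedStartup = 1; UseTPM = 0; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0; MinimumPIN = 8 }
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# Only one TPM-based protector may exist on a volume, so remove the TPM-only
# protector first, then add TPM+PIN. -Pin takes a SecureString.
$pin = Read-Host -AsSecureString 'Enter new BitLocker startup PIN (8+ digits)'
foreach ($p in $tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

$after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType -join ', '
Write-Host "Protectors now: $after. The PIN is requested at next boot; test a reboot with the recovery password at hand."
```

Run it without -Enforce first across a fleet to see how many volumes are TPM-only; the script refuses to change protectors when no recovery password exists, because between removing the TPM protector and adding the TPM+PIN one the recovery password is the only way back into the volume.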

The GreenPlasma exploit

GreenPlasma represents a privilege escalation vulnerability that could enable an attacker to obtain a shell with SYSTEM permissions. Chaotic Eclipse characterizes it as a “Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability.” An unprivileged user can create arbitrary memory-section objects within directory objects that are writable by SYSTEM, potentially allowing manipulation of privileged services or drivers that trust those locations.

While the leaked PoC is incomplete and lacks the necessary components for achieving a full SYSTEM shell, Chaotic Eclipse asserts that “if you’re smart enough, you can turn this into a full privilege escalation.” The researcher indicated that the newly created section could be manipulated to influence data and various services, including kernel-mode drivers, to trust specific paths inaccessible to standard users.

[Image: GreenPlasma demo. Source: GitHub]

The motivations behind Chaotic Eclipse’s recent series of exploit leaks remain somewhat ambiguous, although the researcher has hinted at an impending “big surprise” for Microsoft on the next Patch Tuesday. Furthermore, they criticized Microsoft for silently patching the RedSun vulnerability without assigning an identifier, contrasting it with the more transparent handling of the BlueHammer flaw.

In response to inquiries regarding the latest exploit leaks, a Microsoft spokesperson reaffirmed the company’s commitment to investigating reported security issues and updating impacted devices promptly to protect customers. They also emphasized support for coordinated vulnerability disclosure, a practice aimed at ensuring thorough investigation and resolution of issues before public disclosure, thereby benefiting both customer protection and the security research community.
