Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation

An anonymous cybersecurity researcher has once again made headlines by disclosing two new zero-day vulnerabilities affecting Microsoft systems. The vulnerabilities, codenamed YellowKey and GreenPlasma, are a BitLocker bypass and a privilege escalation in the Windows Collaborative Translation Framework (CTF) monitor process, ctfmon.exe (CTFMON). The researcher, known online as Chaotic Eclipse and Nightmare-Eclipse, previously revealed three vulnerabilities in Microsoft Defender, raising concerns about the company's response to security threats.

Exploring YellowKey

YellowKey has been described by the researcher as "one of the most insane discoveries I ever found." The bypass behaves like a backdoor in the Windows Recovery Environment (WinRE), the minimal environment used to troubleshoot and repair an operating system that will not boot. It affects Windows 11 and Windows Server 2022/2025. As described, exploitation takes a few steps: copying specially crafted "FsTx" (Transactional NTFS) files to a USB drive or to the EFI partition, connecting the USB drive to a Windows computer with BitLocker enabled, rebooting into WinRE, and holding down the CTRL key to obtain a shell.

The researcher expressed skepticism about the speed at which Microsoft’s Security Response Center (MSRC) will identify the root cause of this vulnerability, stating, “I just never managed to understand why this vulnerability is sooo well hidden.” Furthermore, they clarified that using TPM+PIN does not mitigate the risk, as the vulnerability remains exploitable regardless of these protections.

Security researcher Will Dormann corroborated the findings on social media, noting, “I was able to reproduce [YellowKey] with a USB drive attached.” He elaborated that the Transactional NTFS bits on a USB drive could delete the winpeshl.ini file on another drive, leading to a cmd.exe prompt with BitLocker unlocked, rather than the expected Windows Recovery environment. Dormann emphasized the significance of this finding, suggesting that the ability of one volume to modify another’s contents is itself a vulnerability.

GreenPlasma and Privilege Escalation

The second vulnerability, GreenPlasma, is a privilege escalation that allows an unprivileged user to obtain a shell with SYSTEM permissions. It stems from what the researcher calls Windows CTFMON arbitrary section creation. The published proof-of-concept (PoC) is incomplete and lacks the code needed to reach a full SYSTEM shell. What it does provide is a primitive: an unprivileged user can create arbitrary memory section objects inside object manager directories that are writable by SYSTEM and not normally by ordinary users, which could be used to influence trusted privileged services or drivers that open objects from those directories.

This latest disclosure follows the researcher’s earlier revelations of three Defender zero-days—BlueHammer, RedSun, and UnDefend—prompted by dissatisfaction with Microsoft’s vulnerability disclosure process. While BlueHammer has been assigned CVE-2026-33825 and patched, Chaotic Eclipse noted that Microsoft appears to have “silently” addressed RedSun without any formal advisory.

In a statement reflecting on the situation, the researcher remarked, “I hope you at least attempt to resolve the situation responsibly… The fire will go as long as you want, unless you extinguish it or until there’s nothing left to burn.” They also hinted at a “big surprise” for Microsoft, expected to coincide with the next Patch Tuesday release in June 2026.

Microsoft has previously stated its commitment to investigating reported security issues and updating affected devices promptly. The company supports coordinated vulnerability disclosure, which it believes is essential for ensuring thorough investigations and resolutions before public announcements.

BitLocker Downgrade Attack Uncovered

In a related development, French cybersecurity firm Intrinsec has detailed an attack chain against BitLocker that relies on a boot manager downgrade. The chain uses CVE-2025-48804 (CVSS score 6.8) to bypass BitLocker's protections on a fully patched Windows 11 system in under five minutes. Intrinsec explained that the boot manager loads the System Deployment Image (SDI) file and verifies the integrity of the legitimate WIM. By adding a second WIM with a modified blob table, however, an attacker can have the boot manager verify the first, legitimate WIM while the system actually boots from the attacker-controlled one. That second WIM can carry a WinRE image modified to launch cmd.exe, which then runs with the BitLocker volume already decrypted.

Although Microsoft released fixes for this defect in July 2025, researcher Cassius Garat highlighted the underlying weakness: Secure Boot checks that a binary is signed by a trusted certificate, not which version of the binary it is, and it only rejects a binary if its hash or signing certificate has been placed in the dbx revocation list. A vulnerable, pre-patch "bootmgfw.efi" signed with the still-trusted PCA 2011 certificate therefore boots normally and can be used to bypass BitLocker. Microsoft plans to retire the old PCA 2011 certificates next month, but until they are revoked, an outdated, vulnerable boot manager loads without any alert.

To mitigate these risks, enable a BitLocker PIN at startup (TPM+PIN preboot authentication) so that the volume is not unlocked transparently to whatever boot manager runs, migrate the boot manager to one signed by the Windows UEFI CA 2023, and add the old PCA 2011 certificate to the Secure Boot revocation list (dbx) so that downgraded boot managers are refused.
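As an added example, not code from the article, the researchers, Intrinsec or Microsoft, the following PowerShell script reports a host's state against the mitigations just listed: a PIN-bearing BitLocker protector on the OS volume, Secure Boot enabled, the Windows UEFI CA 2023 trusted in db, and the PCA 2011 certificate revoked in dbx. It also records whether WinRE is enabled, since both bypasses execute inside WinRE. It assumes a UEFI system, an elevated prompt, the BitLocker PowerShell module, and that the db/dbx string matches and the `UEFICA2023Status` registry value follow Microsoft's documented CA 2023 rollout; treat those names as assumptions if your build differs.

```powershell
# Added example for this article, not code from the researchers, Intrinsec or Microsoft.
# Reports gaps against the recommended mitigations: TPM+PIN preboot authentication,
# Secure Boot on, Windows UEFI CA 2023 trusted in db, PCA 2011 revoked in dbx.
# Also records WinRE state, since both bypasses run from WinRE.
# Assumptions: db/dbx string checks follow the ones Microsoft documents for the
# CA 2023 rollout; UEFICA2023Status is the documented rollout status value and
# may be absent on builds that have not received the servicing update.

function Test-BitLockerBootHardening {
    $report = [System.Collections.Generic.List[string]]::new()

    # 1. OS volume protectors. A TPM-only protector unlocks transparently, which is
    #    the state the downgrade attack abuses; look for a PIN-bearing protector.
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $report.Add("$($vol.MountPoint) BitLocker protection is $($vol.ProtectionStatus)")
        } elseif (-not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
            $report.Add("$($vol.MountPoint) has no preboot PIN (protectors: $($types -join ', '))")
        }
    }

    # 2. Secure Boot must be enabled, or no signer check happens at all.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $report.Add('Secure Boot is disabled') }
    } catch {
        $report.Add("Secure Boot state unavailable (legacy BIOS or access denied): $_")
    }

    # 3. Trust anchors. Secure Boot compares the signer against db/dbx, not file
    #    versions, so a PCA 2011-signed boot manager boots until PCA 2011 is in dbx.
    try {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
        if ($db -notmatch 'Windows UEFI CA 2023') {
            $report.Add('db lacks Windows UEFI CA 2023; a CA 2023-signed boot manager cannot be trusted yet')
        }
        if ($dbx -notmatch 'Microsoft Windows Production PCA 2011') {
            $report.Add('dbx does not revoke PCA 2011; an old vulnerable bootmgfw.efi is still bootable')
        }
    } catch {
        $report.Add("Could not read Secure Boot db/dbx: $_")
    }

    # 4. Rollout status value written by the CA 2023 servicing (assumed name).
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    if ($null -ne $svc -and $svc.PSObject.Properties['UEFICA2023Status']) {
        $report.Add("UEFICA2023Status = $($svc.UEFICA2023Status)")
    }

    # 5. WinRE is the environment both bypasses execute in; record whether it is enabled.
    $re = (& reagentc.exe /info 2>$null) | Select-String -Pattern 'Windows RE status:\s+(\S+)'
    if ($re) { $report.Add("WinRE is $($re.Matches[0].Groups[1].Value)") }

    return $report
}

$result = Test-BitLockerBootHardening
if ($result.Count -eq 0) { 'No gaps found against the recommended mitigations.' }
else { $result | ForEach-Object { "[!] $_" } }
```

The db and dbx reads return the raw signature database, so a substring match on the certificate subject is deliberately coarse: it tells you whether the certificate is present at all, which is the question that decides whether a 2011-signed boot manager still loads. The WinRE line is informational only; the article does not state that disabling WinRE mitigates YellowKey, so the script reports its state rather than flagging it.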
