Critical Windows Zero-Days Unveiled: BitLocker Bypass and System Privilege Escalation
A prominent anonymous cybersecurity researcher, known by the aliases Chaotic Eclipse and Nightmare-Eclipse, has once again shaken the foundations of Windows security. Following previous disclosures of three Microsoft Defender vulnerabilities, the researcher has now revealed two more critical zero-day flaws: a BitLocker bypass codenamed YellowKey, and a privilege escalation affecting the Windows Collaborative Translation Framework (CTFMON), dubbed GreenPlasma.
YellowKey: The “Insane” BitLocker Backdoor
Chaotic Eclipse describes YellowKey as “one of the most insane discoveries I ever found,” likening the BitLocker bypass to a hidden backdoor. This alarming vulnerability is found exclusively within the Windows Recovery Environment (WinRE), a crucial built-in framework designed to diagnose and repair unbootable operating system issues. YellowKey poses a significant threat to Windows 11 and Windows Server 2022/2025 systems.
The exploit’s mechanism is deceptively simple yet devastatingly effective. It involves copying specially crafted “FsTx” files onto a USB drive or the EFI partition. An attacker then plugs this USB drive into a target Windows computer with BitLocker encryption active, reboots into WinRE, and triggers a command shell by holding down the CTRL key. This grants access to the system with BitLocker effectively unlocked.
The researcher expressed profound difficulty in understanding the root cause, stating, “I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden.” Furthermore, the exploit’s resilience is highlighted by the fact that “TPM+PIN does not help, the issue is still exploitable regardless.”
Independent verification by security researcher Will Dormann confirmed YellowKey’s potency. Dormann noted on Mastodon, “I was able to reproduce [YellowKey] with a USB drive attached,” observing that “Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment.” Dormann further emphasized the broader implication: “While the TPM-only BitLocker bypass is indeed interesting, I think the buried lede here is that a System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed. To me, this in and of itself sounds like a vulnerability.”
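As an added defender-side check (not code from the article, from Chaotic Eclipse or from Will Dormann), the following PowerShell inventories the conditions the YellowKey description depends on: which protectors guard the fixed volumes, whether WinRE is enabled, and whether attached removable media carries a `System Volume Information\FsTx` directory. The FsTx path is taken from Dormann's quote, and the `reagentc /info` status string is assumed from general Windows knowledge; it must be run from an elevated prompt.

```powershell
# Added example, not from the article. Run as Administrator.
# Assumption: the Transactional NTFS replay directory lives under
# "System Volume Information\FsTx" on the removable volume (per Dormann's quote).

# 1. BitLocker state and protector types on every volume the module knows about.
#    The article states TPM+PIN does not stop YellowKey, so this is inventory, not a fix.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { ($_.KeyProtector.KeyProtectorType) -join ',' } } |
    Format-Table -AutoSize

# 2. WinRE status. The bypass is described as living exclusively in WinRE, so an
#    organisation may choose to disable it (reagentc /disable) until a fix ships.
#    Assumption: reagentc prints a line of the form "Windows RE status: Enabled".
$reStatus = (reagentc /info) | Where-Object { $_ -match 'Windows RE status' }
Write-Output ("WinRE: " + ($reStatus -replace '^\s+', ''))

# 3. Flag any attached removable volume that carries a TxF replay directory.
#    Note: the System Volume Information ACL may block enumeration even for admins,
#    in which case Test-Path reports $false; treat a $false here as "not visible".
$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
foreach ($v in $removable) {
    $path = Join-Path ("{0}:\" -f $v.DriveLetter) 'System Volume Information\FsTx'
    if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
        Write-Warning ("Removable volume {0}: carries a TxF replay directory at {1}" -f $v.DriveLetter, $path)
    } else {
        Write-Output ("Removable volume {0}: no FsTx directory visible" -f $v.DriveLetter)
    }
}
```

A hit in step 3 is a reason to image the drive and check WinRE boot events, not proof of an attack, since legitimate TxF logs can exist on NTFS-formatted media.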
GreenPlasma: Escalating Privileges via CTFMON
The second critical flaw, GreenPlasma, is a privilege escalation vulnerability that could allow an attacker to obtain a shell with SYSTEM permissions. This exploit leverages what’s described as “Windows CTFMON arbitrary section creation.” While the released proof-of-concept (PoC) is currently incomplete and lacks the full code for a complete SYSTEM shell, its potential is clear.
In its present form, GreenPlasma enables an unprivileged user to create arbitrary memory section objects within directory objects that are writable by SYSTEM. This could pave the way for manipulating privileged services or drivers that implicitly trust these paths, effectively bypassing standard user access restrictions.
A History of Discontent and Future Threats
These latest disclosures follow closely on the heels of Chaotic Eclipse’s previous release of three Microsoft Defender zero-days—BlueHammer, RedSun, and UnDefend—just a month prior. That earlier action was reportedly driven by dissatisfaction with Microsoft’s vulnerability disclosure process, and those initial flaws have since been actively exploited in the wild.
While Microsoft officially patched BlueHammer (CVE-2026-33825) last month, Chaotic Eclipse claims that RedSun was “silently” addressed without any official advisory. The researcher’s frustration is palpable: “I hope you at least attempt to resolve the situation responsibly, I’m not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer. The fire will go as long as you want, unless you extinguish it or until there is nothing left to burn.”
Adding to the pressure, Chaotic Eclipse has promised a “big surprise” for Microsoft, timed to coincide with the next Patch Tuesday release in June 2026. Microsoft, when previously contacted for comment, reiterated its commitment to investigating reported security issues and updating impacted devices promptly, emphasizing its support for coordinated vulnerability disclosure.
Another BitLocker Threat: The Downgrade Attack
Compounding the BitLocker concerns, French cybersecurity firm Intrinsec recently detailed a separate, equally concerning attack chain. This method exploits CVE-2025-48804 (CVSS score: 6.8) to perform a boot manager downgrade, effectively bypassing BitLocker encryption on fully patched Windows 11 systems in under five minutes.
Intrinsec explained the principle: “the boot manager loads the System Deployment Image (SDI) file and the WIM referenced by it, and verifies the integrity of the legitimate WIM. However, when a second WIM is added to the SDI with a modified blob table, the boot manager checks the first (legitimate) WIM while simultaneously booting from the second (controlled by the attacker). This second WIM contains a WinRE image infected with ‘cmd.exe,’ which executes with the decrypted BitLocker volume.” Although Microsoft released fixes for this specific defect in July 2025, its discovery underscores the persistent challenges in securing full disk encryption.