New Windows Zero-Days Expose BitLocker Bypass and SYSTEM Privilege Escalation

A cybersecurity researcher known online as Chaotic Eclipse and Nightmare-Eclipse has publicly disclosed two new Windows zero-day vulnerabilities affecting BitLocker and the Windows Collaborative Translation Framework (CTFMON).

The newly revealed flaws, dubbed YellowKey and GreenPlasma, impact modern Windows systems and could allow attackers to bypass encryption protections or escalate privileges to SYSTEM-level access.

YellowKey: BitLocker Bypass Hidden in Windows Recovery Environment

The first vulnerability, codenamed YellowKey, targets the Windows Recovery Environment (WinRE), a built-in recovery platform designed to troubleshoot systems that fail to boot properly.

According to the researcher, the flaw affects:

  • Windows 11
  • Windows Server 2022
  • Windows Server 2025

The attack reportedly works by placing specially crafted “FsTx” files onto either a USB drive or the EFI partition. An attacker then boots the target machine into WinRE while BitLocker protection is enabled. By holding the CTRL key during the recovery process, the exploit can reportedly trigger a command shell with access to the decrypted BitLocker volume.

The researcher described YellowKey as one of the most surprising vulnerabilities they have ever discovered, claiming the issue behaves almost like a hidden backdoor because it only exists within WinRE.

Even systems configured with TPM+PIN protection may still be vulnerable, according to the disclosure.

Security Researchers Successfully Reproduce the Exploit

Security researcher Will Dormann confirmed that the YellowKey exploit could be reproduced using a USB drive.

Dormann explained that specially crafted Transactional NTFS (TxF) files stored inside the \System Volume Information\FsTx directory can manipulate files on another mounted volume during the WinRE recovery process. In testing, the exploit was able to delete the winpeshl.ini file from the recovery environment, ultimately replacing the expected recovery interface with a command prompt running against an unlocked BitLocker partition.

Researchers believe the cross-volume behavior itself may represent a separate security vulnerability.

GreenPlasma Enables SYSTEM-Level Privilege Escalation

The second zero-day, called GreenPlasma, affects the Windows Collaborative Translation Framework (CTFMON) and enables privilege escalation.

The issue stems from arbitrary memory section creation within protected Windows directory objects. Although the publicly released proof-of-concept remains incomplete, the vulnerability could potentially allow attackers to manipulate trusted services or drivers and eventually obtain SYSTEM-level command execution.

At present, the exploit allows a low-privileged user to create memory section objects in locations normally writable only by SYSTEM processes.

Microsoft Under Pressure Following Earlier Defender Zero-Days

The disclosures arrive shortly after the same researcher released three Microsoft Defender zero-days known as:

  • BlueHammer
  • RedSun
  • UnDefend

Among them, BlueHammer was assigned CVE-2026-33825 and patched by Microsoft last month.

However, the researcher claims RedSun was silently patched without a public advisory, further escalating tensions between the researcher and Microsoft regarding the company’s vulnerability disclosure process.

The researcher also hinted at additional disclosures planned around the June 2026 Patch Tuesday release.

Microsoft previously stated that it remains committed to investigating reported vulnerabilities and protecting customers through coordinated disclosure practices.

Intrinsec Reveals Separate BitLocker Downgrade Attack

In a related development, French cybersecurity company Intrinsec recently uncovered another BitLocker attack chain exploiting CVE-2025-48804.

The attack abuses a boot manager downgrade technique that can reportedly bypass BitLocker protections on fully patched Windows 11 systems in under five minutes.

Researchers explained that attackers can manipulate System Deployment Image (SDI) files and Windows Imaging Format (WIM) files during the boot process. Although the Windows boot manager verifies the legitimate WIM file, attackers can secretly load a second malicious WIM containing a modified WinRE image that launches cmd.exe with access to decrypted BitLocker volumes.

Secure Boot Limitations Create Additional Risk

Although Microsoft patched CVE-2025-48804 in July 2025, security researcher Cassius Garat noted that Secure Boot only validates signing certificates rather than software versions.

This means older vulnerable versions of bootmgfw.efi signed with the trusted PCA 2011 certificate can still be loaded successfully unless the certificate is revoked.

Microsoft plans to retire the older PCA 2011 certificates soon, but until revocation occurs, attackers with physical access to a device may still exploit outdated boot managers to bypass BitLocker protections.

Recommended Mitigations

Security experts recommend organizations take the following steps immediately:

  • Enable BitLocker PIN authentication at startup
  • Migrate systems to the newer CA 2023 boot certificates
  • Revoke old PCA 2011 certificates
  • Restrict physical access to sensitive systems
  • Monitor WinRE-related activity and unauthorized USB usage
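As an added example (not code from the article, the researchers or Microsoft), the PowerShell audit below checks the host-side state behind the first three mitigations above and the Secure Boot point raised in the Intrinsec section: whether a TPM+PIN protector is present on the OS volume, whether Secure Boot is on and the db already carries the 2023 boot certificate, whether the PCA 2011 certificate is still trusted or has been revoked via dbx, and whether WinRE is enabled at all. It is read-only and assumes an elevated session on a UEFI machine with the BitLocker and SecureBoot modules that ship with Windows 10/11 and Server; the function names are this example's own.

```powershell
# Added example (not from the article): read-only audit of the mitigations listed above.
# Assumptions: elevated PowerShell, UEFI firmware, BitLocker and SecureBoot modules present.

function Test-BitLockerPinProtector {
    param([string]$MountPoint = $env:SystemDrive)
    # "PIN at startup" means a TpmPin (or TpmPinStartupKey) protector on the OS volume;
    # a bare Tpm protector unlocks without any user interaction.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionStatus  = $vol.ProtectionStatus.ToString()
        KeyProtectorTypes = ($types -join ', ')
        PinAtStartup      = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
    }
}

function Test-SecureBootCertificateState {
    # Secure Boot db/dbx are raw byte blobs, but certificate subject names are embedded as
    # ASCII, so a substring match shows whether a CA is trusted (db) or revoked (dbx).
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Thrown on legacy BIOS machines or when Secure Boot is unsupported.
        return [pscustomobject]@{ SecureBootEnabled = $false; Note = $_.Exception.Message }
    }
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbxText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        SecureBootEnabled   = $enabled
        Has2023BootCA       = [bool]($dbText  -match 'Windows UEFI CA 2023')
        Pca2011StillTrusted = [bool]($dbText  -match 'Microsoft Windows Production PCA 2011')
        Pca2011Revoked      = [bool]($dbxText -match 'Microsoft Windows Production PCA 2011')
    }
}

function Get-WinREState {
    # reagentc has no cmdlet equivalent; parse the "Windows RE status" line of its output.
    $output = reagentc /info 2>&1
    $line   = $output | Where-Object { "$_" -match 'Windows RE status' } | Select-Object -First 1
    [pscustomobject]@{
        WinREStatus = if ($line) { ("$line" -split ':\s*')[-1].Trim() } else { 'unknown' }
    }
}

Write-Host '== BitLocker protectors on the OS volume =='
Test-BitLockerPinProtector | Format-List
Write-Host '== Secure Boot certificate state =='
Test-SecureBootCertificateState | Format-List
Write-Host '== Windows Recovery Environment =='
Get-WinREState | Format-List
```

Read the three results together: a host is only in the state the mitigations describe when PinAtStartup is true, Has2023BootCA is true and Pca2011Revoked is true. Has2023BootCA being true while Pca2011StillTrusted is also true is the intermediate state the article warns about, where an older PCA 2011-signed boot manager still loads. WinREStatus is reported rather than judged, because disabling WinRE is not one of the listed mitigations; it simply tells you whether the recovery path the YellowKey report describes is reachable on this machine.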

As Microsoft investigates the latest disclosures, the emergence of YellowKey and GreenPlasma highlights growing concerns around preboot security mechanisms and Windows recovery infrastructure.
