Full Report
A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. [...]
Analysis Summary
This report summarizes the details regarding two zero-day vulnerabilities, "YellowKey" and "GreenPlasma," disclosed by security researcher "Chaotic Eclipse" (aka Nightmare-Eclipse).
# Vulnerability: YellowKey BitLocker Bypass & GreenPlasma LPE
## CVE Details
- **CVE ID:** None assigned (Zero-day)
- **CVSS Score:** N/A (Estimated **High/Critical** due to security feature bypass)
- **CWE:** CWE-287 (Improper Authentication) / CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:** Windows 11, Windows Server 2022, and Windows Server 2025.
- **Configurations:**
- **YellowKey:** Systems utilizing BitLocker with TPM-only protectors (default configuration).
- **GreenPlasma:** Standard Windows installations where `ctfmon.exe` is present.
## Vulnerability Description
**YellowKey (BitLocker Bypass):**
The flaw abuses how the Windows Recovery Environment (WinRE) processes NTFS transaction metadata during boot. By planting specially crafted `FsTx` files on an attached USB drive or on the EFI System Partition, an attacker can make WinRE replay those transaction logs; the replay deletes `X:\Windows\System32\winpeshl.ini` from the booted WinRE image. Without `winpeshl.ini`, WinPE falls back to its default shell and launches a Command Prompt (`cmd.exe`) instead of the recovery UI. Because a TPM-only protector trusts WinRE as part of the measured boot chain, the TPM has already released the volume key by that point, so the command prompt sees the OS volume unlocked.
**GreenPlasma (Privilege Escalation):**
Described by the researcher as a "Windows CTFMON Arbitrary Section Creation" flaw. An unprivileged user can create arbitrary section objects inside object-manager directories that should be writable only by SYSTEM. A privileged service or kernel-mode driver that opens a section by name from such a directory can therefore be handed attacker-controlled memory it wrongly trusts, which is the path to Local Privilege Escalation (LPE); the published PoC demonstrates the primitive, not a finished SYSTEM shell.
## Exploitation
- **Status:** PoC available; active public disclosure.
- **Complexity:** Medium (YellowKey requires specific file placement; GreenPlasma requires further development to reach full SYSTEM shell).
- **Attack Vector:**
- **YellowKey:** Physical or Local (the attacker either attaches a prepared USB drive, which needs physical access, or already has enough access to write to the EFI System Partition).
- **GreenPlasma:** Local.
## Impact
- **Confidentiality:** Total (Full access to encrypted drive data via YellowKey).
- **Integrity:** Total (Ability to modify system files and escalate privileges).
- **Availability:** High (Potential for system instability or data deletion).
## Remediation
### Patches
- **No official patches** are currently available for either vulnerability. Microsoft is reportedly investigating.
### Workarounds
- **For YellowKey:** Switch the OS volume from a TPM-only protector to **TPM+PIN** and set a **BIOS/UEFI password** so that boot order and firmware settings cannot be changed without it. With TPM+PIN the TPM does not release the volume key until the PIN is entered at pre-boot, so the OS volume is still locked when WinRE, and the `cmd.exe` the PoC drops, comes up; this blocks the current public PoC. Adding a startup PIN requires the "Require additional authentication at startup" policy to allow it, and recovery passwords should be escrowed before protectors are changed.
- **General:** Limit physical access to sensitive devices and restrict the use of unauthorized USB media.
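The protector change described in the YellowKey workaround, as an added PowerShell example that is not code from the advisory, the researcher, or Microsoft. It audits the OS volume, refuses to proceed unless a recovery-password protector already exists, checks that policy permits a startup PIN, then swaps the bare TPM protector for TPM+PIN. It assumes the recovery password has been escrowed (AD, Entra ID or a vault) and that BitLocker allows only one TPM-based protector per volume, which is why the bare TPM protector is removed before the TPM+PIN one is added.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or Microsoft): move a TPM-only OS volume
# to TPM+PIN. Assumption: a recovery-password protector exists and is escrowed;
# between the remove and add calls below it is the only way to unlock the volume.

$osDrive = $env:SystemDrive
$vol     = Get-BitLockerVolume -MountPoint $osDrive
$types   = @($vol.KeyProtector.KeyProtectorType)
Write-Output "Protectors on ${osDrive}: $($types -join ', ')"

if ($vol.VolumeStatus -eq 'FullyDecrypted') { throw "$osDrive is not BitLocker-encrypted." }

# Vulnerable shape: a bare 'Tpm' protector and no PIN-bearing TPM protector.
if ($types -notcontains 'Tpm' -or ($types | Where-Object { $_ -like 'TpmPin*' })) {
    Write-Output 'Startup already needs a PIN (or no bare TPM protector exists); nothing to do.'
    return
}
if ($types -notcontains 'RecoveryPassword') {
    throw 'Add and escrow a recovery password first (Add-BitLockerKeyProtector -RecoveryPasswordProtector).'
}

# Policy must permit a startup PIN or Add-BitLockerKeyProtector refuses. Values under
# HKLM\SOFTWARE\Policies\Microsoft\FVE: UseAdvancedStartup=1 enables the
# "Require additional authentication at startup" policy; UseTPMPIN 1=Require, 2=Allow.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $pol -or $pol.UseAdvancedStartup -ne 1 -or $pol.UseTPMPIN -notin 1, 2) {
    throw 'Policy does not allow a TPM startup PIN; set UseAdvancedStartup=1 and UseTPMPIN=1 via GPO/MDM first.'
}

# Never hard-code the PIN; minimum length is policy-controlled.
$pin = Read-Host -Prompt 'New BitLocker startup PIN' -AsSecureString

# Assumed: only one TPM-based protector may exist, so remove the bare TPM protector first.
$tpmId = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm').KeyProtectorId
Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $tpmId | Out-Null
try {
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin | Out-Null
}
catch {
    Write-Warning "TPM+PIN protector could not be added: $_  Only the recovery password protects $osDrive now; re-add a TPM protector or fix the policy before rebooting."
    throw
}

# Final state: TpmPin plus RecoveryPassword, no bare Tpm protector.
(Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

Run it from an elevated session and reboot afterwards to confirm the PIN prompt appears before Windows loads. If your build accepts `Add-BitLockerKeyProtector -TpmAndPinProtector` while a TPM protector is still present, reverse the remove and add steps so there is no window in which only the recovery password can unlock the volume.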
## Detection
- **Indicators of Compromise:** Unexpected `FsTx` directories or files on the EFI System Partition or on attached USB media. The ESP is a FAT volume that should hold only boot-loader and firmware files, so NTFS transaction artefacts there have no legitimate origin.
- **Detection Methods:** Monitor for unusual WinRE behaviour, such as a command prompt appearing in place of the recovery UI, and for unexpected reboots into WinRE on BitLocker-protected endpoints. For GreenPlasma, note that Windows does not log section-object creation by default; capturing it requires kernel-object auditing (the "Audit Kernel Object" subcategory, whose 4656/4663 events carry an Object Type field), which is high-volume and should be tested for coverage before it is relied on.
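A hunt for the YellowKey staging indicator above, as an added PowerShell example that is not part of the advisory or the researcher's PoC. It temporarily mounts the EFI System Partition, sweeps it and every removable volume for entries whose name contains `FsTx`, and exits non-zero on a hit so it can run from an EDR or scheduled task. The `S:` mount letter and the `*FsTx*` name pattern are assumptions taken from the advisory text.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or the PoC): sweep the EFI System Partition
# and removable media for YellowKey staging artefacts. Assumptions: S: is free for
# a temporary ESP mount; planted entries carry "FsTx" in their name.

$pattern   = '*FsTx*'
$espLetter = 'S:'
$findings  = @()

function Find-StagingArtefacts {
    param([string]$Root, [string]$Source)
    # -Force includes hidden/system entries; errors on unreadable paths are skipped.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Source        = $Source
                Path          = $_.FullName
                IsDirectory   = $_.PSIsContainer
                LastWriteTime = $_.LastWriteTime
            }
        }
}

# 1. The ESP has no drive letter by default; mountvol /S exposes it. It is FAT and
#    should contain only EFI\ boot files, never NTFS transaction data.
mountvol $espLetter /S | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not mount the EFI System Partition on $espLetter" }
try {
    $findings += Find-StagingArtefacts -Root "$espLetter\" -Source 'EFI System Partition'
}
finally {
    mountvol $espLetter /D | Out-Null
}

# 2. Every ready removable volume (the USB-drive variant of the attack).
foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    if ($drive.DriveType -eq 'Removable' -and $drive.IsReady) {
        $findings += Find-StagingArtefacts -Root $drive.Name -Source "Removable $($drive.Name)"
    }
}

if ($findings) {
    Write-Warning 'Possible YellowKey staging artefacts:'
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "No '$pattern' entries found on the ESP or on removable media."
```

A hit on the ESP is strong on its own; a hit on a removable NTFS drive should be reviewed against the drive's origin before it is treated as confirmed staging.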
## References
- **BleepingComputer Article:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/
- **YellowKey PoC Repository:** hxxps[://]github[.]com/Nightmare-Eclipse/YellowKey
- **GreenPlasma PoC Repository:** hxxps[://]github[.]com/Nightmare-Eclipse/GreenPlasma
- **Researcher Technical Blog:** hxxps[://]deadeclipse666[.]blogspot[.]com/2026/05/were-doing-silent-patches-now-huh-also[.]html