Windows Zero-Day Flaws Expose BitLocker Bypass, Privilege Escalation Risks

New Windows Zero-Day Vulnerabilities Uncover BitLocker Bypass and CTFMON Privilege Escalation

An anonymous security researcher who posts as Chaotic Eclipse and Nightmare-Eclipse has published two unpatched (zero-day) Windows vulnerabilities, named YellowKey and GreenPlasma. The first bypasses BitLocker on a machine the attacker can boot; the second gives a local, unprivileged user a primitive that points toward privilege escalation.

YellowKey: Bypassing BitLocker from WinRE

YellowKey lets an attacker bypass BitLocker and reach the plaintext contents of a protected volume, defeating the protection the encryption is meant to provide against exactly that attacker. The flaw lies in the Windows Recovery Environment (WinRE), the boot-time tool used to troubleshoot and repair an operating system that will not start.

The exploit targets Windows 11 and Windows Server 2022/2025. The attacker places specially crafted Transactional NTFS (FsTx) files on a USB drive or on the EFI system partition, plugs the drive into a BitLocker-protected machine, reboots into WinRE, and holds CTRL during startup to land in a command prompt. The chain needs physical access and nothing else, which is the threat model BitLocker exists to address.

The researcher expressed astonishment at the discovery: "I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden." They also noted that the exploit remains viable even with TPM+PIN configurations.

Security researcher Will Dormann corroborated the finding, explaining that Transactional NTFS operations staged on the USB drive end up deleting the winpeshl.ini file on another drive. winpeshl.ini tells WinRE which application to launch at startup; with it gone, WinRE falls back to a plain command prompt, and because WinRE has already unlocked the OS volume by that point, the prompt has access to the decrypted data instead of the expected recovery menu.

GreenPlasma: Elevating Privileges via CTFMON

The second vulnerability, GreenPlasma, is a privilege escalation in the Collaborative Translation Framework loader (ctfmon.exe). It lets an unprivileged user create arbitrary section (shared memory) objects in object-manager directories that are normally writable only by SYSTEM, a primitive that could be used to tamper with privileged services or drivers that open objects by those names.

The proof-of-concept (PoC) released with the write-up is incomplete: it demonstrates the primitive but omits the final steps needed to obtain a SYSTEM shell. It is sufficient to show that the primitive is real and that a full chain is plausible.

Context and Implications

These releases follow the same researcher's disclosure of three Microsoft Defender vulnerabilities, BlueHammer, RedSun and UnDefend, which they published out of dissatisfaction with Microsoft's vulnerability disclosure process. BlueHammer has been patched under CVE-2026-33825; RedSun appears to have been fixed without public acknowledgment.

The researcher has hinted at further disclosures: "The fire will go as long as you want, unless you extinguish it or until there is nothing left to burn."

In response, Microsoft said it investigates reported security issues and updates affected devices as quickly as possible, and that it supports coordinated vulnerability disclosure so that issues are investigated and fixed before they become public.

BitLocker Downgrade Attack: A Related Concern

In a related development, the French security firm Intrinsec detailed an attack chain that uses CVE-2025-48804 to defeat BitLocker on a fully patched Windows 11 system in under five minutes. The attacker replaces the boot manager with an older, still-signed version (a downgrade), which loads a malicious Windows Recovery Environment image, which in turn exposes the decrypted BitLocker volume.

Microsoft shipped a fix in July 2025, but a patched system remains exposed because of how Secure Boot verifies images: the firmware checks a binary's signature against the allowed certificates (db) and rejects anything listed in the forbidden database (dbx); it has no notion of a binary's version. A pre-patch bootmgfw.efi signed under the Microsoft Windows Production PCA 2011 certificate therefore still passes verification and can be written to the EFI system partition in place of the patched one.

Two measures close this. First, require pre-boot authentication with a TPM+PIN protector: with a TPM-only protector the TPM unseals the volume key automatically once the measured boot state matches, and an older boot manager signed under the same certificate authority typically produces a matching state; a PIN adds a factor the attacker does not have. Second, move the boot manager to one signed under the Windows UEFI CA 2023 certificate and apply the revocation that adds the PCA 2011 certificate to dbx, so that every older boot manager is refused rather than only the one version the patch fixed.
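The following PowerShell audit is an added example, not code from the article, from Intrinsec or from Microsoft. It checks the three conditions the mitigation above depends on: a TPM+PIN protector on the OS volume, the Windows UEFI CA 2023 certificate present in db with the PCA 2011 revocation present in dbx, and a boot manager whose signing chain goes to the 2023 CA. It assumes the certificate subject strings below match the ones Microsoft uses, that drive letter S: is free for mounting the EFI system partition, and that the FVE policy value names (UseAdvancedStartup, UseTPMPIN) follow the BitLocker policy registry layout; run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added audit script (example, not the article's or vendor's code).
# Assumptions: subject strings below match Microsoft's certificate names;
# S: is free to mount the ESP; FVE policy values are named as in the
# "Require additional authentication at startup" policy.

$results = [ordered]@{}

# 1. Pre-boot authentication: is there a TPM+PIN protector on the OS volume?
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$pinProtector = $osVol.KeyProtector |
    Where-Object { $_.KeyProtectorType -in 'TpmPin', 'TpmPinStartupKey' }
$results['OS volume protection'] = $osVol.ProtectionStatus
$results['TPM+PIN protector']    = [bool]$pinProtector

# Policy must allow (2) or require (1) a PIN, otherwise adding one fails.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$results['Policy UseAdvancedStartup']      = $fve.UseAdvancedStartup
$results['Policy UseTPMPIN (1=req,2=ok)']  = $fve.UseTPMPIN

# 2. Secure Boot databases. The variables hold binary EFI_SIGNATURE_LISTs, but
#    certificate subjects appear as ASCII inside the DER, so a substring match
#    is enough for a presence check (the same approach Microsoft's guidance uses).
try {
    $sbOn = Confirm-SecureBootUEFI
} catch {
    $sbOn = $false   # non-UEFI or unsupported platform
}
$results['Secure Boot enabled'] = $sbOn
if ($sbOn) {
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $results['db has Windows UEFI CA 2023'] = $db  -match 'Windows UEFI CA 2023'
    $results['dbx revokes PCA 2011']        = $dbx -match 'Microsoft Windows Production PCA 2011'
}

# 3. Which CA signed the installed boot manager? Mount the ESP only long enough to look.
mountvol S: /s | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
    $results['bootmgfw.efi signature'] = $sig.Status
    $results['bootmgfw.efi issuer']    = $sig.SignerCertificate.Issuer
    # Assumption: the 2023-signed boot manager chains to an issuer containing this name.
    $results['Boot manager on 2023 CA'] = $sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023'
} finally {
    mountvol S: /d | Out-Null
}

$results.GetEnumerator() | Format-Table -AutoSize

# Remediation hint for the first finding. The db/dbx and boot manager changes are
# delivered by the Secure Boot servicing updates, not by this script.
if (-not $pinProtector) {
    Write-Warning 'No TPM+PIN protector on the OS volume. After setting the FVE policy, add one with:'
    Write-Host '  Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin (Read-Host -AsSecureString "PIN")'
}
```

A machine is only covered when all three rows read true: a PIN alone leaves the downgrade possible but makes the unsealed key unreachable, while the 2023 CA plus the PCA 2011 revocation stops the old boot manager from loading at all. If dbx lacks the revocation, do not add it by hand; a device whose firmware or recovery media still depends on PCA 2011 will stop booting, which is why Microsoft stages the revocation through its servicing path.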

Conclusion

YellowKey and GreenPlasma, alongside the Intrinsec downgrade chain, show that the boot path and recovery tooling remain a soft spot in Windows' security model. Installing patches is necessary but, as the downgrade attack demonstrates, not sufficient on its own: administrators should also require pre-boot authentication, complete the Secure Boot certificate migration, and watch for the further disclosures the researcher has promised.