kev · Published May 13, 2026 · Updated May 18, 2026 · 1 source

Anonymous Researcher Drops Two More Microsoft Zero-Days: YellowKey and GreenPlasma

An anonymous researcher has disclosed two new Microsoft zero-day vulnerabilities, YellowKey and GreenPlasma, just after Patch Tuesday, continuing a retaliatory campaign against the company.

An anonymous security researcher using the aliases Nightmare-Eclipse and Chaotic Eclipse has disclosed two new Microsoft zero-day vulnerabilities, YellowKey and GreenPlasma, just after Microsoft's monthly Patch Tuesday update. This marks the latest in a series of five zero-day bugs the researcher has exposed this year, following earlier disclosures of BlueHammer, RedSun, and UnDefend. The researcher, rumored to be a disgruntled former Microsoft employee, has been releasing exploit code and technical details since early April, allegedly in retaliation for a broken agreement.

YellowKey is a BitLocker bypass vulnerability that requires physical access to a Windows PC. The researcher provided files that must be loaded onto a USB drive; if the attacker completes the correct key sequence, they are granted an unrestricted shell on the BitLocker-protected machine. While physical access is a limiting factor, experts warn that BitLocker is Windows' last line of defense for stolen devices. Rik Ferguson, VP of security intelligence at Forescout, told The Register: "If the researcher's claim holds up, a stolen laptop stops being a hardware problem and becomes a breach notification."

GreenPlasma is a privilege escalation flaw that can provide SYSTEM access to an attacker. The researcher published partial exploit code, but in its current state it triggers a UAC consent prompt in default Windows configurations, meaning a silent exploit is still a work in progress. Gavin Knapp, cyber threat intelligence principal lead at Bridewell, warned that such elevation of privilege vulnerabilities are often weaponized during post-exploitation to enable credential harvesting, lateral movement, and ransomware deployment. Currently, there is no known mitigation for GreenPlasma, and experts urge patching when Microsoft addresses the issue.

YellowKey can be mitigated by implementing a BitLocker PIN and a BIOS password lock, according to Knapp. However, the researcher hinted that YellowKey may also act as a backdoor allegedly injected by Microsoft, though experts say this claim is impossible to verify based on available information. The researcher's previous disclosures, including RedSun and UnDefend, remain unfixed and have been actively exploited in real-world attacks, according to Huntress.
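The mitigation Knapp describes for YellowKey (a pre-boot BitLocker PIN, alongside a firmware password) can be audited fleet-wide with the built-in BitLocker PowerShell module. The script below is an added example, not code from the article or from any of the parties it quotes: it lists every BitLocker volume, records which key protector types are present, and flags operating-system volumes that have no TPM+PIN protector. The report path in `$ReportPath` is an assumed location; the cmdlets (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`) and the protector type names are the real ones shipped with Windows.

```powershell
# Added audit example (not from the article): report BitLocker volumes that lack a
# pre-boot TPM+PIN protector. Requires the BitLocker module (Windows Pro/Enterprise)
# and an elevated prompt. $ReportPath is an assumed output location.

$ReportPath = "$env:TEMP\bitlocker-protector-audit.csv"

$findings = foreach ($vol in Get-BitLockerVolume) {
    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
    # RecoveryPassword, ExternalKey and Password.
    $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType          # OperatingSystem or Data
        ProtectionStatus = $vol.ProtectionStatus    # On or Off
        Protectors       = ($types -join ',')
        HasTpmPin        = $hasPin
        # An OS volume protected by TPM alone unlocks with no user secret at boot,
        # which is the condition the PIN mitigation is meant to remove.
        NeedsAttention   = ($vol.VolumeType -eq 'OperatingSystem' -and -not $hasPin)
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

# Remediation for a flagged OS volume (interactive, run by an administrator after the
# "Require additional authentication at startup" policy permits a TPM PIN):
#   $pin = Read-Host -AsSecureString 'Enter BitLocker PIN'
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

Adding the TPM+PIN protector only takes effect if the BitLocker group policy under Windows Components > BitLocker Drive Encryption > Operating System Drives allows a startup PIN; without that setting the cmdlet is rejected. The firmware (BIOS/UEFI) password half of the mitigation is set per vendor outside Windows and is not visible to this script, so it needs a separate inventory check.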

Ferguson described the exposure of YellowKey and GreenPlasma as part of an escalating, retaliatory campaign against Microsoft. The same blog post that announced these vulnerabilities warns of another Patch Tuesday surprise and hints at future RCE disclosures. The researcher claims to have a dead man's switch with more exploits ready to go. "This researcher has followed through on every prior threat," Ferguson said.

The ongoing leak of zero-day vulnerabilities poses significant risks to organizations relying on Microsoft products. With no patches available for GreenPlasma and only partial mitigations for YellowKey, security teams must remain vigilant and implement compensating controls where possible. The situation underscores the potential damage that can be caused by a single disgruntled insider with deep knowledge of a vendor's software.

Synthesized by Vypr AI