Researcher Discloses Two Windows Zero-Days: BitLocker Bypass 'YellowKey' and CTFMON Privilege Escalation 'GreenPlasma'
An anonymous researcher has disclosed two new Windows zero-days — a BitLocker bypass affecting Windows 11 and Server 2022/2025, and a privilege escalation in the CTFMON framework — just weeks after publishing three Microsoft Defender vulnerabilities.

An anonymous cybersecurity researcher who previously disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days: a BitLocker bypass codenamed YellowKey and a privilege escalation in the Windows Collaborative Translation Framework (CTFMON) dubbed GreenPlasma.
The researcher, who goes by the online aliases Chaotic Eclipse and Nightmare-Eclipse, described YellowKey as "one of the most insane discoveries I ever found," saying the BitLocker bypass effectively functions as a backdoor. The bug resides exclusively in the Windows Recovery Environment (WinRE), the built-in environment used to troubleshoot and repair an operating system that will not boot.
YellowKey affects Windows 11 and Windows Server 2022/2025. At a high level, the exploit involves copying specially crafted "FsTx" files onto a USB drive or the EFI partition, plugging the USB drive into a target Windows computer with BitLocker protections enabled, rebooting into WinRE, and triggering a shell by holding down the CTRL key. The researcher noted that even TPM+PIN protection does not mitigate the vulnerability.
Security researcher Will Dormann independently reproduced the attack and shared his findings on Mastodon. "I was able to reproduce YellowKey with a USB drive attached," Dormann wrote, adding that "it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment." Dormann further emphasized that the ability of a `\System Volume Information\FsTx` directory on one volume to modify contents on another volume "in and of itself sounds like a vulnerability."
The second vulnerability, GreenPlasma, is a privilege escalation in Windows CTFMON that could allow an unprivileged user to create arbitrary memory section objects within directory objects writable by SYSTEM. This could potentially enable manipulation of privileged services or drivers that implicitly trust those paths. The released proof-of-concept is incomplete and lacks the code necessary to obtain a full SYSTEM shell.
These disclosures come nearly a month after the researcher published three Defender zero-days — BlueHammer, RedSun, and UnDefend — citing dissatisfaction with Microsoft's vulnerability disclosure process. While BlueHammer was assigned CVE-2026-33825 and patched by Microsoft last month, the researcher claims RedSun was "silently" addressed without an advisory. The researcher has promised a "big surprise" for Microsoft coinciding with the June 2026 Patch Tuesday.
In a separate but related development, French cybersecurity firm Intrinsec detailed an attack chain against BitLocker that leverages a boot manager downgrade exploiting CVE-2025-48804 (CVSS 6.8) to bypass encryption on fully patched Windows 11 systems in under five minutes. The attack exploits the fact that Secure Boot only verifies a binary's signing certificate, not its version, allowing an old, vulnerable boot manager signed with the trusted PCA 2011 certificate to be loaded. Microsoft plans to retire the PCA 2011 certificates next month.
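The downgrade chain above works because Secure Boot checks the signer, not the version, so a defender's first question is what the local firmware currently trusts and what actually signs the boot manager on the EFI system partition. The PowerShell below is an added example for this article, not code from Intrinsec or Microsoft; it assumes an elevated session on a UEFI machine, that drive letter S: is free for temporarily mounting the EFI partition, and that the two CA names can be matched as plain ASCII substrings of the UEFI `db` variable (the same way Microsoft's published guidance inspects it).

```powershell
# Added example: report the Secure Boot trust state the boot-manager downgrade depends on.
# Assumptions (not from the article): run elevated on a UEFI system, S: is unused,
# and CA subjects are matched as ASCII substrings of the 'db' variable contents.
function Get-SecureBootTrustState {
    $state = [ordered]@{
        SecureBootEnabled = $false
        Pca2011InDb       = $null   # legacy "Microsoft Windows Production PCA 2011" still trusted?
        Ca2023InDb        = $null   # newer "Windows UEFI CA 2023" present?
        BootMgrVersion    = $null   # version of the boot manager actually on the ESP
        BootMgrSigner     = $null   # issuer of the certificate that signed it
    }

    # Confirm-SecureBootUEFI throws on BIOS/CSM systems; report what we have and stop.
    try { $state.SecureBootEnabled = Confirm-SecureBootUEFI } catch { return [pscustomobject]$state }

    # 'db' holds the allowed signers; both CA subject strings appear in it as ASCII.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $state.Pca2011InDb = [bool]($db -match 'Microsoft Windows Production PCA 2011')
    $state.Ca2023InDb  = [bool]($db -match 'Windows UEFI CA 2023')

    # Mount the EFI system partition read-only in effect (we only read) and inspect bootmgfw.efi.
    $efiDrive = 'S:'
    $mountedHere = $false
    if (-not (Test-Path "$efiDrive\")) {
        mountvol $efiDrive /S | Out-Null      # assumption: S: was free
        $mountedHere = $true
    }
    try {
        $bootmgr = Join-Path $efiDrive 'EFI\Microsoft\Boot\bootmgfw.efi'
        if (Test-Path $bootmgr) {
            $state.BootMgrVersion = (Get-Item $bootmgr).VersionInfo.FileVersion
            $sig = Get-AuthenticodeSignature -FilePath $bootmgr
            if ($sig.SignerCertificate) { $state.BootMgrSigner = $sig.SignerCertificate.Issuer }
        }
    } finally {
        if ($mountedHere) { mountvol $efiDrive /D | Out-Null }
    }
    [pscustomobject]$state
}

# Usage: a host whose boot manager chains to the PCA 2011 issuer while that CA is
# still in 'db' remains exposed to the version-agnostic downgrade described above.
Get-SecureBootTrustState | Format-List
```

The `BootMgrSigner` field is the issuer of the Authenticode signer certificate, so a boot manager signed under the legacy chain reports the PCA 2011 issuer name; once the 2023 CA is rolled out and the 2011 CA is revoked, both that field and `Pca2011InDb` should change together.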
Microsoft has now assigned CVE-2026-45585 to the YellowKey flaw and published an advisory with specific mitigation steps. The company recommends removing the autofstx.exe entry from the Session Manager's BootExecute value and reestablishing BitLocker trust for WinRE, as well as switching encrypted devices from TPM-only to TPM+PIN mode to block the attack. A permanent security update has not yet been released.
Microsoft has now released mitigation guidance for CVE-2026-45585 (YellowKey), advising administrators to either remove the autofstx.exe value from the Windows RE image hive or add a TPM+PIN protector to BitLocker. The company confirmed a permanent fix is in development but did not provide a timeline. NCSC Netherlands noted the vulnerability lies not in BitLocker's encryption itself but in the recovery environment, and vulnerability analyst Will Dormann confirmed the published PoC exploit works against default BitLocker configurations.
Microsoft has now assigned CVE-2026-45585 (CVSS 6.8) to the YellowKey BitLocker bypass and released mitigations that prevent the FsTx Auto Recovery utility (autofstx.exe) from automatically running during WinRE boot. The fix involves removing autofstx.exe from the WinRE registry hive and reestablishing BitLocker trust for WinRE, though the researcher claims the bypass also works on systems with TPM-plus-PIN protection.
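The mitigation described above has two checkable halves: whether the WinRE image's Session Manager `BootExecute` value still carries the `autofstx.exe` entry, and whether each BitLocker volume is protected by TPM-only or by TPM+PIN. The script below is an added example, not Microsoft's advisory script or the researcher's code. It assumes an elevated session with the DISM and BitLocker PowerShell modules, a local copy of `winre.wim` (the live location is shown by `reagentc /info`), image index 1, that `ControlSet001` is the active control set in the offline hive, and that a substring match on `autofstx` is enough to identify the entry; re-establishing BitLocker trust for WinRE after the change is a separate step the advisory describes and is not performed here.

```powershell
# Added example: audit (and optionally remove) the autofstx.exe BootExecute entry in an
# offline WinRE image, then report which BitLocker volumes rely on TPM-only protection.
# Assumptions (not from the advisory): local winre.wim copy, index 1, ControlSet001,
# substring match on 'autofstx'. Run elevated.
param(
    [Parameter(Mandatory)] [string]$ImagePath,                       # local copy of winre.wim
    [string]$MountDir = (Join-Path $env:SystemDrive 'WinRE_Mount'),  # scratch mount point
    [switch]$Remove                                                  # drop the entry and save the image
)

$hiveName = 'WinRE_SYSTEM'                                   # temporary name for the loaded offline hive
$smKey    = "HKLM:\$hiveName\ControlSet001\Control\Session Manager"

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImagePath -Index 1 -Path $MountDir | Out-Null
try {
    $hiveFile = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
    reg.exe load "HKLM\$hiveName" $hiveFile | Out-Null
    try {
        $boot = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)   # REG_MULTI_SZ
        $hits = @($boot | Where-Object { $_ -match 'autofstx' })
        if ($hits.Count -eq 0) {
            Write-Output "No autofstx entry in BootExecute: $($boot -join ' | ')"
        } else {
            Write-Output "FOUND autofstx entry in BootExecute: $($hits -join ' | ')"
            if ($Remove) {
                $kept = @($boot | Where-Object { $_ -notmatch 'autofstx' })
                Set-ItemProperty -Path $smKey -Name BootExecute -Value $kept -Type MultiString
                Write-Output "Removed; BootExecute is now: $($kept -join ' | ')"
            }
        }
    } finally {
        [GC]::Collect()                                      # release provider handles before unloading
        reg.exe unload "HKLM\$hiveName" | Out-Null
    }
} finally {
    if ($Remove) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else         { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}

# Live check: volumes with a Tpm protector but no PIN-based protector are in the
# TPM-only configuration the advisory recommends moving away from.
Get-BitLockerVolume | ForEach-Object {
    $types = @($_.KeyProtector.KeyProtectorType)
    [pscustomobject]@{
        Volume     = $_.MountPoint
        Protection = $_.ProtectionStatus
        TpmOnly    = ($types -contains 'Tpm') -and
                     -not ($types -contains 'TpmPin') -and
                     -not ($types -contains 'TpmPinStartupKey')
        Protectors = ($types -join ',')
    }
} | Format-Table -AutoSize
```

Run it without `-Remove` first to see the current `BootExecute` list; with `-Remove` the edited image is saved, after which the updated `winre.wim` still has to be put back in place and trust re-established as the advisory describes. The `TpmOnly` column is the quick inventory of which machines the TPM+PIN recommendation applies to.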