Researcher Drops YellowKey, GreenPlasma Windows Zero-Days
A disgruntled security researcher publicly disclosed two Windows zero-days: YellowKey, a BitLocker bypass, and GreenPlasma, a privilege escalation to System, with no patches available.

A disgruntled security researcher known as Chaotic Eclipse has publicly disclosed two zero-day vulnerabilities in Windows: YellowKey, a BitLocker bypass, and GreenPlasma, a privilege escalation to System. The researcher published proof-of-concept (PoC) code on Tuesday, raising alarms across the security community. No patches are currently available from Microsoft, and the researcher has suggested that the BitLocker bypass may stem from an intentional backdoor.
YellowKey abuses a component shipped with the Windows Recovery Environment (WinRE) to give an attacker with physical access full access to BitLocker-protected volumes. The attack chain as published involves copying the PoC folder to a USB drive, rebooting into WinRE by holding Shift while clicking Restart, then pressing Ctrl to spawn a command prompt that can read the protected volume. The researcher claims the underlying component cannot be found anywhere else on the internet and is absent from normal Windows installations, and takes that as a hint of a possible backdoor.
Several security researchers, including Kevin Beaumont, KevTheHermit, and Will Dormann, have confirmed the exploit works on recent Windows 11 builds. Chaotic Eclipse warned that YellowKey also works on devices protected with a TPM PIN, though the PoC for that bypass was withheld. The exploit echoes a decade-old Windows vulnerability that allowed BitLocker bypass by holding Shift+F10 during feature updates.
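The two preconditions the attack chain above depends on are a BitLocker-protected OS volume and a bootable WinRE on the same machine. The following PowerShell audit script is an added example, not code from the article, the researcher, or Microsoft; it reports that posture on a fleet member so an administrator can see which machines expose the described boot-into-WinRE path. It assumes an elevated session on Windows 10/11 with the BitLocker module installed and an English-language `reagentc` (its output is localized on other locales). The optional `-DisableWinRE` switch is an assumed hardening choice the article does not endorse, and it is off by default.

```powershell
# Added audit script (not from the article, the researcher, or Microsoft).
# Assumes: elevated PowerShell on Windows 10/11, BitLocker module present,
# English-language reagentc output. Reports posture only; makes no change
# unless -DisableWinRE is explicitly passed.
[CmdletBinding()]
param(
    # Assumed hardening option: remove the local WinRE boot target entirely.
    [switch]$DisableWinRE
)

# 1. BitLocker state and key-protector types for every volume.
#    Per the article, the researcher claims a TPM PIN does not stop YellowKey,
#    so TpmPin is reported for completeness, not as a mitigation.
$volumes = Get-BitLockerVolume
$volumes | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeStatus     = $_.VolumeStatus
        ProtectionStatus = $_.ProtectionStatus
        Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
} | Format-Table -AutoSize

# 2. WinRE status as reported by reagentc (requires elevation).
$reInfo    = reagentc /info 2>&1
$reEnabled = [bool]($reInfo | Select-String -Pattern 'Windows RE status:\s+Enabled')
Write-Host ("WinRE enabled: {0}" -f $reEnabled)

# 3. Flag the combination the article describes: a protected OS volume on a
#    machine that can still be rebooted into its own recovery environment.
$osVol = $volumes | Where-Object { $_.MountPoint -eq $env:SystemDrive }
if ($osVol -and $osVol.ProtectionStatus -eq 'On' -and $reEnabled) {
    Write-Warning ("{0} is BitLocker-protected and WinRE is bootable: the " +
                   "Shift+Restart into WinRE path described for YellowKey is " +
                   "available on this machine.") -f $osVol.MountPoint
}

# 4. Optional, assumed hardening step: disable the local WinRE boot target.
#    This also removes normal recovery functionality, so it is a judgement call.
if ($DisableWinRE -and $reEnabled) {
    reagentc /disable
    Write-Host "WinRE disabled; re-enable later with 'reagentc /enable'."
}
```

Run it as `.\Audit-WinREBitLocker.ps1` from an elevated prompt; add `-DisableWinRE` only on machines where losing local recovery is acceptable, since the script cannot tell whether a given WinRE image carries the component the researcher describes.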
The second zero-day, GreenPlasma, allows a local attacker to elevate privileges to System by creating arbitrary memory section objects in any object directory writable by System. The published PoC omits the code that would yield a full System shell, but security experts warn it could be weaponized quickly. "Even with limitations around the current proof-of-concept, any path toward System-level privileges deserves close scrutiny," said Joshua Roback of Swimlane.
Corsica Technologies CISO Ross Filipek noted that public zero-day releases shrink the window between discovery and exploitation. "YellowKey and GreenPlasma expose two different but connected concerns: access to protected data and the potential for privilege escalation," he said. The researcher previously published PoC for BlueHammer, a Windows Defender flaw patched in April, which was exploited before fixes were rolled out.
Microsoft responded to a SecurityWeek inquiry, stating: "Microsoft is aware of the purported vulnerabilities and is actively investigating the validity and potential applicability of these claims across our platforms and services." The company emphasized its commitment to coordinated vulnerability disclosure but has not yet announced a patch timeline.
The disclosure highlights ongoing tensions between security researchers and Microsoft over vulnerability handling. With PoC code publicly available, organizations should prepare for potential exploitation, taking into account that YellowKey requires physical access to the device while GreenPlasma gives a local attacker a path to System.
The researcher, who has also operated under the handle Nightmare Eclipse, has now disclosed a total of six zero-days over six weeks, adding YellowKey, GreenPlasma, and MiniPlasma to the earlier BlueHammer, RedSun, and UnDefend flaws. While Microsoft has patched BlueHammer (CVE-2026-33825) and appears to have quietly fixed RedSun, the remaining vulnerabilities remain unpatched. Notably, MiniPlasma exploits CVE-2020-17103, a Cloud Files Mini Filter Driver flaw that Microsoft supposedly patched in 2020 but whose original proof-of-concept still works on fully updated Windows 11 systems, according to LevelBlue analysis.