Researcher Publishes PoC Exploits for Two Unpatched Windows Zero-Days: YellowKey and GreenPlasma
A cybersecurity researcher has released proof-of-concept exploits for two unpatched Windows zero-day vulnerabilities, including a BitLocker bypass that grants full access to encrypted drives and a privilege escalation flaw.

A cybersecurity researcher known as Chaotic Eclipse (or Nightmare Eclipse) has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities dubbed YellowKey and GreenPlasma. YellowKey is a BitLocker bypass that allows an attacker with physical access to unlock and read the contents of a BitLocker-protected drive without the decryption key. GreenPlasma is a privilege escalation vulnerability that can be used to obtain SYSTEM-level permissions on a fully patched Windows system.
The YellowKey exploit targets Windows 11 and Windows Server 2022/2025. It works by placing specially crafted 'FsTx' files on a USB drive or on the EFI partition of the target system. When the machine boots into the Windows Recovery Environment (WinRE), the attacker holds down the CTRL key to trigger a command shell. This shell runs with full access to the BitLocker-protected volume, effectively bypassing the encryption.
Independent security researcher Kevin Beaumont confirmed that the YellowKey exploit is valid and described it as a backdoor in BitLocker. Will Dormann, principal vulnerability analyst at Tharros Labs, also verified the exploit and explained the technical mechanism: YellowKey abuses NTFS transactions in combination with the Windows Recovery image. When WinRE boots, it looks for FsTx directories on attached drives and replays NTFS logs, which results in the deletion of a critical configuration file and the launch of a command prompt instead of the recovery environment.
The exploit is most effective against systems using TPM-only BitLocker configurations, which automatically unlock the drive at boot without requiring a PIN. Dormann noted that the current PoC does not work with TPM+PIN setups because the PIN prompt occurs before WinRE is entered. However, the researcher behind YellowKey claims that the underlying vulnerability is exploitable even with TPM+PIN, though they have not released a PoC for that scenario. Importantly, the exploit requires physical access to the original device and does not work with stolen drives, as the TPM stores the encryption keys.
GreenPlasma is described as a 'Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability.' An unprivileged user can create arbitrary memory-section objects within directory objects writable by SYSTEM, potentially allowing manipulation of privileged services or drivers. The leaked PoC is incomplete and lacks the component needed to achieve a full SYSTEM shell, but the researcher claims it can be turned into a complete privilege escalation exploit by a skilled attacker.
Microsoft has not yet patched either vulnerability. The researcher stated that the public disclosure was driven by dissatisfaction with Microsoft's handling of bug reports and has promised 'a big surprise' for the next Patch Tuesday. BleepingComputer contacted Microsoft for comment, and a spokesperson said the company is committed to investigating reported security issues and updating impacted devices to protect customers. In the meantime, users are advised to use a BitLocker PIN and a BIOS password as a mitigation against the YellowKey exploit.
Microsoft has now released a mitigation for the YellowKey BitLocker bypass (CVE-2026-45585), which involves modifying the WinRE image to prevent the FsTx Auto Recovery Utility from automatically starting. The advisory also recommends switching from TPM-only to TPM+PIN protection to block the attack. The mitigation applies to Windows 11 and Server 2025 systems, and Microsoft confirmed awareness of the zero-day exploit.
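The mitigation both the researcher and Microsoft point to is moving from TPM-only to TPM+PIN protection. The script below is an added example for administrators auditing their own fleet; it is not code from the article, from the researcher, or from Microsoft's advisory. It assumes the standard BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector) and an elevated session, reports which volumes rely on a TPM-only protector, and offers to add a TPM+PIN protector to any operating-system volume found in that state.

```powershell
# Added example (not from the article): audit BitLocker key protectors on the local
# machine and flag OS volumes that rely on TPM-only protection, the configuration the
# article says the current YellowKey PoC targets. Requires the BitLocker module and
# an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-BitLockerPinPosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values come from the BitLocker module, e.g. Tpm, TpmPin,
        # TpmPinStartupKey, RecoveryPassword, Password, ExternalKey.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Protectors that require something the user knows before the OS volume unlocks.
        $hasPinProtector = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly         = ($types -contains 'Tpm') -and (-not $hasPinProtector)

        $finding = 'n/a'
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if ($tpmOnly) {
                $finding = 'TPM-only: volume auto-unlocks at boot; add a TPM+PIN protector'
            } elseif ($hasPinProtector) {
                $finding = 'TPM+PIN present'
            }
        }

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            TpmOnly          = $tpmOnly
            Finding          = $finding
        }
    }
}

# Report first, then optionally remediate OS volumes that are TPM-only.
$report = Get-BitLockerPinPosture
$report | Format-Table -AutoSize

$osTpmOnly = $report | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnly }
foreach ($entry in $osTpmOnly) {
    # Read the PIN interactively as a SecureString so it never lands in a script,
    # a transcript, or shell history.
    $pin = Read-Host -AsSecureString "Enter the new BitLocker PIN for $($entry.MountPoint)"
    Add-BitLockerKeyProtector -MountPoint $entry.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Re-query and confirm the protector list now includes TpmPin.
    Get-BitLockerVolume -MountPoint $entry.MountPoint |
        Select-Object MountPoint,
            @{ n = 'KeyProtectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
}
```

Two practical notes: a volume holds a single TPM-based protector, so adding the TPM+PIN protector supersedes the TPM-only one rather than sitting beside it, which is why the script re-queries to confirm the change; and on domain-joined or policy-managed machines the "Require additional authentication at startup" policy must permit a startup PIN, otherwise Add-BitLockerKeyProtector refuses the new protector. Keep the recovery password escrowed before changing protectors, since a user who forgets the new PIN will need it at the next boot.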