Summary
A researcher operating under the handle Chaotic Eclipse (also seen as Nightmare Eclipse) has dropped proof-of-concept code for two unpatched Microsoft Windows flaws, nicknamed YellowKey and GreenPlasma. YellowKey is a BitLocker bypass that yields unrestricted access to an encrypted volume by abusing a component that ships only inside the Windows Recovery Environment (WinRE), while GreenPlasma is a local privilege-escalation bug. Both are zero-days with no vendor fix available at the time of writing, and security researcher Kevin Beaumont has publicly confirmed that the BitLocker exploit works.
YellowKey: a WinRE-resident BitLocker bypass
According to the researcher, YellowKey behaves "like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE)" — the recovery layer Windows uses to fix boot problems. Because the weakness lives in WinRE rather than the normal OS, it sits outside the protections users typically rely on at runtime.
The bypass affects Windows 11 and Windows Server 2022/2025. The published exploit chain works as follows:
- Stage specially crafted
FsTxfiles on a USB drive or on the EFI system partition. - Reboot the target into the Windows Recovery Environment (WinRE).
- Trigger a shell using the CTRL key.
Once the shell is open, the researcher states that "the spawned shell gains unrestricted access to the storage volume protected by BitLocker" — effectively defeating full-disk encryption from a recovery context.
Notably, the researcher says the flaw is still exploitable in environments that pair a TPM with a PIN, although the proof-of-concept covering that specific scenario has not been made public. The PoC released so far targets the standard TPM-only configuration.
Kevin Beaumont independently validated the exploit and recommended combining a BitLocker PIN with a BIOS password as a stopgap defense.
GreenPlasma: CTFMON arbitrary section creation
The second bug, GreenPlasma, is described as a "Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability." The leaked proof-of-concept is incomplete, but per the researcher it lets an unprivileged user create arbitrary memory-section objects inside SYSTEM-writable directories — a primitive that can be leveraged toward local privilege escalation.
Context: a pattern of public 0-day drops
This release follows the same researcher's earlier disclosures of two other local privilege-escalation flaws, BlueHammer (tracked as CVE-2026-33825) and RedSun, both of which were reportedly exploited in the wild after going public. Per the NVD entry, CVE-2026-33825 stems from "insufficient granularity of access control in Microsoft Defender [that] allows an authorized attacker to elevate privileges locally." Microsoft's advisory for the same identifier is published in the MSRC Security Update Guide.
The researcher attributes the decision to disclose publicly to frustration with how Microsoft handled the bug reports, and has signaled that further exploit releases will land on upcoming Patch Tuesdays.
Technical background
BitLocker normally seals a volume's encryption key to the system's measured boot state via the TPM, releasing it automatically once the boot chain verifies as unmodified. The recurring weakness in recovery-environment bypasses is that WinRE runs as a trusted, signed component of the boot path — so launching it does not, by itself, break the TPM's measurements and can leave the unlocked volume reachable. Layering a pre-boot PIN forces user-supplied entropy into the unlock, so an attacker who only controls boot media cannot silently obtain the key, which is why a BitLocker PIN is the strongest of the listed mitigations. A BIOS/UEFI password and disabling external boot devices raise the bar further by preventing an attacker from booting their own staged media in the first place.
Note: this section explains the general class of issue and does not assert implementation specifics about YellowKey beyond what the researcher disclosed.
Detection and mitigation
No official patch exists yet. Until Microsoft ships a fix, defenders should:
- Enable a BitLocker PIN in addition to TPM, so the volume cannot be unlocked from boot media alone.
- Set a BIOS/UEFI password to block unauthorized changes to the boot device order.
- Disable booting from external USB devices in BIOS/UEFI settings.
- Monitor for unauthorized access to the Windows Recovery Environment, since YellowKey's entry point is WinRE rather than the running OS.