A security researcher has published proof-of-concept exploits for two unpatched Microsoft Windows vulnerabilities called YellowKey and GreenPlasma. YellowKey functions as a BitLocker bypass, while GreenPlasma is a privilege-escalation flaw.
The researcher, known as Chaotic Eclipse or Nightmare Eclipse, describes the BitLocker issue as "functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE)," which repairs boot-related issues.
YellowKey BitLocker Bypass
YellowKey affects Windows 11 and Windows Server 2022/2025. The exploit involves placing specially crafted 'FsTx' files on a USB drive or EFI partition, rebooting into WinRE, and triggering a shell via the CTRL key.
According to the researcher, "the spawned shell gains unrestricted access to the storage volume protected by BitLocker." Security researcher Kevin Beaumont confirmed the exploit's validity and recommended using a BitLocker PIN and a BIOS password as mitigations.
The researcher notes that the vulnerability remains exploitable in TPM and PIN environments, though the proof-of-concept for that scenario has not been released publicly.
GreenPlasma Exploit
GreenPlasma is described as a "Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability." The leaked proof-of-concept is incomplete but enables unprivileged users to create arbitrary memory-section objects within SYSTEM-writable directories.
Context: Previous Disclosures
This follows the researcher's earlier public disclosure of BlueHammer (CVE-2026-33825) and RedSun, both local privilege escalation flaws that were subsequently exploited in the wild.
The researcher attributed the public disclosure to dissatisfaction with Microsoft's bug report handling and promised additional exploit releases on future Patch Tuesdays.
Mitigations
Until Microsoft releases an official patch:
- Enable BitLocker PIN in addition to TPM
- Set a BIOS/UEFI password to prevent unauthorized boot device changes
- Disable boot from external USB devices in BIOS settings
- Monitor for unauthorized access to Windows Recovery Environment
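To check the first item across a fleet, the script below lists each BitLocker volume's key protectors, flags operating-system volumes that unlock from the TPM alone, and reports whether WinRE is registered. It is an added example, not code from the researcher or Microsoft, and it assumes an elevated session, the built-in BitLocker PowerShell module, and English-language `reagentc` output.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker pre-boot authentication and report WinRE state.

# Protector types that require a PIN or startup key before the volume unlocks.
$preBootTypes = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey'

$report = foreach ($vol in Get-BitLockerVolume) {
    # Normalise the protector enum values to strings for comparison.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $hasPreBoot = @($types | Where-Object { $_ -in $preBootTypes }).Count -gt 0

    $finding = if ("$($vol.ProtectionStatus)" -ne 'On') {
        'Protection off or suspended'
    } elseif ($hasPreBoot) {
        'Pre-boot authentication configured'
    } elseif ($types -contains 'Tpm') {
        'TPM-only: unlocks with no user input'
    } else {
        'No TPM protector on this volume'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        VolumeType = "$($vol.VolumeType)"
        Protectors = $types -join ', '
        Finding    = $finding
    }
}
$report | Format-Table -AutoSize

# WinRE registration state. Assumption: English-language reagentc output.
$reInfo = (reagentc.exe /info 2>&1 | Out-String)
$winRe  = if ($reInfo -match 'Windows RE status:\s*(\w+)') { $Matches[1] } else { 'Unknown' }
"Windows RE status: $winRe"

# Surface operating-system volumes that lack a PIN or startup key.
$weak = @($report | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and $_.Finding -notlike 'Pre-boot*'
})
foreach ($w in $weak) {
    Write-Warning "$($w.MountPoint) $($w.Finding)"
}
```

A volume reported as "Pre-boot authentication configured" satisfies the first mitigation only; the BIOS/UEFI password and USB boot settings are firmware options that this script does not read.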