Microsoft BitLocker-protected drives can now be opened with just some files on a USB stick — YellowKey zero-day exploit demonstrates an apparent backdoor
Source: Tom’s Hardware

Background
Last month, security researcher Chaotic Eclipse (aka Nightmare‑Eclipse) published two zero‑day exploits, BlueHammer and RedSun, after their disclosure reports were allegedly dismissed by Microsoft’s security team. The researcher now claims two additional zero‑days: an extremely serious BitLocker exploit named YellowKey and a local privilege‑escalation exploit called GreenPlasma.
YellowKey Exploit
YellowKey can be triggered by copying a few files to a USB stick and rebooting into the Windows Recovery Environment (WinRE). The exploit then grants full access to a BitLocker‑protected drive. After a single use, the exploit files disappear from the USB stick, giving the appearance of a backdoor.

Key points:
- Works on Windows Server 2022 and 2025, but not on Windows 10.
- Reportedly bypasses full TPM‑and‑PIN configurations, though a PoC for that scenario has not been published.
- The vulnerability is described as well‑hidden; the researcher claims they could have sold it but chose not to.
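The attack above needs only physical access and a reboot into WinRE, so the first thing to know about a fleet is which volumes unlock from the TPM alone and whether WinRE is enabled at all. The script below is an added audit example, not code from the article or from the researcher; it assumes it is run as Administrator on a Windows host that ships the BitLocker PowerShell module and reagentc.exe, and the function names (Get-BitLockerExposure, Get-WinReStatus) are this example's own.

```powershell
# Added audit script (not from the article or the researcher): lists each BitLocker
# volume's key protectors so you can see which volumes unlock with the TPM alone
# (no pre-boot PIN) and whether WinRE is enabled on this machine.
# Assumes: run as Administrator on Windows with the BitLocker module and reagentc.exe.
#Requires -RunAsAdministrator

function Get-BitLockerExposure {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey, Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            # A bare 'Tpm' protector means the TPM releases the volume key at boot with
            # no user secret; a PIN-protected volume shows 'TpmPin' instead.
            TpmOnlyUnlock    = ($types -contains 'Tpm')
            HasPreBootPin    = [bool]($types | Where-Object { $_ -like 'TpmPin*' })
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Get-WinReStatus {
    # reagentc.exe /info prints a line "Windows RE status: Enabled" or "Disabled".
    # The label is localized on non-English systems; adjust the pattern if needed.
    $out  = & reagentc.exe /info 2>&1
    $line = $out | Where-Object { $_ -match 'Windows RE status' }
    if     ($line -match 'Enabled')  { 'Enabled' }
    elseif ($line -match 'Disabled') { 'Disabled' }
    else                             { 'Unknown' }
}

Get-BitLockerExposure | Format-Table -AutoSize
"WinRE status: $(Get-WinReStatus)"
```

Treat TpmOnlyUnlock as the baseline exposure rather than a guarantee the other way: the researcher reportedly claims YellowKey also defeats TPM-and-PIN setups, although no PoC for that scenario has been published.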
GreenPlasma Exploit
GreenPlasma does not yet have a complete proof‑of‑concept, but it is alleged to achieve local privilege escalation by manipulating the CTFMon process. The exploit places a crafted memory section object in any Windows Object Manager section writable by the SYSTEM user, bypassing normal access controls. This could allow an attacker to obtain full system‑level access, surpassing even administrator privileges.
Impact
- BitLocker Trust: The exploit undermines confidence in BitLocker for protecting drives on millions of machines worldwide, including home, enterprise, and government systems.
- Physical Theft Threat: TPM-bound keys normally ensure that a drive pulled from one machine (Alice) cannot be unlocked in another (Bob), because the TPM only releases the volume key to its own machine's boot chain. YellowKey shows that stealing the whole device is still enough: the attacker boots that same machine into WinRE from a USB stick, and the exploit grants access to the protected volume without the key ever being extracted.
- Server Environments: GreenPlasma, if functional, could let a regular user gain control of a server and all associated data.
Current Status
- No official response from Microsoft regarding YellowKey or GreenPlasma at the time of writing.
- BlueHammer has been patched.
- The researcher claims Microsoft silently patched RedSun, though no official confirmation exists.