Windows BitLocker zero-day gives access to protected drives, PoC released

Published: (May 13, 2026 at 12:37 PM EDT)

Source: Bleeping Computer

![](https://www.bleepstatic.com/content/hl-images/2026/02/13/Windows-headpic.jpg)

A cybersecurity researcher has published proof‑of‑concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named **YellowKey** and **GreenPlasma**, which are a BitLocker bypass and a privilege‑escalation flaw, respectively.

The researcher, known as **Chaotic Eclipse** or **Nightmare Eclipse**, describes the BitLocker bypass as functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE), the environment used to repair boot‑related issues in Windows.

The latest exploits follow the researcher’s previous disclosure of the [BlueHammer](https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/) (CVE‑2026‑33825) and [RedSun](https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/) (no identifier) local‑privilege‑escalation (LPE) zero‑day flaws, both of which began to be [exploited in the wild](https://www.bleepingcomputer.com/news/security/recently-leaked-windows-zero-days-now-exploited-in-attacks/) shortly after being publicly disclosed.

As in previous cases, the researcher stated that the decision to publicly disclose the YellowKey and GreenPlasma vulnerabilities, along with guidance on how to leverage them, was driven by dissatisfaction with Microsoft’s handling of bug reports.

Chaotic Eclipse (or Nightmare‑Eclipse on GitHub) said that they will keep leaking exploits for undocumented Windows vulnerabilities, even promising “a big surprise” for the next Patch Tuesday.

---

## The YellowKey BitLocker bypass

The researcher says that **YellowKey** is a BitLocker bypass that affects Windows 11 and Windows Server 2022/2025. It involves:

1. Placing specially crafted **FsTx** files on a USB drive **or** the EFI partition.  
2. Rebooting into WinRE.  
3. Triggering a shell by holding down the **CTRL** key.

> **Note:** The bypass should also work without external storage by copying the files directly to the EFI partition on the target drive.

According to Chaotic/Nightmare Eclipse, the spawned shell gains unrestricted access to the storage volume protected by BitLocker.

### Independent confirmation

* **Kevin Beaumont** confirmed that the YellowKey exploit is valid and agreed that BitLocker effectively has a backdoor. He recommended using a BitLocker **PIN** and a **BIOS password** as mitigations.  
  *Source: [Kevin Beaumont’s post](https://infosec.exchange/@GossiTheDog@cyberplace.social/116565662576692726).*

* In an update, Chaotic Eclipse said that “the real root cause is still **unknown** to the general public” and that the vulnerability is exploitable even in a TPM + PIN environment. However, the PoC for this configuration has **not** been released.

> “I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden,” the researcher wrote.  
> — [Researcher’s blog post](https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html)

> “No, TPM + PIN does not help; the issue is still exploitable regardless. I asked myself this question: can it still work in a TPM + PIN environment? **Yes**, it does. I’m just not publishing the PoC; I think what’s out there is already bad enough.”

### Confirmation from Tharros Labs

**Will Dormann**, principal vulnerability analyst at Tharros Labs, also confirmed the exploit:

* He reproduced the YellowKey exploit using the FsTx files on a USB drive but could **not** reproduce the bug using the EFI partition.  
  *Source: [Will Dormann’s post](https://infosec.exchange/@wdormann/116565129854382214).*

* Dormann explained to BleepingComputer:

  > “YellowKey exploits NTFS transactions in combination with the Windows Recovery image. This PIN prompt happens before Windows Recovery is entered.”

  He clarified the exploit process:

  > *To boot Windows Recovery, Windows looks for `\System Volume Information\FsTx` directories on attached drives and will replay any NTFS logs.*  
  > *The result is that `X:\Windows\System32\winpeshl.ini` is deleted, and when Windows Recovery is entered, instead of launching the actual recovery environment, it pops up a `CMD.EXE` with the disk still unlocked.*

* By default, **TPM‑only BitLocker** configurations unlock encrypted drives automatically without requiring user interaction. If a system can transparently decrypt a disk for convenience, it is reasonable to expect that attackers may eventually find ways to abuse that process.

  > “YellowKey is an example of an exploit for such a weakness,” Dormann said, noting that because it leverages the auto‑unlock feature on boot, the current YellowKey exploit **does not** work in a TPM + PIN environment.

* Testing YellowKey with a BitLocker‑protected drive must be performed on the original device, where the TPM stores the encryption keys. Consequently, Chaotic Eclipse’s current YellowKey exploit does **not** work with stolen drives but allows access to disks protected with TPM‑only BitLocker without needing credentials.
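The two conditions the reporting above ties to YellowKey are a TPM‑only protector that auto‑unlocks the volume at boot (the Dormann analysis) and an `FsTx` directory under `\System Volume Information` on an attached drive (the replay location Dormann describes). The following PowerShell audit, added here as an example and not code from the article, the researcher's repository or Microsoft, checks a machine for both. It uses the standard `Get-BitLockerVolume`, `Get-Volume` and `Test-Path` cmdlets; the report layout, the `TpmOnlyAutoUnlock` flag and the function names are this example's own choices, and it must run elevated to read `System Volume Information`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or the leaked PoC): defensive audit for the two
# YellowKey-related conditions described by Dormann and Beaumont.
#   1. BitLocker volumes whose only TPM protector is a bare "Tpm" entry (auto-unlock at boot).
#   2. Attached volumes carrying "\System Volume Information\FsTx", the directory the
#      article says WinRE replays NTFS transaction logs from.
# Function names and output fields are this example's own; cmdlets are standard Windows ones.

function Get-BitLockerProtectorRisk {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey and Password.
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin = @($types | Where-Object { $_ -like 'TpmPin*' }).Count -gt 0
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            ProtectionOn      = ($vol.ProtectionStatus -eq 'On')
            Protectors        = ($types -join ',')
            # Flag only live, protected volumes that rely on a bare TPM protector with no PIN variant.
            TpmOnlyAutoUnlock = (($types -contains 'Tpm') -and (-not $hasPin) -and ($vol.ProtectionStatus -eq 'On'))
        }
    }
}

function Find-FsTxDirectories {
    # Walk every lettered volume, fixed and removable alike; the article's PoC uses USB or EFI.
    foreach ($v in Get-Volume | Where-Object { "$($_.DriveLetter)" -match '^[A-Za-z]$' }) {
        $path = "$($v.DriveLetter):\System Volume Information\FsTx"
        if (Test-Path -LiteralPath $path -PathType Container) {
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Drive     = $v.DriveLetter
                DriveType = $v.DriveType
                FsTxPath  = $path
                LastWrite = $item.LastWriteTime
                Entries   = @(Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue).Count
            }
        }
    }
}

'== BitLocker protector audit =='
$risk = @(Get-BitLockerProtectorRisk)
$risk | Format-Table -AutoSize
foreach ($r in ($risk | Where-Object TpmOnlyAutoUnlock)) {
    # Beaumont's recommended mitigation: require a pre-boot PIN (and set a firmware password).
    Write-Warning ("{0} unlocks automatically at boot (TPM-only). Consider: " +
        "Add-BitLockerKeyProtector -MountPoint '{0}' -TpmAndPinProtector -Pin (Read-Host -AsSecureString)") -f $r.MountPoint
}

'== FsTx directories on attached volumes =='
$hits = @(Find-FsTxDirectories)
if ($hits.Count -eq 0) { 'none found' } else { $hits | Format-Table -AutoSize }
```

A hit from `Find-FsTxDirectories` is a lead to investigate (when the directory appeared, what it contains, whether the drive was recently attached), not proof of tampering on its own; compare against a known‑good baseline before acting on it. The `TpmOnlyAutoUnlock` flag reflects Dormann's finding that the released exploit depends on auto‑unlock; the researcher disputes that TPM + PIN is sufficient, so treat the PIN as a reduction of exposure rather than a complete fix until Microsoft ships a patch.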

---

## The GreenPlasma exploit

**GreenPlasma** is a privilege‑escalation issue that could be exploited to obtain a shell with **SYSTEM** permissions. Chaotic Eclipse describes it as a “Windows **CTFMON** Arbitrary Section Creation Elevation of Privileges Vulnerability.”

* An unprivileged user can create arbitrary memory‑section objects within directory objects writable by SYSTEM, potentially allowing manipulation of privileged services or drivers that trust those locations.

* The leaked PoC is **incomplete** and lacks the component needed to achieve a full SYSTEM shell.

> **Status:** The exploit remains partially disclosed; further development would be required to turn it into a functional, fully‑privileged shell.

---


eless, "if you're smart enough, you can turn this into a full privilege escalation," Chaotic Eclipse says.

The disgruntled researcher added that the newly created section could be influenced to manipulate data and various services, including kernel‑mode drivers, into trusting specific paths that standard users cannot access.

![GreenPlasma demo](https://www.bleepstatic.com/images/news/u/1220909/2026/May/greenplasma.png)
**GreenPlasma demo**  
*Source: GitHub*

While the exact circumstances that triggered Chaotic Eclipse's spree of exploit leaks remain unclear, the researcher has hinted at “a big surprise” for Microsoft on next month’s Patch Tuesday.

Additionally, they said that "Microsoft silently patched the RedSun vulnerability" and criticized the company for the hushed activity and not assigning an identifier for the vulnerability, as was the case with BlueHammer.

BleepingComputer has contacted Microsoft for a comment on Chaotic Eclipse’s latest exploit leaks, and a spokesperson stated that the company is committed to investigating reported security issues, **“and update impacted devices to protect customers as soon as possible.”**

> "We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community," a Microsoft spokesperson told BleepingComputer.

