Answer Brief
A researcher published proof-of-concept exploits for two unpatched Windows vulnerabilities: YellowKey, a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that abuses the Windows Recovery Environment (WinRE), and GreenPlasma, a privilege escalation flaw whose public PoC is incomplete. The YellowKey exploit works in the default TPM-only BitLocker configuration, where the OS volume unlocks automatically at boot, which highlights the risk of automatic decryption workflows.
Signal Timeline
A quick visual path for analysts before reading the full brief.
1. Proof-of-concept exploits for the YellowKey and GreenPlasma vulnerabilities published by the researcher Chaotic Eclipse/Nightmare Eclipse
2. Independent security researcher Kevin Beaumont confirmed the validity of the YellowKey exploit
3. Will Dormann of Tharros Labs confirmed the YellowKey exploit works with FsTx files on a USB drive but could not reproduce it via the EFI partition
Why It Matters
The release of proof-of-concept exploits for the YellowKey and GreenPlasma vulnerabilities is a significant development in Windows security, chiefly because of the BitLocker bypass. YellowKey targets a core data-protection mechanism by exploiting the Windows Recovery Environment (WinRE), the trusted repair environment that launches automatically after boot failures. By planting specially crafted FsTx files (NTFS transaction logs) on removable or embedded storage, the exploit tricks WinRE into launching a command shell instead of the legitimate recovery interface. This happens after the OS volume has been unlocked but before any user authenticates, so the attacker gets direct access to the decrypted volume without a BitLocker recovery key, a PIN, or any interaction with the TPM. That it works in the default TPM-only configuration, where BitLocker unlocks the drive silently for convenience, undermines the common assumption that TPM-backed encryption alone protects against an attacker with physical access or control of the boot path.

Technical analysis from independent researchers confirms the mechanics. Will Dormann explained that during boot Windows scans attached drives for \System Volume Information\FsTx directories and replays the NTFS logs it finds there, a process intended for recovering interrupted transactions. YellowKey abuses that replay to delete winpeshl.ini, the file that tells WinRE which shell to launch. When the file is missing, WinRE falls back to cmd.exe, providing an elevated command prompt with access to the decrypted disk. The chain depends on BitLocker's automatic unlock: in a TPM-only setup the volume key is released to the measured boot path, WinRE included, before anyone has authenticated, and that is the window the exploit uses. The researcher's claim that the flaw persists even with TPM+PIN would point to a deeper issue in how WinRE handles attached storage, but the public PoC does not demonstrate that variant, and Dormann noted that it relies on auto-unlock.

GreenPlasma is less immediately dangerous because its PoC is incomplete, but it adds a privilege escalation vector. It lets an unprivileged user create arbitrary section objects inside object-manager directories that only SYSTEM should be able to write to, which puts at risk any trusted service or driver that opens sections from those locations for configuration or code loading. The current exploit lacks the final step to SYSTEM-level execution, but the researcher states it can be chained with other techniques, so full compromise is plausible wherever low-privilege code execution is already available, for example via phishing or commodity malware.

The timing and context of the disclosure are notable. The researcher, operating as Chaotic Eclipse/Nightmare Eclipse, has a history of releasing Windows zero-days after disputes with Microsoft's bug bounty and response process. References to earlier leaks, BlueHammer (CVE-2026-33825) and RedSun, suggest a pattern of rapid weaponization after public disclosure, and the promised "big surprise" for the next Patch Tuesday signals that more is coming. Microsoft's standard response, affirming its commitment to investigation and coordinated disclosure, does not answer the researcher's criticism of silent patching and missing CVE assignments, which may further erode trust in the vulnerability reporting ecosystem.

For security and operations teams, the incident is a reason to reassess BitLocker deployments. TPM-only automatic unlock is insufficient wherever physical access or boot manipulation is realistic. Organizations should consider enforcing a pre-boot PIN (TPM+PIN), a firmware (BIOS/UEFI) password with boot from external media disabled, and monitoring for WinRE launches outside expected maintenance windows. Watching for FsTx directories appearing on attached media, or for WinRE starting when no repair was scheduled, can serve as an early warning.

The exploit requires physical or boot-level access, but its simplicity and reliability make it a credible threat in espionage, data theft or sabotage scenarios involving lost or stolen devices, and in supply-chain interference. Defenders should watch for related WinRE abuse, particularly techniques that target NTFS transaction-log replay or the integrity of the recovery environment. The broader lesson is that convenience features in encryption systems, transparent decryption included, must be weighed against the attack surface they open. Until Microsoft fixes the root cause, which the analysis so far places in WinRE's replay of transaction logs from attached volumes, YellowKey remains a working bypass of one of Windows' most trusted data protections.
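The hunting logic suggested above, as an added example that is not part of this brief, the researcher's PoC, or any Microsoft tooling: it checks every attached NTFS volume for the \System Volume Information\FsTx directory the chain depends on, flags the removable-media case that the published PoC uses, and records WinRE status via reagentc so an unexpected recovery boot can be correlated later. The function names are this example's own; it assumes an elevated PowerShell session on a Windows 11 or Server 2022/2025 host.

```powershell
# Added example for the YellowKey brief (not the researcher's PoC, not Microsoft tooling).
# Run from an elevated PowerShell session. Function names are this example's own.

function Find-FsTxDirectory {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-Volume | Where-Object { $_.DriveLetter -and $_.FileSystem -eq 'NTFS' }) {
        $root = '{0}:\' -f $vol.DriveLetter
        $fstx = Join-Path $root 'System Volume Information\FsTx'
        # System Volume Information is ACLed to SYSTEM; the existence check still
        # works from an elevated shell because administrators hold the
        # bypass-traverse-checking privilege. If your build returns Access Denied
        # here, rerun the script as SYSTEM.
        $found   = [System.IO.Directory]::Exists($fstx)
        $entries = @()
        if ($found) {
            try   { $entries = @(Get-ChildItem -LiteralPath $fstx -Force -ErrorAction Stop | ForEach-Object Name) }
            catch { $entries = @("<access denied: $($_.Exception.Message)>") }
        }
        [pscustomobject]@{
            Drive      = $root
            DriveType  = $vol.DriveType          # Fixed or Removable
            FsTxFound  = $found
            Entries    = ($entries -join ';')
            # The published PoC plants its FsTx logs on a USB stick, so an FsTx
            # directory on removable media is the strongest signal. Baseline fixed
            # volumes against a known-good host before treating them as suspicious.
            Suspicious = ($found -and $vol.DriveType -eq 'Removable')
        }
    }
}

function Get-WinReStatus {
    # reagentc /info is the supported way to query WinRE; parse its "key: value" lines.
    $info = @{}
    foreach ($line in (reagentc /info 2>&1)) {
        if ("$line" -match '^\s*(.+?):\s+(.+?)\s*$') { $info[$Matches[1].Trim()] = $Matches[2] }
    }
    [pscustomobject]@{
        Enabled  = ($info['Windows RE status'] -eq 'Enabled')
        Location = $info['Windows RE location']
        Raw      = $info
    }
}

# Usage: emit the findings as JSON so they can be shipped to a SIEM.
$report = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
    WinRe     = Get-WinReStatus
    Volumes   = @(Find-FsTxDirectory)
}
$report | ConvertTo-Json -Depth 4
if ($report.Volumes | Where-Object Suspicious) {
    Write-Warning 'FsTx directory found on removable media: isolate the host and preserve the drive for forensics.'
}
```

Schedule this at logon or as a periodic task and alert on any Suspicious=true record; the WinRe block gives responders the recovery image location to image if the host is later found in WinRE with no scheduled repair. Whether an FsTx directory is ever present on a healthy fixed volume is not established by the brief, so the fixed-volume result is reported rather than flagged.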
Event Type: security
Importance: high
Affected Companies
- Microsoft
Affected Sectors
- cybersecurity
- technology
Key Numbers
- Vulnerabilities disclosed: 2
- Affected Windows versions: Windows 11, Windows Server 2022/2025
Frequently Asked Questions
What is the YellowKey vulnerability and how does it bypass BitLocker?
YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025. It abuses the Windows Recovery Environment (WinRE): crafted 'FsTx' NTFS transaction-log files placed on a USB drive (or, per the researcher, on the EFI partition; Will Dormann could reproduce only the USB variant) are replayed during WinRE boot, after which the CTRL key triggers a command shell with unrestricted access to the BitLocker-protected drive, no credentials required.
Does the YellowKey exploit work against TPM+PIN BitLocker configurations?
According to the researcher Chaotic Eclipse, the underlying flaw remains exploitable even in TPM+PIN environments, but the current public PoC does not demonstrate that variant. Will Dormann noted that the existing exploit depends on BitLocker auto-unlock and may not work in TPM+PIN setups; the researcher maintains that the flaw persists regardless.
What is the GreenPlasma vulnerability and its current exploit status?
GreenPlasma is a privilege escalation flaw described as a 'Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability.' The leaked PoC is incomplete and lacks the components needed for a full SYSTEM shell, but the researcher states that a skilled user could extend it to full escalation by abusing the section objects that trusted components map.
What mitigations are recommended for the YellowKey BitLocker bypass?
Kevin Beaumont recommends using a BitLocker pre-boot PIN and a BIOS/UEFI password. These add an authentication step before the volume is unlocked, which the published PoC does not handle, though the researcher maintains that the core flaw remains exploitable even with these controls in place.
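The PIN mitigation recommended here and in the guidance above, as an added example that is not part of this brief and is not Beaumont's or Microsoft's code: it lists BitLocker volumes that still auto-unlock with a bare TPM protector, writes the FVE policy values that require TPM+PIN at startup, and converts a volume to a TPM+PIN protector without leaving it with no usable protector. It closes the auto-unlock precondition the public PoC relies on; it does nothing about the researcher's claim that the flaw survives TPM+PIN. The function names and the PIN prompt are this example's own; it assumes an elevated session on a TPM-equipped host with the BitLocker module present.

```powershell
# Added example for the YellowKey brief (not Beaumont's, Microsoft's, or the brief's own code).
# Run elevated on a TPM-equipped host. Function names and the PIN prompt are this example's own.

function Get-TpmOnlyBitLockerVolume {
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ',')
            # A Tpm protector with no TpmPin or TpmPinStartupKey protector means the
            # volume key is released at boot with no user interaction at all.
            TpmOnly          = ($types -contains 'Tpm') -and
                               -not (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))
        }
    }
}

function Set-RequireTpmPinPolicy {
    # Registry form of "Require additional authentication at startup".
    # Values: 0 = do not allow, 1 = require, 2 = allow. Policy must permit a PIN
    # before Add-BitLockerKeyProtector will accept one.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    $values = @{
        UseAdvancedStartup = 1   # enable the startup-authentication policy
        EnableBDEWithNoTPM = 0
        UseTPM             = 0   # TPM-only: do not allow
        UseTPMPIN          = 1   # TPM+PIN: require
        UseTPMKey          = 0
        UseTPMKeyPIN       = 2
        MinimumPIN         = 8
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $fve -Name $name -Value $values[$name] -Type DWord
    }
}

function ConvertTo-TpmPinVolume {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Never leave the volume without a usable protector: make sure a recovery
    # password exists first (printed here; escrow it to AD/Entra in production).
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        $rp  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $pwd = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
        Write-Warning "Recovery password for ${MountPoint}: $pwd"
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # BitLocker keeps one TPM-based protector per volume; if a bare Tpm protector
    # is still listed after adding TPM+PIN, remove it so silent unlock is gone.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
    Get-TpmOnlyBitLockerVolume | Where-Object MountPoint -eq $MountPoint
}

# Usage: audit first, then enforce on the OS volume.
Get-TpmOnlyBitLockerVolume | Format-Table -AutoSize
Set-RequireTpmPinPolicy
$pin = Read-Host -AsSecureString 'New pre-boot PIN'   # placeholder prompt; use your provisioning flow instead
ConvertTo-TpmPinVolume -MountPoint 'C:' -Pin $pin
```

The final line should report TpmOnly=False for C:. Pair this with the firmware controls Beaumont mentions (a BIOS/UEFI password and external boot disabled), which are set in firmware and cannot be scripted from the OS in a vendor-neutral way.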