A security researcher has released working proof-of-concept (PoC) code targeting two previously unknown Microsoft Windows flaws, dubbed YellowKey and GreenPlasma. The first is a BitLocker bypass, while the second is a privilege-escalation vulnerability.
Operating under the aliases Chaotic Eclipse and Nightmare Eclipse, the researcher characterizes the BitLocker bypass as effectively functioning like a backdoor, since the vulnerable component exists solely within the Windows Recovery Environment (WinRE)—the tool used to fix boot-related problems in Windows.
These latest disclosures come on the heels of the researcher’s earlier revelations of BlueHammer (CVE-2026-33825) and RedSun (no CVE assigned), both local privilege escalation (LPE) zero-days that were rapidly weaponized in real-world attacks shortly after being made public.
As with prior cases, the researcher explained that the choice to publicly release details on YellowKey and GreenPlasma—along with instructions for exploiting them—stemmed from frustration with how Microsoft handled their bug reports.
Chaotic Eclipse, also known as Nightmare-Eclipse on GitHub, declared they will continue publishing exploits for undocumented Windows flaws and even teased “a major surprise” for the upcoming Patch Tuesday.
The YellowKey BitLocker Bypass
According to the researcher, YellowKey is a BitLocker bypass impacting Windows 11 and Windows Server 2022/2025. The attack works by placing specially crafted ‘FsTx’ files onto a USB drive or the EFI partition, rebooting the machine into WinRE, and opening a shell by pressing and holding the CTRL key.
The BitLocker bypass can also be carried out without any external storage device by copying the files directly to the EFI partition on the target drive.
Chaotic/Nightmare Eclipse claims the resulting shell provides full, unrestricted access to the BitLocker-protected storage volume.
Independent security researcher Kevin Beaumont verified that the YellowKey exploit is effective and concurred that BitLocker effectively contains a backdoor. He suggested using a BitLocker PIN combined with a BIOS password as a defensive measure.
In a recent update, Chaotic Eclipse noted that “the true root cause remains unknown [sic] to the general public” and that the flaw can still be exploited even when a TPM (Trusted Platform Module) and PIN are in use. However, the PoC for this particular variant has not been made public.
“I believe it will take considerable time even for MSRC to pinpoint the actual root cause of this issue. I simply could never figure out why this vulnerability is so deeply concealed,” the researcher remarked.
“No, TPM+PIN doesn’t help—the flaw is still exploitable regardless. I asked myself whether it could still function in a TPM+PIN setup. The answer is yes. I’m just withholding the PoC; I think what’s already out there is damaging enough.”
Will Dormann, principal vulnerability analyst at Tharros Labs, also confirmed that the YellowKey exploit functioned when using FsTx files on a USB drive but was unable to reproduce the issue via the EFI partition method.
He told BleepingComputer that “YellowKey takes advantage of NTFS transactions in conjunction with the Windows Recovery image. The PIN prompt appears before Windows Recovery is launched.”
Dormann outlined the exploit chain, explaining that to initiate Windows Recovery, “Windows searches for System Volume Information\FsTx directories on connected drives and replays any NTFS transaction logs.”
“The outcome is that the X:\Windows\System32\winpeshl.ini file is removed, and when Windows Recovery starts, instead of loading the actual recovery environment, it opens a CMD.EXE prompt—with the disk still unlocked.” — Will Dormann
By default, TPM-only BitLocker setups automatically decrypt drives without any user input. If a system can silently unlock a disk for ease of use, it stands to reason that attackers will eventually discover ways to exploit that mechanism.
“YellowKey is an illustration of an exploit targeting exactly that kind of weakness,” Dormann noted, clarifying that because it takes advantage of the auto-unlock behavior during boot, the current YellowKey PoC does not function in a TPM+PIN configuration.
It’s important to note that testing YellowKey against a BitLocker-protected drive must be done on the original hardware, where the TPM holds the encryption keys.
Consequently, Chaotic Eclipse’s present YellowKey exploit does not work on stolen drives but does grant access to disks secured with TPM-only BitLocker without requiring any credentials.
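The two defensive checks that follow from the description above, as an added example that is not part of the article or of the researcher's published code: flag BitLocker volumes whose only boot-time protector is the bare TPM (the auto-unlock configuration YellowKey relies on, and the one Beaumont suggests hardening with a PIN), and look on mounted volumes for the System Volume Information\FsTx directory Dormann names as the artifact WinRE replays. The cmdlets are the standard BitLocker and Storage module cmdlets; the path string comes from the article, and everything else (function names, output shape) is this example's own choice.

```powershell
# Added example (not from the article or the researcher's PoC). Needs an
# elevated session: BitLocker cmdlets and 'System Volume Information' ACLs
# both require administrator rights.
#Requires -RunAsAdministrator

# Protector types that demand user input before the volume unlocks at boot.
$interactiveProtectors = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

function Get-TpmOnlyVolumes {
    # Encrypted volumes whose protectors include the bare TPM and none of the
    # interactive types above, i.e. volumes Windows unlocks silently at boot.
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } | Where-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        ($types -contains 'Tpm') -and
        -not ($types | Where-Object { $interactiveProtectors -contains $_ })
    }
}

function Find-FsTxDirectories {
    # Checks every lettered volume for the transaction-log directory the article
    # says WinRE scans on connected drives. Hits on removable media deserve review.
    foreach ($vol in Get-Volume | Where-Object { $_.DriveLetter }) {
        $path = Join-Path "$($vol.DriveLetter):\" 'System Volume Information\FsTx'
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{
                Drive     = $vol.DriveLetter
                DriveType = $vol.DriveType
                Path      = $path
                Entries   = @(Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue).Count
            }
        }
    }
}

$tpmOnly = Get-TpmOnlyVolumes
if ($tpmOnly) {
    Write-Warning 'TPM-only BitLocker volumes auto-unlock at boot; consider Add-BitLockerKeyProtector -TpmAndPinProtector.'
    $tpmOnly | Select-Object MountPoint, VolumeStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } | Format-Table -AutoSize
} else {
    Write-Output 'No TPM-only BitLocker volumes found.'
}

$fsTx = Find-FsTxDirectories
if ($fsTx) { Write-Warning 'FsTx directories present:'; $fsTx | Format-Table -AutoSize }
else       { Write-Output 'No System Volume Information\FsTx directories on lettered volumes.' }
```

The EFI system partition normally has no drive letter, so it is skipped unless you first assign one (for example with `mountvol <letter>: /S`) and remove it again afterwards.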
The GreenPlasma Exploit
GreenPlasma is a privilege-escalation vulnerability that could be leveraged to spawn a shell running with SYSTEM-level permissions. Chaotic Eclipse refers to it as a “Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability.”
A low-privileged user can craft arbitrary memory-section objects inside directory objects that are writable by SYSTEM, potentially enabling manipulation of privileged services or drivers that rely on those locations.
The published PoC is incomplete, however, and is missing the component required to achieve a full SYSTEM shell. Still, Chaotic Eclipse asserts that “if you’re clever enough, you can convert this into a complete privilege escalation.”
The frustrated researcher added that the newly created section could be leveraged to tamper with data and various services—including kernel-mode drivers—into trusting specific file paths that ordinary users would not normally be able to reach.
While the precise circumstances that triggered Chaotic Eclipse’s wave of exploit releases remain unclear, the researcher has hinted at “a major surprise” for Microsoft during next month’s Patch Tuesday.
They also claimed that “Microsoft quietly patched the RedSun vulnerability” and criticized the company for the covert handling of the fix and for failing to assign a CVE identifier, just as had occurred with BlueHammer.
BleepingComputer reached out to Microsoft for a statement regarding Chaotic Eclipse’s latest exploit releases. A spokesperson responded that the company is committed to investigating all reported security issues and will “update impacted devices to protect customers as quickly as possible.”
“We also support coordinated vulnerability disclosure—a widely adopted industry practice that helps ensure issues are thoroughly investigated and resolved before public disclosure, benefiting both customer protection and the broader security research community,” the Microsoft spokesperson told BleepingComputer.