Windows BitLocker zero-day PoC: YellowKey & GreenPlasma

Windows BitLocker – PoC code has been published for two unpatched Windows vulnerabilities, including a BitLocker bypass and a SYSTEM privilege escalation flaw.
A fresh set of Windows zero-day proof-of-concepts is circulating after a cybersecurity researcher published exploit code for two unpatched Microsoft flaws: one capable of bypassing BitLocker protections and another designed to escalate privileges to SYSTEM. The move is already raising alarm for defenders, particularly because the BitLocker issue, known as YellowKey, is tied to the Windows Recovery Environment (WinRE), where boot-repair operations can unexpectedly become an attack path.
The researcher behind the disclosure, operating under the names Chaotic Eclipse and Nightmare Eclipse, described the YellowKey issue as behaving like a backdoor. The key detail is that the vulnerable component is only present in WinRE, the environment Windows uses when repairing boot-related problems. By targeting WinRE rather than the running operating system, the flaw changes the threat model for BitLocker users and could allow attackers to influence what happens before the normal Windows session begins.
YellowKey is reported to affect Windows 11 and Windows Server 2022/2025. The PoC approach involves placing specially crafted “FsTx” files onto a USB drive or an EFI partition, rebooting into WinRE, and triggering a command shell by holding down the CTRL key. The researcher also claims the bypass can be carried out without external storage by copying the same crafted files onto the EFI partition of the target drive.
If the method works as described, the spawned shell would provide unrestricted access to the storage volume protected by BitLocker. Independent confirmation came from security researcher Kevin Beaumont, who validated that the YellowKey exploit functions as a BitLocker “backdoor” and recommended mitigations such as using a BitLocker PIN and a BIOS password.
Even with those mitigations, the situation is more complicated than a simple “a PIN fixes it.” In an update, Chaotic Eclipse said the underlying root cause is still not broadly understood and that the vulnerability remains exploitable even in configurations involving TPM and PIN. The researcher added that a PoC for that specific variant has not been released, underscoring how defenders may face uncertainty about which protections fully cover the issue and which variations still leave room for abuse.
Will Dormann, a principal vulnerability analyst at Tharros Labs, independently confirmed that YellowKey works using the FsTx files on a USB drive, but he said he could not reproduce the bug using the EFI partition method. His explanation focuses on how YellowKey abuses NTFS transactions alongside the Windows Recovery image, specifically tying the PIN prompt timing to when Windows enters the recovery flow.
Dormann said Windows looks for certain directories (including “System Volume Information\FsTx”) on attached drives and then replays NTFS logs. In his account, this sequence leads to deletion of “X:\Windows\System32\winpeshl.ini” and results in recovery launching “CMD.EXE” instead of the legitimate Windows Recovery environment, with the disk still unlocked. That chain matters because it suggests the bypass relies on pre-recovery filesystem behavior rather than on breaking BitLocker encryption directly.
The wider defensive concern is that many systems configure BitLocker so that encrypted drives unlock automatically, because TPM-only policies allow seamless access. Dormann noted that if TPM-only BitLocker can decrypt without user interaction, attackers may eventually find ways to leverage that convenience. In his view, YellowKey is an example of exploiting an auto-unlock weakness, and he said the current YellowKey PoC does not work in a TPM+PIN environment.
There is also a practical constraint for attackers that defenders can weigh when assessing risk. Dormann and the researcher both indicate that testing YellowKey against a BitLocker-protected drive must be performed on the original device, where the TPM stores the encryption keys. As such, the researcher’s current YellowKey PoC is framed as not working with stolen drives, but it can still enable access to disks protected by TPM-only BitLocker without requiring credentials.
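As an added defensive check (not code from the article, the researcher, or Microsoft), the PowerShell below audits a host for the two conditions the article ties to YellowKey: BitLocker OS volumes that unlock with a TPM-only protector and no PIN, and attached volumes carrying the “System Volume Information\FsTx” directory Dormann describes. It assumes Windows 10/11 with the built-in BitLocker module and an elevated session; the function names are my own.

```powershell
# Added example, not code from the article or the researcher. Audits this host for
# the two conditions the article ties to YellowKey risk:
#   1. BitLocker OS volumes whose only unlock path is a TPM-only protector
#      (auto-unlock, no PIN), the configuration Dormann says the PoC targets.
#   2. Attached volumes carrying a "System Volume Information\FsTx" directory,
#      the path Dormann says Windows inspects before replaying NTFS logs.
# Assumes Windows 10/11 with the BitLocker module and an elevated session.

function Get-BitLockerProtectorAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $tpmOnly = $types -contains 'Tpm'
        $tpmPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            KeyProtectors     = ($types -join ', ')
            # True when the OS volume can unlock at boot with no user interaction.
            TpmOnlyAutoUnlock = ($vol.VolumeType -eq 'OperatingSystem') -and $tpmOnly -and -not $tpmPin
        }
    }
}

function Find-FsTxDirectory {
    # 'System Volume Information' is ACL-restricted (SYSTEM only by default), so an
    # access-denied result is reported separately rather than treated as "absent".
    foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object Root) {
        $path = Join-Path $drive.Root 'System Volume Information\FsTx'
        try {
            $null = Get-Item -LiteralPath $path -Force -ErrorAction Stop
            [pscustomobject]@{ Drive = $drive.Root; Path = $path; Status = 'Present' }
        } catch [System.UnauthorizedAccessException] {
            [pscustomobject]@{ Drive = $drive.Root; Path = $path; Status = 'AccessDenied' }
        } catch {
            # ItemNotFound (or drive not ready): nothing to report for this volume.
        }
    }
}

$audit = Get-BitLockerProtectorAudit
$audit | Format-Table -AutoSize
foreach ($v in $audit | Where-Object TpmOnlyAutoUnlock) {
    Write-Warning "$($v.MountPoint) unlocks with TPM only; add a PIN, e.g. manage-bde -protectors -add $($v.MountPoint) -TPMAndPIN"
}
foreach ($hit in Find-FsTxDirectory) {
    Write-Warning "FsTx directory on $($hit.Drive): $($hit.Status). Investigate before booting into WinRE."
}
```

A TPM+PIN protector addresses only the variant Dormann could reproduce; the article notes the researcher claims a TPM+PIN variant exists without a released PoC, so treat the PIN as a risk reduction rather than a complete fix.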
Alongside YellowKey, the researcher published a PoC for a second unpatched Windows flaw called GreenPlasma, described as a privilege escalation vulnerability that could yield a shell with SYSTEM permissions. In the researcher’s terminology, it is a “Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability,” pointing to how objects in Windows can be manipulated to reach higher trust levels.
GreenPlasma’s reported mechanism involves an unprivileged user creating arbitrary memory-section objects within directory objects that are writable by SYSTEM. The goal is to influence privileged components, such as services or drivers, that trust those locations. The leaked PoC is described as incomplete, because it lacks the specific component needed to produce a full SYSTEM shell on its own.
Even so, the researcher argues that “if you’re smart enough,” attackers could convert the partial technique into full privilege escalation. The description also suggests the newly created section could be shaped to manipulate data and various services, including kernel-mode drivers, into trusting specific paths that standard users cannot normally access.
This disclosure comes after the same researcher previously released zero-day information for two other Windows local privilege escalation issues, BlueHammer (CVE-2026-33825) and RedSun (which the report says had no identifier assigned at the time). In those earlier cases, the researcher said both flaws began being exploited in the wild shortly after public disclosure, framing the current leaks as part of a broader pattern of rapid attacker adoption.
The researcher said the choice to publish YellowKey and GreenPlasma, including guidance on how to use them, stemmed from dissatisfaction with how Microsoft handled bug reports. They also indicated they plan to continue leaking exploits for undocumented Windows vulnerabilities and teased “a big surprise” for Microsoft on next month’s Patch Tuesday.
At least one detail about Microsoft’s response is already being contested. The researcher claims Microsoft “silently patched” the RedSun vulnerability and criticized the company for handling that issue without assigning an identifier, contrasting it with how BlueHammer received a CVE. In the meantime, a Microsoft spokesperson stated that the company is committed to investigating reported security issues and updating impacted devices as soon as possible.
Microsoft also emphasized support for coordinated vulnerability disclosure, describing it as a widely adopted industry practice meant to help ensure issues are carefully investigated and addressed before public release. As the YellowKey and GreenPlasma PoCs spread, that clash between disclosure timelines and operational trust will likely intensify, especially given how the BitLocker bypass is tied to WinRE and how privilege escalation can be built from incomplete building blocks.