Windows Under Siege: Researcher Leaks "YellowKey" and "GreenPlasma" Zero-Day Exploits

A fresh wave of instability has hit the Windows ecosystem as a security researcher, operating under the aliases "Chaotic Eclipse" and "Nightmare-Eclipse," has publicly released proof-of-concept (PoC) exploits for two critical, unpatched zero-day vulnerabilities. Dubbed "YellowKey" and "GreenPlasma," these flaws provide attackers with a path to bypass BitLocker drive encryption and achieve unauthorized privilege escalation.

This latest disclosure marks a significant escalation in a growing conflict between independent security researchers and Microsoft’s vulnerability management teams. The researcher behind these leaks has explicitly stated that their actions are a direct response to dissatisfaction with how Microsoft handles bug reports, further signaling a turbulent period ahead for enterprise and consumer Windows security.

The Core Vulnerabilities: YellowKey and GreenPlasma

The two vulnerabilities currently making headlines represent distinct threats to the Windows security model.

YellowKey: The BitLocker Bypass

YellowKey is perhaps the more alarming of the two, as it targets the fundamental promise of Windows drive encryption: BitLocker. The exploit affects Windows 11 and Windows Server 2022/2025. According to the researcher, the flaw resides within the Windows Recovery Environment (WinRE).

By placing specially crafted "FsTx" files on a USB drive or an EFI partition and triggering a specific command during the reboot process—specifically by holding the CTRL key—an attacker can spawn a command shell. This shell operates with unrestricted access to the storage volume, effectively bypassing the encryption layer that BitLocker is designed to enforce.

GreenPlasma: Privilege Escalation

GreenPlasma is a local privilege escalation (LPE) vulnerability described as a "Windows CTFMON Arbitrary Section Creation" flaw. Under normal circumstances, an unprivileged user is restricted from creating memory-section objects in areas reserved for high-privilege system operations.

The GreenPlasma exploit allows an attacker to bypass these restrictions, creating memory sections within directories writable by the SYSTEM account. While the currently released PoC is incomplete—lacking the final component to achieve a full SYSTEM-level shell—experts suggest that it provides a blueprint for sophisticated actors to gain elevated control over privileged services and kernel-mode drivers.

A Chronology of Disclosures

The emergence of YellowKey and GreenPlasma is not an isolated incident; it is part of an ongoing "leak campaign" by Chaotic Eclipse.

  • Preceding Events: The researcher previously disclosed the "BlueHammer" (CVE-2026-33825) and "RedSun" LPE zero-days. Both vulnerabilities were swiftly weaponized by threat actors in the wild shortly after the PoC code was published on GitHub.
  • The "Silent" Conflict: Following the disclosure of BlueHammer and RedSun, the researcher accused Microsoft of "silently patching" vulnerabilities without proper documentation or CVE identifiers. This lack of transparency appears to be the primary catalyst for the current, more aggressive strategy of public disclosure.
  • The Immediate Future: Chaotic Eclipse has explicitly promised "a big surprise" for the upcoming Patch Tuesday, suggesting that the current leaks may only be the beginning of a larger repository of undocumented Windows vulnerabilities being released to the public.

Supporting Data and Technical Validation

The technical validity of these exploits has been confirmed by prominent figures in the cybersecurity community, providing a stark reality check for administrators.

Expert Verification

Kevin Beaumont, a well-known security researcher, confirmed the efficacy of the YellowKey exploit. His assessment aligns with the researcher’s claims that BitLocker, in its default TPM-only configuration, essentially functions with a "backdoor" that can be triggered through the WinRE environment. Beaumont has advised users to move beyond default configurations, suggesting the use of a mandatory BitLocker PIN and a robust BIOS/UEFI password to mitigate the risk.

The Mechanism of Failure

Will Dormann, a principal vulnerability analyst at Tharros Labs, provided a granular breakdown of the YellowKey exploit. According to Dormann, the issue stems from how Windows handles NTFS transactions during the recovery boot process.

"Windows looks for System Volume Information\FsTx directories on attached drives, and will replay any NTFS logs," Dormann explained. "The result is that X:\Windows\System32\winpeshl.ini is deleted. When Windows Recovery initiates, instead of launching the standard recovery environment, it defaults to a command prompt with the disk already unlocked."

Dormann noted that while he could replicate the USB-based exploit, the EFI partition method proved more difficult to trigger. Crucially, he clarified that because the exploit leverages the "auto-unlock" mechanism inherent to TPM-only BitLocker configurations, the current iteration of the YellowKey exploit is ineffective against systems protected by both a TPM and a pre-boot PIN.

Official Responses and Industry Stance

The response from Microsoft has been measured, adhering to standard corporate protocols regarding security disclosures. A Microsoft spokesperson stated that the company is actively investigating the reports and remains committed to protecting customers through updates.

"We also support coordinated vulnerability disclosure," the spokesperson said. "This is a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."

However, the disconnect between Microsoft’s request for "coordinated disclosure" and the researcher’s frustration with the "silence" of the MSRC (Microsoft Security Response Center) highlights a growing tension. The researcher maintains that if Microsoft were more transparent about the nature and progress of patches, the need for public, potentially dangerous, leaks would be nullified.

Implications for Enterprise and Consumer Security

The existence of these exploits presents significant risks for both individual users and enterprise IT environments.

The Risk to Physical Security

The most critical takeaway from the YellowKey exploit is the vulnerability of devices where the drive is encrypted using only a TPM. In a corporate environment, this implies that a laptop stolen from a desk or left in an insecure area could be accessed by an individual with minimal technical expertise, provided they know the "trick" to trigger the command shell in the recovery environment.

Mitigation Strategies

As of now, the most effective mitigation for YellowKey is to implement a secondary layer of authentication. Organizations that rely solely on TPM-only BitLocker should urgently transition to a TPM+PIN configuration. While the researcher claims that the underlying root cause of the BitLocker issue might eventually be exploitable even with a PIN, no public PoC exists for that scenario, making a PIN a vital deterrent.
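The TPM-only check and the TPM+PIN transition recommended above (and in Beaumont's advice earlier) can be audited and applied from an elevated PowerShell session. This is an added example, not code from the article or from the researcher; it assumes the built-in BitLocker module, a caller-supplied PIN, and the standard FVE policy registry values.

```powershell
# Added example: find BitLocker OS volumes still in the TPM-only
# configuration that YellowKey targets, and move one to TPM+PIN.
# Assumes an elevated session; the PIN is supplied by the caller.
#Requires -RunAsAdministrator

function Get-TpmOnlyBitLockerVolumes {
    # Only one TPM-based protector can exist per volume, so a protector
    # of type 'Tpm' (rather than 'TpmPin'/'TpmPinStartupKey') means
    # the volume auto-unlocks with no pre-boot authentication.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and
        $_.ProtectionStatus -eq 'On' -and
        ($_.KeyProtector.KeyProtectorType -contains 'Tpm')
    }
}

function Set-BitLockerTpmPin {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Ensure a recovery password exists before touching TPM protectors,
    # so a failed change cannot leave the volume unrecoverable.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # The TPM-only protector must be removed before TPM+PIN can be added.
    $tpm = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    if ($tpm) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpm.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}

function Set-RequireTpmPinPolicy {
    # Local equivalent of the "Require additional authentication at startup"
    # policy (HKLM\SOFTWARE\Policies\Microsoft\FVE): 0 = do not allow,
    # 1 = require, 2 = allow. Disallow TPM-only, require TPM+PIN.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'UseTPM'             -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name 'UseTPMPIN'          -Value 1 -Type DWord
}

# Audit first; remediate per volume once a PIN rollout is agreed, e.g.:
#   Set-RequireTpmPinPolicy
#   Set-BitLockerTpmPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'PIN')
Get-TpmOnlyBitLockerVolumes | Select-Object MountPoint, ProtectionStatus,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Users must supply the PIN at the next boot, so schedule the change with a recovery-key escrow check (for example, the recovery password is backed up to AD or Intune) before rolling it out fleet-wide.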

For GreenPlasma, the danger lies in the potential for lateral movement within a network. If an attacker gains a foothold on a machine via a standard phishing attack, the GreenPlasma LPE provides the necessary elevation to disable security software, install persistent backdoors, or move deeper into the network infrastructure.

The Shift in Disclosure Culture

The behavior of Chaotic Eclipse signals a shift away from the traditional "white hat" disclosure model. By bypassing the MSRC and opting for immediate, public, and often incomplete PoC releases, the researcher is essentially crowdsourcing the development of exploits. This places an undue burden on IT administrators, who must now patch systems that may not even have official security updates available.

As we look toward the next Patch Tuesday, the cybersecurity community remains on high alert. The "big surprise" promised by the researcher could involve even more deeply embedded Windows components. For now, the best defense remains a proactive posture: hardening configurations, enforcing secondary authentication, and maintaining strict vigilance over physical access to hardware.

The era of "silent patches" and behind-the-scenes bug reporting appears to be facing a significant challenge, one that will force both software vendors and security professionals to re-evaluate the speed and transparency of the vulnerability management lifecycle.
