
Two critical security vulnerabilities discovered threatening Windows and BitLocker encryption

Disagreements between security researchers and big tech corporations can sometimes lead to severe consequences. Recently, after their security reports were rejected by Microsoft's team, a researcher known by the alias Chaotic Eclipse (or Nightmare-Eclipse) consecutively disclosed critical, unpatched zero-day vulnerabilities as a retaliatory move. Following the previous two vulnerabilities, BlueHammer and RedSun, the researcher has just publicized two new flaws named YellowKey and GreenPlasma, directly threatening the Windows security ecosystem.

YellowKey: Disabling BitLocker encryption using just a few files on a USB drive

YellowKey is an exceptionally dangerous vulnerability that directly targets BitLocker, the widely used drive encryption tool trusted by millions of individual users, enterprises, and governments to protect data.

The exploitation method for this vulnerability is remarkably simple and its effectiveness has been verified. An attacker only needs to prepare a standard USB drive, access the system folder named "System Volume Information", and copy a folder named "FsTx" along with all its contents into it.

The process to bypass the security wall is as follows:

  • Plug the USB drive into the target computer.

  • Select "Restart" while holding down the Shift key to allow the system to enter the Windows Recovery Environment.

  • Immediately after, switch to holding down the Control key and do not release it.

The system will immediately reboot without displaying any selection menus or authentication requests. Instead, the computer will drop the user directly into a command-line interface with supreme privileges. From here, an attacker can access all data on the drive originally protected by BitLocker without needing any recovery key.

[Image: Accessing a BitLocker-protected drive via the command line without a recovery key]

Notably, the exploit files on the USB drive automatically disappear after a single use. This behaviour strongly bears the hallmarks of a deliberately planted backdoor, raising significant security concerns. The YellowKey vulnerability is confirmed to work on both Windows Server 2022 and Windows Server 2025, but it does not affect the Windows 10 operating system.

Practical impact on users

Since BitLocker is enabled by default on Windows 11, the scope of this vulnerability's impact is immense. Technically, an attacker cannot remove the hard drive from this computer and plug it into another device to steal data, as the encryption keys remain securely within the original machine's Trusted Platform Module (TPM) chip. However, if the perpetrator steals the entire device (such as a laptop, mini PC, or desktop tower), the data inside will be fully compromised.


Researcher Chaotic Eclipse also noted that establishing strict security by combining both a TPM chip and a PIN cannot prevent the attack. They claimed to have a bypass solution for this scenario but have not yet released the detailed exploit code. This vulnerability was heavily concealed and could have fetched an extremely high price on the black market, but the researcher chose to make it public to challenge Microsoft.
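For administrators who want to gauge their exposure to the scenario described above, the following PowerShell inventory is an added example written for this page; it is not code from the researcher, from IPSIP, or from Microsoft. It lists each volume's BitLocker state and configured key protectors, reports whether the Windows Recovery Environment is enabled, and, as a heuristic that is an assumption rather than a vetted indicator, flags removable drives that carry the "System Volume Information\FsTx" folder the article mentions. It needs an elevated session and the built-in BitLocker module.

```powershell
# Added example (not from the article): inventory BitLocker exposure on a Windows host.
# Run from an elevated PowerShell session; Get-BitLockerVolume needs the BitLocker module.

# 1. BitLocker status and key protector types per volume (TPM, TpmPin, RecoveryPassword, ...)
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Volume     = $_.MountPoint
        Status     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        Protection = $_.ProtectionStatus    # On or Off
        Protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
} | Format-Table -AutoSize

# 2. Whether the Windows Recovery Environment is enabled on this machine
reagentc /info

# 3. Heuristic (assumption, not a confirmed indicator of compromise): removable drives
#    that contain a 'System Volume Information\FsTx' folder, the artifact the article describes.
#    System Volume Information is normally inaccessible without elevation, so run elevated.
Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        $path = Join-Path "$($_.DriveLetter):\" 'System Volume Information\FsTx'
        if (Test-Path -LiteralPath $path) {
            Write-Warning "Removable drive $($_.DriveLetter): contains $path"
        }
    }
```

The output tells you which volumes are actually protected and by what; the article's claim that TPM plus PIN is also bypassable is the researcher's, and this script only reports configuration, it does not test the bypass.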

GreenPlasma: Local privilege escalation vulnerability to control the system

Alongside YellowKey, a second vulnerability named GreenPlasma was also disclosed. Although a complete proof-of-concept (PoC) exploit code is not yet available, based on Eclipse's previously accurate findings, the tech community believes this vulnerability is entirely genuine.

GreenPlasma is a local privilege escalation (LPE) vulnerability. It allows a standard user account to gain the highest level of control over the system, SYSTEM level, which is even higher than Administrator privileges.

The mechanics of GreenPlasma include:

  • Manipulating the system process named CTFMon.

  • Injecting a specially modified memory section object (used for inter-process sharing or file mapping) into the Windows Object Manager section.

  • This section resides in an area where the SYSTEM account has write privileges, thereby enabling the exploit code to bypass standard access control mechanisms.

Once inside the restricted memory region, malware can execute various destructive behaviors and take complete control of the computer. This vulnerability is not only dangerous for personal computers but is also a disaster for server environments - where a standard user could exploit it to compromise the entire server and access data belonging to all other accounts.

As of the time this information was shared, Microsoft has not issued any response or official advisory regarding the YellowKey and GreenPlasma vulnerabilities.

Regarding Chaotic Eclipse's previous findings, the BlueHammer vulnerability has now been successfully patched. Meanwhile, the RedSun flaw is believed to have been silently addressed by Microsoft, though the corporation has never issued a specific confirmation statement.
