Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation

An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days: a BitLocker bypass and a privilege escalation affecting the Windows Collaborative Translation Framework (CTFMON).

The flaws have been codenamed YellowKey and GreenPlasma, respectively, by the researcher, who goes by the online aliases Chaotic Eclipse and Nightmare-Eclipse.

The researcher described YellowKey as "one of the most insane discoveries I ever found," likening the BitLocker bypass to a backdoor, since the bug is present only in the Windows Recovery Environment (WinRE), the built-in environment used to troubleshoot and repair common unbootable-operating-system problems.

YellowKey affects Windows 11 and Windows Server 2022/2025. At a high level, it involves copying specially crafted "FsTx" files onto a USB drive or the EFI partition, plugging the USB drive into the target Windows computer with BitLocker protection turned on, rebooting into WinRE, and triggering a shell by holding down the CTRL key.

"I think it will take a while even for MSRC to find the true root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden," the researcher explained. "Second thing is, no, TPM+PIN doesn't help, the issue is still exploitable regardless."

Security researcher Will Dormann, in a post shared on Mastodon, said, "I was able to reproduce [YellowKey] with a USB drive attached," adding, "it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery Environment."


"While the TPM-only BitLocker bypass is certainly interesting, I think the buried lede here is that a System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it's replayed," Dormann pointed out. "To me, this in and of itself seems like a vulnerability."

The second vulnerability flagged by Chaotic Eclipse is a privilege escalation that could be exploited to obtain a shell with SYSTEM privileges. It stems from what has been described as Windows CTFMON arbitrary section creation.

The released proof-of-concept (PoC) is incomplete and lacks the code needed to obtain a full SYSTEM shell. In its current form, the exploit lets an unprivileged user create arbitrary memory section objects inside object-manager directories that are writable only by SYSTEM, potentially enabling manipulation of privileged services or drivers that implicitly trust those paths, since a standard user normally has no write access to them.

The development comes nearly a month after the researcher published three Defender zero-days dubbed BlueHammer, RedSun, and UnDefend, after allegedly expressing dissatisfaction with Microsoft's handling of the vulnerability disclosure process. The flaws have since come under active exploitation in the wild.


While BlueHammer was formally assigned the identifier CVE-2026-33825 and patched by Microsoft last month, Chaotic Eclipse said the tech giant appears to have "silently" addressed RedSun without issuing any advisory.

"I hope you at least attempt to resolve the situation responsibly, I'm not sure what kind of response you expected from me when you threw more fuel on the fire after BlueHammer," the researcher said. "The fire will go as long as you want, unless you extinguish it or until there's nothing left to burn."

Chaotic Eclipse also promised a "big surprise" for Microsoft, timed to coincide with the next Patch Tuesday release in June 2026.

When reached for comment, a Microsoft spokesperson had previously told The Hacker News that it "has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," and that it supports coordinated vulnerability disclosure, which the company said "helps ensure issues are carefully investigated and addressed before public disclosure."

BitLocker Downgrade Attack Uncovered

The development comes as French cybersecurity company Intrinsec detailed an attack chain against BitLocker that leverages a boot manager downgrade, exploiting CVE-2025-48804 (CVSS score: 6.8), to bypass the encryption protection on fully patched Windows 11 systems in under five minutes.

"The principle is as follows: the boot manager loads the System Deployment Image (SDI) file and the WIM referenced by it, and verifies the integrity of the legitimate WIM," Intrinsec said.


"However, when a second WIM is added to the SDI with a modified blob table, the boot manager checks the first (legitimate) WIM while simultaneously booting from the second (controlled by the attacker). This second WIM contains a WinRE image infected with 'cmd.exe,' which executes with the decrypted BitLocker volume."

Although fixes released by Microsoft in July 2025 plugged this flaw, security researcher Cassius Garat said the problem lies in the fact that Secure Boot only verifies a binary's signing certificate, not its version. As a result, a vulnerable, pre-patch version of "bootmgfw.efi" that is signed with the still-trusted PCA 2011 certificate can be used to get around BitLocker's safeguards.

It's worth noting that Microsoft plans to retire the old PCA 2011 certificate next month. "And as long as it's not revoked, even an old, vulnerable boot manager can be loaded without triggering an alert," Intrinsec noted. To pull off the attack, a bad actor needs physical access to the target machine.

To counter the risk, it's essential to enable a BitLocker PIN at startup for pre-boot authentication, migrate the boot manager to the CA 2023 certificate, and revoke the old PCA 2011 certificate.
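The three mitigations above can be audited from an elevated PowerShell session. The script below is an added example, not code from the article, from Intrinsec, or from Microsoft. It assumes the OS volume is C:, that drive letter S: is free for mounting the EFI system partition, and that the Secure Boot variables can be read with the `Get-SecureBootUEFI` cmdlet (it will throw on legacy-BIOS or Secure-Boot-off machines, which the script reports rather than hides). The string matches against the `db` and `dbx` bytes follow the checks Microsoft documents in KB5025885 for the CA 2023 migration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit the BitLocker downgrade mitigations
# on a Windows 11 host. Assumptions: OS volume is C:, S: is free for the ESP.

function Test-BitLockerPrebootPin {
    param([string]$MountPoint = 'C:')
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ',')
        # A TPM-only protector auto-unlocks for whatever the firmware boots, which is
        # exactly what a downgraded boot manager relies on; TpmPin/TpmPinStartupKey
        # force pre-boot authentication before the VMK is released.
        PrebootAuth      = [bool]($types -match '^TpmPin')
    }
}

function Test-SecureBootCertState {
    # Get-SecureBootUEFI returns the raw variable bytes; the CA subject names are
    # embedded as ASCII in the DER certificates, so a string match is sufficient.
    try {
        $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
        [pscustomobject]@{
            SecureBootOn        = Confirm-SecureBootUEFI
            Ca2023TrustedInDb   = [bool]($db  -match 'Windows UEFI CA 2023')
            Pca2011RevokedInDbx = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
        }
    } catch {
        [pscustomobject]@{ SecureBootOn = $false; Ca2023TrustedInDb = $false
                           Pca2011RevokedInDbx = $false; Error = $_.Exception.Message }
    }
}

function Test-BootManagerSigner {
    # Mount the EFI system partition and inspect who issued the signing certificate
    # of bootmgfw.efi. The downgrade works only while a PCA 2011-issued signature
    # is still accepted, so the issuer must be the Windows UEFI CA 2023.
    $esp = 'S:'
    mountvol $esp /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
        [pscustomobject]@{
            Status     = $sig.Status
            Issuer     = $sig.SignerCertificate.Issuer
            Signed2023 = [bool]($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
        }
    } finally {
        mountvol $esp /D | Out-Null
    }
}

$pin  = Test-BitLockerPrebootPin
$cert = Test-SecureBootCertState
$boot = Test-BootManagerSigner
$pin, $cert, $boot | Format-List

if (-not $pin.PrebootAuth) {
    Write-Warning "No TPM+PIN protector on $($pin.MountPoint); the volume auto-unlocks for any trusted boot manager."
}
if (-not $boot.Signed2023 -or -not $cert.Ca2023TrustedInDb -or -not $cert.Pca2011RevokedInDbx) {
    Write-Warning 'Boot chain still accepts PCA 2011: complete the CA 2023 migration and revoke PCA 2011 (KB5025885).'
}
```

All three checks must pass for the downgrade to be blocked: a PIN alone still lets the attacker boot the old manager, it just stops the volume unlocking without the user; a 2023-signed boot manager alone does nothing until PCA 2011 is actually in `dbx`, since Secure Boot, as Garat notes, checks the signer and not the version. Adding the PIN protector requires the "Require additional authentication at startup" policy to permit a startup PIN, after which `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')` configures it. Apply the `dbx` revocation only after confirming every bootable Windows installation and recovery medium on the machine is already 2023-signed, or the device will fail Secure Boot.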
