Windows BitLocker zero-day gives access to protected drives, PoC released
Security researcher Chaotic Eclipse has released PoCs for two unpatched Windows flaws, YellowKey and GreenPlasma, collectively known as Chaotic Eclipse. YellowKey is a BitLocker bypass that exploits the Windows Recovery Environment to gain shell access on TPM-protected drives for Windows 11 and Windows Server 2022/2025, while GreenPlasma is a privilege-escalation flaw that could yield a SYSTEM shell. The disclosures follow earlier leaks (BlueHammer, RedSun), with the researcher promising more PoCs; Microsoft says it is investigating and urging mitigations like BitLocker PINs and BIOS passwords, though some configurations (such as TPM-only) may remain vulnerable.

Windows BitLocker Zero-Day Exposes Protected Drives: PoC Released
Overview
- A cybersecurity researcher has published proof-of-concept exploits for two unpatched Windows vulnerabilities, YellowKey and GreenPlasma.
- YellowKey bypasses BitLocker, while GreenPlasma provides a privilege-escalation path to obtain a SYSTEM-level shell.
- The vulnerabilities are associated with a broader research effort known as Chaotic Eclipse (also referred to as Nightmare Eclipse in some disclosures).
- Prior disclosures from the researcher include BlueHammer (a local privilege escalation) and RedSun (a separate privilege-escalation issue); both saw rapid exploitation after public disclosure.
- The researcher has indicated a willingness to continue revealing undocumented Windows flaws, with a promise of a big surprise tied to Patch Tuesday.
Chaotic Eclipse Context and History
- The disclosures are part of a pattern in which undocumented Windows vulnerabilities are released alongside accompanying PoCs and guidance on exploitation.
- The researcher characterizes YellowKey as a backdoor-like component because the exploitable element resides in WinRE (Windows Recovery Environment), a repair environment used for boot-related issues.
- GreenPlasma is described as a privilege-escalation vulnerability that affects how certain memory sections can be manipulated, potentially compromising trusted services or drivers.
- The researcher has signaled ongoing activity, including additional exploit leaks, and has publicly criticized Microsoft’s handling of bug reports and vulnerability identifiers in some cases.
YellowKey: BitLocker Bypass
- Affects Windows 11 and Windows Server 2022/2025.
- Core mechanism involves placing specially crafted FsTx files on a USB drive or EFI partition, rebooting into WinRE, and triggering a shell by a keyboard action (holding CTRL).
- There is an alternative path to exploit without external storage by copying the necessary files to the target drive’s EFI partition.
- Once the shell is spawned, it provides unrestricted access to the BitLocker-protected storage volume.
- Independent researcher verification:
  - A separate security researcher confirmed the exploit’s validity and acknowledged BitLocker’s exposure to backdoor-like access via this vector.
  - The consensus view is that a BitLocker-protected drive can be accessed in ways that bypass normal user authentication on boot.
- Root-cause and environment considerations:
  - The public PoC for YellowKey reportedly operates against configurations where automatic unlock features are available, including TPM-only BitLocker setups.
  - Some analyses indicate the exploit may work differently depending on whether the system uses USB-based unlock vs. TPM-only unlock with PIN constraints.
  - There is disagreement on whether the underlying issue can be fully mitigated by TPM+PIN alone; the PoC discussion suggests protections vary by configuration and hardware.
Dormann’s Analysis and Replicability Notes
- An independent analyst examined the USB-based mode of YellowKey and reported successful replication, while noting difficulty reproducing the behavior when attempting to use an EFI partition.
- The mechanism described involves NTFS transactions and interactions with the Windows Recovery environment.
- The boot-time sequence can trigger an alteration of recovery-related startup scripts, leading to the invocation of a command shell before the intended WinRE interface is loaded.
- A critical takeaway is that TPM-only configurations that auto-unlock BitLocker can unintentionally facilitate access when the system boots, a scenario the analyst mentioned as a potential limitation for TPM+PIN defenses.
Technical Details: How YellowKey Functions
- The attack leverages specially crafted NTFS transaction behavior to replay or bypass certain WinRE startup conditions.
- At boot, Windows checks for specific directories related to NTFS transaction logs (FsTx) on attached drives. Manipulation of these logs can influence which startup script runs.
- The outcome is that the standard Windows Recovery interface is bypassed and a shell (CMD.EXE) is presented with the disk remaining unlocked, granting access to the protected data.
- Practical implications include the possibility of accessing sensitive content on drives protected by TPM-only BitLocker without requiring user-provided credentials at boot.
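The configuration the article singles out as exposed is TPM-only BitLocker, which unlocks the volume at boot with no user input. As an added audit example (not code from the article or the researcher), the script below lists each BitLocker volume's key protectors and flags volumes that rely on a TPM protector with no PIN, and reports whether WinRE is enabled. It assumes the built-in BitLocker module (Get-BitLockerVolume) and reagentc.exe are available and that reagentc's output is in English.

```powershell
# Added defender-side audit: flag BitLocker volumes that auto-unlock via TPM alone
# (no PIN), the setup the article describes as still exposed to YellowKey.
# Assumes the Windows BitLocker module and reagentc.exe; run from an elevated shell.
function Get-BitLockerAutoUnlockRisk {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword and ExternalKey.
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)

        if ($vol.ProtectionStatus -ne 'On') {
            $finding = 'Protection is off'
        } elseif ($tpmOnly) {
            $finding = 'TPM-only protector: volume auto-unlocks at boot; consider adding a PIN'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus
            KeyProtectors     = ($types -join ',')
            TpmOnlyAutoUnlock = $tpmOnly
            Finding           = $finding
        }
    }
}

function Get-WinReStatus {
    # reagentc /info prints a line like "Windows RE status: Enabled" (English output assumed).
    $line = (& reagentc.exe /info 2>$null) | Where-Object { $_ -match 'Windows RE status' }
    if ($line -and ($line -match ':\s*(\w+)')) { return $Matches[1] }
    return 'Unknown'
}

Get-BitLockerAutoUnlockRisk | Format-Table -AutoSize
"WinRE status: $(Get-WinReStatus)"
```

A volume reported as TpmOnlyAutoUnlock = True with WinRE enabled matches the scenario the analyses above describe; whether a PIN alone is sufficient is, per the article, still disputed.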
GreenPlasma: Privilege Escalation Path
- GreenPlasma is described as a Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability.
- An unprivileged user can create memory-section objects within directory objects writable by SYSTEM, enabling manipulation of privileged services or drivers that rely on those paths.
- The publicly released PoC for GreenPlasma is incomplete and does not yet deliver a full SYSTEM shell; however, the researchers suggest that the concept could be extended into a complete privilege escalation with the right follow-on steps.
- The broader risk is that a compromised user-space component could influence kernel-mode components by steering data and control paths that trusted services rely on.
Microsoft Response and Industry Context
- In public statements, Microsoft has indicated ongoing investigation into reported security issues and support for coordinated vulnerability disclosure practices.
- The company emphasized commitment to updating affected devices to protect customers and to collaborating with the research community to address vulnerabilities responsibly.
- The disclosures have reignited discussion about the balance between responsible disclosure and the potential for public PoCs to enable active exploitation before patches are available.
Related Visuals and Contextual Elements
- The disclosures include visual representations of the GreenPlasma concept and related PoCs, illustrating the progression from local user-space actions to potential system-level impacts.
- The broader communications from the researcher include references to upcoming patches and future releases connected to Patch Tuesday, with additional hints about continuing a pattern of zero-day disclosures.
Industry Reflections and Takeaways
- The YellowKey and GreenPlasma disclosures underscore the importance of defense-in-depth, particularly in how boot-time processes, recovery environments, and hardware-backed protections interact.
- The discussions around TPM-based unlock mechanisms reveal nuanced considerations: convenience features can introduce unexpected attack surfaces if not carefully managed.
- The ongoing dialogue between researchers and vendors centers on clarifying root causes, enabling accurate vulnerability identifiers, and coordinating timely mitigations to reduce risk exposure.
- In the broader security community, the pattern of disclosure followed by rapid exploitation in the wild emphasizes the need for robust patch management, hardware-assisted protections, and disciplined incident response.
Closing Context
- Chaotic Eclipse’s activity aligns with a larger trend of public PoCs for undocumented Windows vulnerabilities and the potential consequences for enterprise security, system integrity, and data protection.
- While the PoCs advance understanding of these flaws, they also raise questions about how best to structure disclosures, verify root causes, and implement mitigations across diverse hardware and software configurations.
- The evolving narrative around YellowKey, GreenPlasma, and related exploits continues to shape conversations about Windows security, recovery environments, and the ongoing need for vigilant safeguarding of protected data.