Windows zero-days: WinRE BitLocker bypass and CTFMON flaw
An anonymous researcher disclosed two Windows zero-days: YellowKey, a WinRE BitLocker bypass for Windows 11 and Server 2022/2025 using FsTx files; and GreenPlasma, a CTFMON escalation.
An anonymous researcher using the aliases Chaotic Eclipse and Nightmare-Eclipse published details of two Windows zero-day vulnerabilities named YellowKey and GreenPlasma.
YellowKey is a BitLocker bypass that operates from the Windows Recovery Environment (WinRE). The researcher reported it affects Windows 11 and Windows Server 2022 and 2025. According to the disclosure, an attacker can place specially crafted FsTx files on a USB drive or an EFI partition, insert the drive into a machine with BitLocker enabled, boot into WinRE and trigger a command shell by holding the CTRL key. The researcher described YellowKey as “one of the most insane discoveries I ever found” and added that it remains exploitable even when BitLocker uses TPM+PIN preboot authentication.
Security researcher Will Dormann reproduced parts of the behavior and reported that Transactional NTFS data on an attached USB drive can remove the winpeshl.ini file on the WinRE volume (X:). That action can produce a cmd.exe prompt with access to what appears to be a decrypted BitLocker volume rather than the normal WinRE interface. Dormann also noted that a \System Volume Information\FsTx directory on one volume can, when its transactions are replayed, change the contents of another volume.
GreenPlasma targets the Windows Collaborative Translation Framework (CTFMON). The proof-of-concept code shared by the researcher is incomplete and does not include the final routine to spawn a SYSTEM shell. In its shown form, the exploit allows an unprivileged user to create arbitrary memory section objects in directory locations that are normally writable only by SYSTEM. That capability could be used to alter services or drivers that trust those paths.
The researcher previously disclosed three Microsoft Defender vulnerabilities called BlueHammer, RedSun and UnDefend. BlueHammer was assigned CVE-2026-33825 and patched. The researcher indicated RedSun was fixed without a public advisory and criticized how coordinated disclosure was handled, warning of further disclosures and teasing a “big surprise” timed with next month’s Patch Tuesday.
Microsoft provided a statement that the company is committed to investigating reported security issues and updating affected devices “as soon as possible” and that it supports coordinated vulnerability disclosure to ensure issues are investigated and addressed prior to public disclosure.
Separately, French cybersecurity firm Intrinsec described a boot manager downgrade chain that can bypass BitLocker on patched Windows 11 systems by exploiting CVE-2025-48804. The chain mounts a second attacker-controlled WIM image so the boot manager verifies a legitimate WIM while booting from the attacker image, which can contain a WinRE with cmd.exe and access to a decrypted BitLocker volume. Microsoft released fixes for that flaw in July 2025. Security researcher Cassius Garat noted Secure Boot verifies a binary’s signing certificate but not the version of the signed binary, allowing an older vulnerable boot manager signed with the PCA 2011 certificate to load unless the certificate is revoked. Microsoft plans to retire PCA 2011 certificates next month.
Security researchers advise enabling a BitLocker PIN for preboot authentication and migrating the boot manager to the CA 2023 signing certificate while revoking the PCA 2011 certificate to reduce exposure to downgrade-style attacks. The YellowKey and GreenPlasma disclosures add to a set of recent Windows vulnerability reports that administrators and security teams will need to assess as investigations continue.
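One way for administrators to audit the two recommendations above on a host, as an added PowerShell check that is not part of the article or of any vendor tooling (it assumes an elevated session on Windows 11 with the BitLocker and SecureBoot modules available; the certificate name strings are the subject names Microsoft places in the Secure Boot db and dbx variables):

```powershell
# Added audit script (not from the article): reports whether a host follows the two
# mitigations named above, a TPM+PIN BitLocker protector on the OS volume and a
# Secure Boot db containing the Windows UEFI CA 2023 with the PCA 2011 placed in dbx.
# Assumes an elevated PowerShell session on Windows 11. Informational only; changes nothing.

$report = [ordered]@{}

# 1. BitLocker: is the OS volume protected, and does a preboot PIN protector exist?
$osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
if ($osVol) {
    $protectorTypes = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $report['BitLockerProtection'] = $osVol.ProtectionStatus
    $report['KeyProtectors']       = $protectorTypes -join ', '
    # TpmPin and TpmPinStartupKey are the protector types that require a PIN before boot.
    $report['PrebootPinEnabled']   = [bool]($protectorTypes | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
} else {
    $report['BitLockerProtection'] = 'No OS volume reported by Get-BitLockerVolume'
}

# 2. Secure Boot: enabled, 2023 CA trusted in db, PCA 2011 revoked via dbx?
try {
    $report['SecureBootEnabled'] = Confirm-SecureBootUEFI
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $report['Ca2023InDb']   = $db  -match 'Windows UEFI CA 2023'
    $report['Pca2011InDbx'] = $dbx -match 'Microsoft Windows Production PCA 2011'
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems or without elevation.
    $report['SecureBootEnabled'] = "Unavailable: $($_.Exception.Message)"
}

[pscustomobject]$report | Format-List
```

A `Ca2023InDb` of true only shows the firmware trusts the 2023 CA; it does not by itself prove the installed boot manager is the 2023-signed one, and `Pca2011InDbx` false means an older PCA 2011-signed boot manager would still load.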