An anonymous cybersecurity researcher known online as Chaotic Eclipse and Nightmare Eclipse has disclosed two new Windows zero-day vulnerabilities, one affecting BitLocker and one affecting the Windows Collaborative Translation Framework, commonly called CTFMON after its monitor process, ctfmon.exe. The vulnerabilities, named YellowKey and GreenPlasma, target Windows 11 and Windows Server 2022 and 2025 systems. The disclosure comes weeks after the same researcher published three Microsoft Defender related vulnerabilities identified as BlueHammer, RedSun, and UnDefend.
YellowKey is a BitLocker bypass that reportedly works from within the Windows Recovery Environment, commonly referred to as WinRE. The researcher described the issue as unusually difficult to trace because it behaves like a hidden backdoor inside the recovery framework used to repair unbootable Windows systems. According to the published findings, the attack involves copying specially crafted FsTx files to a USB drive or to the EFI system partition and connecting the device to a BitLocker-protected computer. After rebooting the machine into WinRE and pressing the CTRL key, an attacker can allegedly obtain a command shell with access to the already unlocked BitLocker volume. The researcher stated that even systems configured with TPM plus PIN protection remain vulnerable to exploitation, so the pre-boot PIN that mitigates other physical-access attacks does not, by this account, help here.
Security researcher Will Dormann independently reproduced the attack using a USB drive and shared technical observations on Mastodon. Dormann explained that the vulnerability appears to abuse Transactional NTFS (TxF) components located in a \System Volume Information\FsTx directory on the attacker's volume. According to his findings, these components can modify files on a different drive when the transaction log is replayed. He noted that the exploit deletes the winpeshl.ini file inside WinRE, which replaces the expected recovery interface with a command prompt running on the unlocked BitLocker partition. Dormann further suggested that the ability of one volume to alter another volume through FsTx replay may itself represent a separate security issue, independent of the BitLocker impact.
The second vulnerability, named GreenPlasma, affects Windows CTFMON and enables privilege escalation. The released proof of concept does not provide a complete SYSTEM shell exploit, but the researcher stated it still demonstrates how an unprivileged user can create arbitrary memory section objects inside directory locations that only SYSTEM accounts should be able to write to. Because elevated services and drivers that rely on those paths may implicitly trust whatever objects they find there, the primitive may create opportunities to manipulate them. Security analysts noted that regular users normally cannot write to such locations at all, which makes the flaw particularly concerning in enterprise environments.
The disclosures also coincide with fresh concerns surrounding BitLocker downgrade attacks. French cybersecurity company Intrinsec recently detailed an attack chain exploiting CVE-2025-48804 to bypass BitLocker protections on fully patched Windows 11 devices within minutes. Researchers explained that attackers can abuse an older, vulnerable version of bootmgfw.efi signed with Microsoft's Windows Production PCA 2011 certificate. Because Secure Boot validates signatures rather than software versions, an outdated boot manager still loads as long as the certificate that signed it remains in the firmware's trusted database (DB) and has not been added to the revocation list (DBX). Attackers can then manipulate Windows Imaging (WIM) files to boot a modified WinRE environment containing cmd.exe with access to the decrypted BitLocker volume. Microsoft addressed the original issue through patches released in July 2025, but researchers warned that systems remain exposed until organizations migrate boot components to the newer Windows UEFI CA 2023 certificate and revoke the older PCA 2011 certificate. Security experts also recommended enabling BitLocker startup PIN authentication to reduce the risk from physical-access attacks of this kind (the YellowKey researcher claims that particular bypass works even with TPM plus PIN, so the PIN is a mitigation for the downgrade chain, not a universal fix).
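The following PowerShell script is an added example, not code from the article, from Intrinsec or from the researcher, and it checks a host for the three conditions the paragraph above ties to the bootmgfw.efi downgrade: whether the Windows UEFI CA 2023 certificate is in the Secure Boot DB, whether the PCA 2011 certificate is in the DBX, and which CA issued the signing certificate of the boot manager actually installed on the EFI system partition. It also lists the BitLocker protectors on the OS volume to show whether a startup PIN is configured. It must run elevated on a UEFI system; the choice of S: as a free drive letter for mounting the ESP is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the Secure Boot and BitLocker state relevant to the
# CVE-2025-48804 boot manager downgrade described above. Read-only; it does not
# change any Secure Boot variable or BitLocker protector.

function Get-SecureBootDbSummary {
    # DB/DBX are raw EFI_SIGNATURE_LIST blobs. The certificate subject strings are
    # present in the DER data, so an ASCII substring match is enough to tell which
    # CAs are trusted (DB) and which are revoked (DBX).
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]@{ SecureBootEnabled = $false; Note = 'Not a UEFI system or Secure Boot unsupported' }
    }
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)
    $dbx = ''
    try { $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).bytes) } catch { }
    [pscustomobject]@{
        SecureBootEnabled = $enabled
        Ca2023InDb        = $db  -match 'Windows UEFI CA 2023'
        Pca2011InDb       = $db  -match 'Microsoft Windows Production PCA 2011'
        Pca2011InDbx      = $dbx -match 'Microsoft Windows Production PCA 2011'
    }
}

function Get-BootManagerSigner {
    # Assumption: $EspDrive is an unused letter; mountvol /S maps the EFI system
    # partition there so the installed bootmgfw.efi can be inspected.
    param([string]$EspDrive = 'S:')
    mountvol $EspDrive /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$EspDrive\EFI\Microsoft\Boot\bootmgfw.efi"
        [pscustomobject]@{
            SignatureStatus = $sig.Status
            Issuer          = $sig.SignerCertificate.Issuer
            SignedByCa2023  = ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
            SignedByPca2011 = ($sig.SignerCertificate.Issuer -match 'Microsoft Windows Production PCA 2011')
        }
    } finally {
        mountvol $EspDrive /D | Out-Null
    }
}

function Get-BitLockerProtectorSummary {
    # Startup PIN corresponds to a TpmPin (or TpmPinStartupKey) key protector on the OS volume.
    Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ',')
            HasStartupPin    = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        }
    }
}

$sb   = Get-SecureBootDbSummary
$boot = Get-BootManagerSigner
$bl   = Get-BitLockerProtectorSummary
$sb | Format-List
$boot | Format-List
$bl | Format-Table -AutoSize

# The downgrade only works while PCA 2011 is still trusted: a 2023-signed boot manager
# on disk is not sufficient if the old CA has not been revoked in DBX.
if ($sb.SecureBootEnabled -and -not $sb.Pca2011InDbx) {
    Write-Warning 'PCA 2011 is not in DBX: an older signed bootmgfw.efi would still pass Secure Boot.'
}
if (-not $sb.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off: any boot manager, signed or not, will load.'
}
foreach ($v in $bl) {
    if (-not $v.HasStartupPin) {
        Write-Warning "OS volume $($v.MountPoint) has no TPM+PIN protector (protectors: $($v.Protectors))."
    }
}
```

The script is an audit, not a remediation: adding PCA 2011 to the DBX makes any media and recovery image still signed with that CA unbootable, so the revocation belongs at the end of the staged migration, after the boot manager, recovery environment and any bootable rescue media have been re-signed with the 2023 CA. Run the script before and after each stage to confirm the state actually changed on the firmware side rather than only on disk.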
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.





