Securityaffairs

Researchers uncover YellowKey and GreenPlasma Windows Zero-Days

Pierluigi Paganini
May 15, 2026

Researchers disclosed two new Windows zero-days named YellowKey and GreenPlasma affecting BitLocker and the CTFMON framework.

A security researcher known as Chaotic Eclipse, also called Nightmare-Eclipse, disclosed two new Windows zero-day vulnerabilities named YellowKey and GreenPlasma.

The flaws affect BitLocker and the Windows Collaborative Translation Framework (CTFMON). YellowKey could allow attackers to bypass BitLocker protections, while GreenPlasma enables privilege escalation. The researcher previously disclosed three Microsoft Defender vulnerabilities.

YellowKey is a BitLocker bypass issue that affects Windows 11 and Windows Server 2022/2025 systems. The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE). The attack involves placing specially crafted files inside the System Volume Information\FsTx directory on a USB drive or directly in the EFI partition. According to the researcher, the vulnerable component only exists inside the WinRE image and not in a standard Windows installation, which led him to question whether its presence is deliberate. Windows 10 systems do not appear to be affected.

“Now why would I say this is a backdoor? The component that is responsible for this bug is not present anywhere (even on the internet) except inside the WinRE image, and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal Windows installation but without the functionalities that trigger the BitLocker bypass issue,” wrote Chaotic Eclipse. “Why? I just can’t come up with an explanation besides the fact that this was intentional. Also, for whatever reason, only Windows 11 (+Server 2022/2025) are affected; Windows 10 is not.”

The second issue, dubbed GreenPlasma, is a Windows privilege escalation vulnerability affecting the CTFMON framework on Windows 11 and Windows Server 2022/2026. The proof-of-concept exploit allows attackers to create arbitrary memory section objects inside directories writable by SYSTEM. By abusing trusted paths used by services and kernel drivers, attackers could potentially escalate privileges to SYSTEM level. The researcher withheld the full exploit code but said the flaw can still be turned into full privilege escalation by skilled attackers.
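The article gives the affected platforms for both flaws (Windows 11 and the named Windows Server releases) and, for YellowKey, the components involved (BitLocker, WinRE, and files placed under the FsTx directory of System Volume Information on the EFI partition). The following PowerShell script is an added example written for this page, not code from Security Affairs or from the researcher; it is a read-only triage step a defender can run elevated on a host to record whether it falls into the affected population and what its BitLocker, WinRE and EFI System Partition state look like. The build-number threshold, the drive letter used for the ESP, and the assumption that the BitLocker module and reagentc.exe are present are all assumptions made here.

```powershell
# Added example (not from the article or the researcher): inventory the state the
# article's description of YellowKey and GreenPlasma makes relevant. Read-only; run elevated.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
# Assumption: build numbers from 22000 upward are Windows 11; the caption identifies
# Server 2022/2025, the releases the article lists as affected.
$inAffectedFamily = ([int]$os.BuildNumber -ge 22000) -or
                    ($os.Caption -match 'Server 2022|Server 2025')

# Per-volume BitLocker state (BitLocker PowerShell module on supported editions).
$bitlocker = Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# Windows Recovery Environment status as reported by reagentc.
$reInfo = & reagentc.exe /info 2>&1
$winReEnabled = @($reInfo -match 'Windows RE status:\s+Enabled').Count -gt 0

# Assumption: map the EFI System Partition to a free drive letter so the directory the
# article names can be reviewed. The directory existing is not by itself evidence of
# tampering; the listing is recorded so an analyst can compare it against a known-good host.
$esp = 'S:'
& mountvol.exe $esp /S | Out-Null
$fsTx = Join-Path $esp 'System Volume Information\FsTx'
$fsTxEntries = @()
if (Test-Path -LiteralPath $fsTx) {
    $fsTxEntries = @(Get-ChildItem -LiteralPath $fsTx -Force -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime)
}
& mountvol.exe $esp /D | Out-Null

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    OS                = $os.Caption
    Build             = $os.BuildNumber
    InAffectedFamily  = $inAffectedFamily
    WinREEnabled      = $winReEnabled
    BitLockerVolumes  = $bitlocker
    EspFsTxEntryCount = $fsTxEntries.Count
    EspFsTxEntries    = $fsTxEntries
} | Format-List
```

Run it from an elevated session on each host in scope and keep the output alongside the host's patch status; the ESP is unmounted again before the script exits so the drive letter does not linger.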

In April, Chaotic Eclipse disclosed three other flaws in Microsoft Defender called BlueHammer, RedSun, and UnDefend.

Chaotic Eclipse also published proof-of-concept code for the unpatched Windows bug.

BlueHammer and RedSun let attackers escalate privileges locally in Microsoft Defender. UnDefend instead triggers a denial-of-service, blocking security definition updates and weakening protection.

At this time, Microsoft has only fixed the BlueHammer flaw, tracked as CVE-2026-33825, but the others remain unpatched.

Huntress researchers reported that attackers are exploiting the three Microsoft Defender flaws in the wild, though the victims and the attackers behind the activity remain unknown.

Huntress said it saw real-world exploitation of all three flaws. Attackers used BlueHammer starting April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16.

Researchers believe attackers were using public exploit code released online by Chaotic Eclipse.
