Researcher Drops YellowKey BitLocker Bypass, GreenPlasma SYSTEM Exploit
A disgruntled researcher released two unpatched Windows zero-days: YellowKey bypasses BitLocker encryption via USB, while GreenPlasma grants SYSTEM privileges. No patches available yet.
A security researcher operating under the alias Nightmare-Eclipse publicly released exploit code for two unpatched Microsoft Windows vulnerabilities on May 13, marking the fifth and sixth zero-day disclosures from the same individual this year. The flaws—dubbed YellowKey and GreenPlasma—enable BitLocker encryption bypass and SYSTEM-level privilege escalation respectively, with no patches currently available.
What Are YellowKey and GreenPlasma?
YellowKey is a BitLocker bypass vulnerability that exploits NTFS transactions within the Windows Recovery Environment (WinRE). An attacker with physical access can place specially crafted files on a USB drive or EFI partition, then reboot into recovery mode to gain shell access to an encrypted system.
GreenPlasma is a privilege escalation flaw that allows unprivileged users to create arbitrary memory sections, potentially manipulating system services and kernel-mode drivers. The researcher released partial exploit code rather than a complete proof-of-concept.
How Does YellowKey Work?
The attack leverages how Windows handles NTFS transaction logs during recovery. According to security analyst Will Dormann, Windows looks for \System Volume Information\FsTx directories on attached drives and replays any NTFS logs it finds.
By placing malicious FsTx files on a USB drive and triggering a WinRE boot sequence, attackers manipulate the boot process so that X:\Windows\System32\winpeshl.ini gets deleted. This causes WinRE to launch a command prompt instead of the legitimate recovery interface—with the disk still unlocked.
The exploit affects Windows 11 and Windows Server 2022/2025, specifically targeting TPM-only BitLocker configurations. Dormann noted bluntly: "A stolen laptop stops being a hardware problem and becomes a breach notification."
The Researcher's Motivations
Nightmare-Eclipse (also known as Chaotic Eclipse) cited dissatisfaction with Microsoft's vulnerability handling as motivation for the public disclosures. In a blog post accompanying the release, the researcher stated that "someone violated our agreement and left me homeless with nothing."
YellowKey and GreenPlasma follow four previous zero-day disclosures from the same researcher in 2026:
- BlueHammer (April) - Windows Defender bypass
- RedSun - SYSTEM privilege escalation
- UnDefend
- Two unnamed earlier flaws
The researcher has hinted at possessing a "dead man's switch" containing additional vulnerabilities.
Why This Matters
BitLocker encryption represents a fundamental security control for enterprises protecting laptops and removable media. Microsoft's own guidance recommends BitLocker for meeting regulatory compliance requirements and protecting data at rest.
YellowKey undermines these protections entirely for organizations relying solely on TPM-based encryption. While physical access requirements limit remote exploitation, the threat model for stolen or seized devices changes dramatically. An attacker who previously faced months or years of decryption effort can now gain access in minutes.
The timing is notable: these disclosures arrived just one day after Microsoft's May Patch Tuesday, which contained no zero-days under active exploitation. That assessment aged poorly within 24 hours.
Mitigation Options
For YellowKey, Microsoft and security researchers recommend:
- Implement BitLocker PIN protection in addition to TPM—the exploit specifically targets TPM-only configurations
- Set BIOS/UEFI passwords to prevent unauthorized boot device changes
- Disable USB boot in firmware settings where operationally feasible
- Monitor for physical access attempts in high-security environments
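The first recommendation is the one that matters most for this flaw, and it is also the easiest to verify at scale. The following PowerShell script is an added example for this article, not code from the researcher, Will Dormann or Microsoft: it audits the operating-system volume for a TPM-only protector set (the configuration the article says YellowKey targets), checks whether Group Policy permits a PIN protector, and adds a TPM+PIN protector where one is missing. The BitLocker cmdlets used exist in the built-in BitLocker module; the FVE policy registry path and its UseAdvancedStartup/UseTPMPIN values are assumed from standard Group Policy documentation rather than taken from the article. Run it in an elevated session.

```powershell
# Added example (not from the article): audit BitLocker OS volumes for a
# TPM-only protector set and optionally add a TPM+PIN protector.
# Assumes the built-in BitLocker module (Get-BitLockerVolume etc.) and the
# standard FVE Group Policy registry values; run elevated.

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    $results = foreach ($vol in Get-BitLockerVolume) {
        # Only pre-boot protectors on the operating-system volume matter here.
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }

        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpm      = $types -contains 'Tpm'
        $hasTpmPin   = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $hasStartKey = $types -contains 'TpmStartupKey'

        # TPM-only: a bare TPM protector and nothing that requires user input at boot.
        $tpmOnly = $hasTpm -and -not $hasTpmPin -and -not $hasStartKey

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = $tpmOnly
            Finding          = $(if ($tpmOnly) { 'TPM-only: add a PIN protector' }
                                 elseif ($hasTpmPin) { 'TPM+PIN present' }
                                 else { 'Review protector set' })
        }
    }
    return $results
}

function Test-TpmPinPolicyAllowed {
    # Policy "Require additional authentication at startup" (UseAdvancedStartup=1)
    # with UseTPMPIN = 2 (Allow) or 1 (Require) must be in place before
    # Add-BitLockerKeyProtector -TpmAndPinProtector will succeed. Assumed values.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { return $false }
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    return ($p.UseAdvancedStartup -eq 1) -and (@(1, 2) -contains $p.UseTPMPIN)
}

function Add-TpmPinProtectorIfMissing {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -contains 'TpmPin') {
        Write-Verbose "$MountPoint already has a TpmPin protector"
        return
    }
    if (-not (Test-TpmPinPolicyAllowed)) {
        throw 'FVE policy does not allow TPM+PIN; enable "Require additional authentication at startup" first'
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Re-read the volume and remove any bare TPM protector that is still present,
    # otherwise the volume can still unlock without the PIN.
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    $bare  = $after.KeyProtector | Where-Object { $_.KeyProtectorType.ToString() -eq 'Tpm' }
    foreach ($kp in $bare) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

# Usage: report first, then remediate flagged volumes.
Get-BitLockerProtectorAudit | Format-Table -AutoSize
# $pin = Read-Host -AsSecureString 'New pre-boot PIN'
# Add-TpmPinProtectorIfMissing -MountPoint 'C:' -Pin $pin
```

The audit function emits one object per OS volume so the output can be collected across a fleet (for example via Invoke-Command) and filtered on TpmOnly. Remediation is kept in a separate function and left commented out in the usage line, since adding a PIN changes what users see at boot and should go through change control; a recovery password protector should already be escrowed before the bare TPM protector is removed.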
For GreenPlasma, no workarounds currently exist. The partial exploit code released triggers a UAC consent prompt in default Windows configurations, meaning a fully silent exploit chain remains incomplete—but weaponization is likely only a matter of time.
Organizations handling sensitive data should review their endpoint security posture, particularly for devices that may be physically accessible to adversaries. The combination of these two vulnerabilities could enable an attacker with brief physical access to bypass disk encryption and then elevate privileges to SYSTEM once inside the running OS.
Security teams tracking unpatched Microsoft vulnerabilities should also review the Copy Fail Linux kernel flaw that CISA added to its KEV catalog earlier this month, as multi-platform environments face simultaneous privilege escalation risks.
Frequently Asked Questions
Can YellowKey be exploited remotely? No. YellowKey requires physical access to the target device and the ability to boot from a USB drive or modify the EFI partition. Remote exploitation is not possible.
Are BitLocker TPM+PIN configurations affected? According to the researcher, TPM+PIN protection remains vulnerable but that exploit variant has not been released. Implementing a PIN still provides defense-in-depth against the currently public attack.
When will Microsoft release patches? Microsoft has not announced a timeline for addressing either vulnerability. Given the researcher's adversarial relationship with Microsoft's security team, coordination on disclosure timelines appears unlikely.