Researcher Drops YellowKey, GreenPlasma Windows Zero-Days
Researcher Drops YellowKey, GreenPlasma Windows Zero-Days
https://www.securityweek.com/researcher-drops-yellowkey-greenplasma-windows-zero-days/
Publish Date: 2026-05-14 03:27:00
Source Domain: www.securityweek.com
A disgruntled security researcher this week publicly disclosed two zero-day vulnerabilities in Windows that enable BitLocker bypass and privilege escalation.
BitLocker, Windows’ built-in full-volume encryption feature, relies on TPM (Trusted Platform Module) to deliver hardware-based security, protecting users’ data from unauthorized access if the device is stolen or lost.
On Tuesday, a cybersecurity researcher known as Chaotic Eclipse and Nightmare Eclipse published proof-of-concept (PoC) code that allows an attacker with physical access to a machine running Windows 11 to bypass BitLocker and gain unrestricted access to the storage volume. The exploit has been dubbed YellowKey.
This is not the first time Chaotic Eclipse has disclosed unpatched vulnerabilities in Microsoft products, and the researcher previously suggested they are displeased with the tech giant’s handling of vulnerability reports.
According to the researcher, the underlying issue for YellowKey is a well-hidden vulnerability without an explicit root cause, and could be a backdoor intentionally planted into BitLocker.
The researcher’s exploit chain begins with copying a PoC folder to a USB drive and plugging it into a Windows machine that has BitLocker on, albeit copying the files to the EFI partition could do the trick without the removable drive.
Next, one would need to reboot the device to Windows Recovery Environment (WinRE) by holding the Shift key while clicking ‘Restart’, then immediately release Shift and press and hold the Ctrl key until a command prompt window spawns, providing access to the protected volume.
“Now, why would I say this is a backdoor? The component that is responsible for this bug is not present anywhere (even on the internet) except inside WinRE image, and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal Windows…
