{"id":246933,"date":"2026-05-14T05:25:00","date_gmt":"2026-05-14T09:25:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/14\/windows-zero-days-expose-bitlocker-bypasses-and-ctfmon-privilege-escalation\/"},"modified":"2026-05-15T19:20:07","modified_gmt":"2026-05-15T23:20:07","slug":"windows-zero-days-expose-bitlocker-bypasses-and-ctfmon-privilege-escalation","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/14\/windows-zero-days-expose-bitlocker-bypasses-and-ctfmon-privilege-escalation\/","title":{"rendered":"Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-zero-days-expose-bitlocker.html\">Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-zero-days-expose-bitlocker.html\">https:\/\/thehackernews.com\/2026\/05\/windows-zero-days-expose-bitlocker.html<\/a><\/p>\n<p>Publish Date: 2026-05-14 05:25:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting Windows Collaborative Translation Framework (CTFMON).<\/p>\n<p>The security defects have been codenamed <strong>YellowKey<\/strong> and <strong>GreenPlasma<\/strong>, respectively, by the researcher, who goes by the online aliases Chaotic Eclipse and Nightmare-Eclipse.<\/p>\n<p>The researcher described YellowKey as &#8220;one of the most insane discoveries I ever found,&#8221; likening the BitLocker bypass to functioning as a backdoor, as the bug is present only in the Windows Recovery Environment (WinRE), a built-in framework designed to troubleshoot and repair common unbootable operating system 
issues.<\/p>\n<p>YellowKey affects Windows 11 and Windows Server 2022\/2025. At a high level, it involves copying specially crafted &#8220;FsTx&#8221; files on a USB drive or the EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into WinRE, and triggering a shell by holding down the CTRL key.<\/p>\n<p>&#8220;I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden,&#8221; the researcher explained. &#8220;Second thing is, no, TPM+PIN does not help, the issue is still exploitable regardless.&#8221;<\/p>\n<p>Security researcher Will Dormann, in a post shared on Mastodon, said, &#8220;I was able to reproduce [YellowKey] with a USB drive attached,&#8221; adding, &#8220;it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment.&#8221;<\/p>\n<p>&#8220;While the TPM-only BitLocker bypass is indeed interesting, I think the buried lede here is that a System Volume Information\\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed,&#8221; Dormann pointed out. 
&#8220;To me, this&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-zero-days-expose-bitlocker.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation https:\/\/thehackernews.com\/2026\/05\/windows-zero-days-expose-bitlocker.html Publish Date: 2026-05-14 05:25:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":246934,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgXt7ooDl2PwJY4nazAKdW9rmILsmosve2FZaO9usxTk_rkksEEvsLgY-uc_MErXvjvusuWjN7PWRM9KaRXB1OkL75gio7tcqpMsPZxaFNE9XDpYmARH3Dw_gGgddwWXHSt5VUJ-lb56F9bCVzTYghEo7qELWVv8K_W8V1BrWgssgqWkzPJxW6I31i_GyYf\/s1600\/windowss.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-246933","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/246933"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=246933"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/246933\/revisions"}],"predecessor-version":[{"id":246936,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/246933\/revisions\/246936"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/246934"}],"wp:attachment"
:[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=246933"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=246933"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=246933"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}