The anonymous cybersecurity researcher who disclosed three vulnerabilities in Microsoft Defender is back with two more zero-days involving BitLocker bypass and privilege escalation affecting Windows Collaborative Translation Framework (CTFMON).
The security flaws have been codenamed YellowKey and GreenPlasma by researchers operating under the online aliases Chaotic Eclipse and Nightmare-Eclipse, respectively.
The researcher described YellowKey as “one of the most insane discoveries I’ve ever made,” likening it to BitLocker bypass acting as a backdoor. This bug exists only in Windows Recovery Environment (WinRE). Windows Recovery Environment (WinRE) is a built-in framework designed to troubleshoot and repair common unbootable operating system problems.
YellowKey affects Windows 11 and Windows Server 2022/2025. At a high level, this involves copying a specially crafted “FsTx” file to a USB drive or EFI partition, turning on BitLocker protection, connecting the USB drive to a targeted Windows computer, restarting WinRE, and booting a shell while holding down the CTRL key.
“I think it will take even MSRC some time to find the real root cause of the problem. We could never understand why this vulnerability was so well hidden,” the researcher explained. “Secondly, no, TPM+PIN is useless. The problem is still exploitable.”
“I was able to reproduce it,” security researcher Will Dorman said in a post shared on Mastodon. [YellowKey] It added that if a USB drive is connected, “the transactional NTFS bit on the USB drive appears to allow deletion of the winpeshl.ini file on another drive (X:).” And instead of the expected Windows recovery environment, the cmd.exe prompt appears with BitLocker unlocked. ”
“While TPM-only BitLocker bypass is certainly interesting, I think the hidden issue here is that the \System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume during playback,” Dormann noted. “To me, this seems like a vulnerability in itself.”
The second vulnerability reported by Chaotic Eclipse is a privilege escalation security issue that can be exploited to obtain a shell with SYSTEM privileges. This occurs as a result of what is described as arbitrary section creation in Windows CTFMON.
The released proof of concept (PoC) is incomplete and lacks the code necessary to obtain a complete SYSTEM shell. In its current form, this exploit allows an unprivileged user to create arbitrary memory section objects in directory objects that are writable by SYSTEM, potentially allowing the operation of privileged services or drivers that implicitly trust these paths, since standard users do not have write access to those locations.
The development comes nearly a month after the researcher published three Defender zero-days called BlueHammer, RedSun, and UnDefend, citing frustration with the handling of Microsoft’s vulnerability disclosure process. This shortcoming has since been actively exploited in practice.
Although BlueHammer was officially assigned the identifier CVE-2026-33825 and patched by Microsoft last month, Chaotic Eclipse said the tech giant appears to have “silently” addressed RedSun without issuing an advisory.
“I hope you at least try to resolve the situation responsibly, but I’m not sure what kind of reaction you expected from me when you added more fuel to the fire after the blue hammer,” the researcher said. “The fire will burn for as long as you want it to, until you put it out or there is nothing left to burn.”
Chaotic Eclipse also promised a “big surprise” for Microsoft in time for the next Patch Tuesday release in June 2026.
When asked for comment, a Microsoft spokesperson previously told The Hacker News that “there is a commitment from our customers that we investigate reported security issues and update affected devices as quickly as possible to protect our customers,” adding that the company supports coordinated vulnerability disclosure and that the company “helps ensure that issues are carefully investigated and addressed before going public.”
BitLocker downgrade attack discovered
The development comes as French cybersecurity company Intrinsec details an attack chain against BitLocker that exploits CVE-2025-48804 (CVSS score: 6.8) to leverage a boot manager downgrade to bypass cryptographic protections on a fully patched Windows 11 system within five minutes.
“The principle is as follows: The boot manager loads the system deployment image (SDI) file and the WIM it references and verifies the integrity of the legitimate WIM,” Intrinsec said.
“However, when a second WIM with a modified blob table is added to SDI, the boot manager checks the first (legitimate) WIM while simultaneously booting from the second (attacker-controlled) WIM. This second WIM contains a WinRE image infected with ‘cmd.exe’ that runs on the decrypted BitLocker volume.
A patch released by Microsoft resolved this security flaw in July 2025, but security researcher Cassius Garat said the problem lies in the fact that Secure Boot only verifies the signing certificate, not the version of the binary. As a result, it is possible to bypass BitLocker safeguards using a vulnerable version of ‘bootmgfw.efi’ that does not include the patch and is signed with a trusted PCA 2011 certificate.
It’s worth noting that Microsoft plans to retire the old PCA 2011 certificate next month. “And unless revoked, even old and vulnerable boot managers can load without triggering alerts,” Intrinsec said. To carry out an attack, the attacker must have physical access to the target machine.
To combat this risk, it is important to enable BitLocker PIN for pre-boot authentication at boot time, migrate the boot manager to CA 2023 certificates, and revoke old PCA 2011 certificates.
Source link
