Security pros warn YellowKey claim could make stolen laptops a much bigger problem
Analysis Summary
# Vulnerability: YellowKey (BitLocker Bypass) and GreenPlasma (Privilege Escalation)
## CVE Details
- **CVE ID**: Pending/not yet assigned (released as zero-days after the May 2026 Patch Tuesday). Note: a previous bug from this researcher is tracked as CVE-2026-32201.
- **CVSS Score**: Estimated 6.8 - 7.5 (Medium/High)
- **CWE**: CWE-287 (Improper Authentication) / CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products**: Microsoft Windows
- **Versions**: Likely all current versions of Windows 10 and 11 utilizing BitLocker and standard User Account Control (UAC).
- **Configurations**:
  - **YellowKey**: Systems using BitLocker without a pre-boot PIN.
  - **GreenPlasma**: Default Windows configurations where an attacker has obtained an initial foothold but lacks SYSTEM privileges.
## Vulnerability Description
This disclosure covers two distinct flaws leaked by the researcher "Nightmare-Eclipse":
1. **YellowKey**: A BitLocker bypass mechanism. By using a specific key sequence and a prepared USB drive, an attacker can bypass the encryption's "last line of defense" to gain unrestricted shell access to the encrypted drive. The researcher alleges the flaw stems from a Microsoft-injected backdoor, though this remains unverified.
2. **GreenPlasma**: A privilege escalation flaw. It allows an attacker to elevate their permissions to SYSTEM level. Currently, the exploit triggers a UAC consent prompt in default configurations, preventing a completely "silent" execution without further weaponization.
## Exploitation
- **Status**: PoC available (YellowKey provided as ready-to-load USB files; GreenPlasma released as partial exploit code).
- **Complexity**:
  - **YellowKey**: Medium (requires specific hardware and sequence).
  - **GreenPlasma**: High (currently requires further weaponization to bypass UAC silently).
- **Attack Vector**:
  - **YellowKey**: Physical.
  - **GreenPlasma**: Local.
## Impact
- **Confidentiality**: High (Complete access to encrypted files via YellowKey).
- **Integrity**: High (SYSTEM access via GreenPlasma allows for deep system modification).
- **Availability**: High (Total system control).
## Remediation
### Patches
- **None**: As of the report date, these are active zero-day vulnerabilities. Windows users should monitor upcoming Microsoft Security Updates for official patches.
### Workarounds
- **YellowKey**: Implement a strong **BitLocker PIN** (pre-boot authentication) and a **BIOS/UEFI password lock** to prevent unauthorized USB booting and pre-OS access.
- **GreenPlasma**: No specific software workaround; maintain least-privilege principles and monitor for unusual UAC prompts.
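The following PowerShell script is an added example, not code from the report or from Microsoft: it audits the key protectors on the OS volume and, with `-Enforce`, adds a TPM+PIN protector and removes the TPM-only one so the drive can no longer unlock without pre-boot authentication. It assumes the OS volume is `C:`, that Group Policy allows TPM+PIN at startup, and that it is run from an elevated session.

```powershell
# Added example (not from the original report): report whether the OS volume relies on a
# TPM-only protector (the configuration YellowKey targets) and optionally move it to TPM+PIN.
# Assumes the OS volume is C:, that policy permits TPM+PIN startup, and an elevated session.
param(
    [string]$MountPoint = "C:",
    [switch]$Enforce            # without -Enforce the script only reports
)

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

"Volume {0}: ProtectionStatus={1} Protectors={2}" -f $MountPoint, $vol.ProtectionStatus, ($types -join ",")

$tpmOnly = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "Tpm" })
if ($types -contains "TpmPin") {
    "OK: a pre-boot PIN is already required on $MountPoint."
    return
}
"WARNING: no TPM+PIN protector on $MountPoint; the volume unlocks with the TPM alone."

if (-not $Enforce) { return }

# Never remove the last non-recovery protector without an escrowed recovery password.
if (-not ($types -contains "RecoveryPassword")) {
    "ABORT: no recovery password protector found; escrow one (e.g. Add-BitLockerKeyProtector -RecoveryPasswordProtector) first."
    return
}

# Read the PIN as a SecureString so it is not left in console history or transcripts.
$pin = Read-Host -AsSecureString -Prompt "Enter new BitLocker startup PIN"
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# Drop the TPM-only protector so the PIN cannot be bypassed by the older unlock path.
foreach ($p in $tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}
"Added TPM+PIN protector and removed the TPM-only protector on $MountPoint."
```

Run it without `-Enforce` first across the fleet to inventory TPM-only volumes; the BIOS/UEFI password and boot-order lock recommended above still have to be set in firmware, which this script does not touch.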
## Detection
- **Indicators of Compromise**:
  - Presence of unauthorized USB devices during boot.
  - Unexpected UAC (User Account Control) elevation prompts from unknown or suspicious processes.
- **Detection Methods**:
  - Monitor for tools related to "Nightmare-Eclipse" (RedSun, UnDefend, BlueHammer), which are often bundled in similar campaigns.
  - Audit event logs for successful and failed privilege elevation attempts.
## References
- Nightmare-Eclipse GitHub: hxxps[://]github[.]com/Nightmare-Eclipse/YellowKey
- Nightmare-Eclipse GitHub: hxxps[://]github[.]com/Nightmare-Eclipse/GreenPlasma
- Huntress Analysis: hxxps[://]www[.]huntress[.]com/blog/nightmare-eclipse-intrusion