Full Report
An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting Windows Collaborative Translation Framework (CTFMON). The security defects have been codenamed YellowKey and GreenPlasma, respectively, by the researcher, who goes by the online aliases Chaotic Eclipse
Analysis Summary
# Vulnerability: YellowKey (BitLocker Bypass) and GreenPlasma (CTFMON LPE)
## CVE Details
- **CVE ID**: Pending/Not yet assigned by Microsoft (Researcher disclosed as Zero-Day).
- **CVSS Score**: Estimated 7.0 - 8.0+ (High/Critical depending on physical access vs. impact).
- **CWE**:
  - YellowKey: CWE-287 (Improper Authentication) / CWE-642 (External Control of Critical State Data).
  - GreenPlasma: CWE-269 (Improper Privilege Management).
## Affected Systems
- **Products**: Microsoft Windows.
- **Versions**: Windows 11, Windows Server 2022, and Windows Server 2025.
- **Configurations**:
  - **YellowKey**: Systems with BitLocker enabled, utilizing the Windows Recovery Environment (WinRE). Note: TPM+PIN configurations do **not** prevent this bypass.
  - **GreenPlasma**: Systems running the Windows Collaborative Translation Framework (CTFMON).
## Vulnerability Description
**YellowKey (BitLocker Bypass):**
The flaw resides in how the Windows Recovery Environment (WinRE) handles Transactional NTFS (FsTx) files. An attacker can use specially crafted files on an external USB or EFI partition. When the system reboots into WinRE, the FsTx replay mechanism on the external drive can be used to manipulate or delete critical files (such as `winpeshl.ini`) on the protected system drive (X:). By holding the CTRL key during this process, the system drops to a `cmd.exe` prompt with the BitLocker partition fully unlocked, bypassing the expected recovery security.
**GreenPlasma (Privilege Escalation):**
This involves an "arbitrary section creation" bug within the Windows CTFMON. It allows an unprivileged user to create memory section objects inside directory objects that are normally only writable by the SYSTEM account. This can be used to manipulate privileged services or drivers that trust those specific memory paths.
## Exploitation
- **Status**: PoC available (YellowKey is fully reproducible; GreenPlasma PoC is currently "incomplete" but demonstrates the primitive).
- **Complexity**:
  - YellowKey: Medium (Requires specific file placement and timing).
  - GreenPlasma: Medium.
- **Attack Vector**:
  - YellowKey: Physical (Requires USB access/reboot).
  - GreenPlasma: Local (Requires existing low-privilege access).
## Impact
- **Confidentiality**: High (YellowKey grants full access to encrypted data).
- **Integrity**: High (GreenPlasma allows for SYSTEM shell acquisition and system-level changes).
- **Availability**: High.
## Remediation
### Patches
- **YellowKey**: No official patch available as of May 14, 2026.
- **GreenPlasma**: No official patch available.
*(Note: Microsoft reportedly "silently" patched related vulnerabilities from this researcher in the past, but these specific issues remain zero-days.)*
### Workarounds
- **YellowKey**: Disable the Windows Recovery Environment (WinRE) using the command `reagentc /disable`.
- **GreenPlasma**: Restrict local user access and monitor for unusual child processes spawning from `ctfmon.exe`.
## Detection
- **Indicators of Compromise**: Presence of unexpected `FsTx` directories in `\System Volume Information\` on external volumes. Evidence of `winpeshl.ini` modification or deletion in WinRE logs.
- **Detection Methods**: Monitor for unauthorized physical access or unexpected reboots into Recovery Mode. Use EDR to flag `ctfmon.exe` attempting to create section objects in SYSTEM-protected directories.
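The following PowerShell triage script is an added example, not code from the researcher or from Microsoft: it checks whether the YellowKey workaround (WinRE disabled via `reagentc`) is in place, and it hunts Sysmon process-creation events (Event ID 1) for child processes of `ctfmon.exe`, the GreenPlasma indicator named above. It assumes Sysmon is installed with process-creation logging enabled and that it is run from an elevated prompt.

```powershell
# Added triage helper (not from the advisory or the PoC repositories).
# Assumes: Sysmon installed with Event ID 1 (process creation) enabled; elevated shell.

function Get-WinReStatus {
    # 'reagentc /info' prints a line such as "Windows RE status:  Enabled".
    $info = reagentc /info 2>&1 | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Get-CtfmonChildProcesses {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the EventData name/value pairs from the event XML rather than relying
        # on positional Properties, which shift between Sysmon versions.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields['ParentImage'] -like '*\ctfmon.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $fields['User']
                Image       = $fields['Image']
                CommandLine = $fields['CommandLine']
            }
        }
    }
}

$reStatus = Get-WinReStatus
Write-Host "WinRE status: $reStatus"
if ($reStatus -eq 'Enabled') {
    Write-Host "YellowKey workaround not applied: 'reagentc /disable' turns WinRE off (this also removes Reset/recovery functionality)."
}

# ctfmon.exe normally has no reason to spawn children; baseline before alerting.
$children = @(Get-CtfmonChildProcesses -Hours 24)
Write-Host ("ctfmon.exe child processes in the last 24h: {0}" -f $children.Count)
$children | Format-Table -AutoSize
```

Any hit from `Get-CtfmonChildProcesses` should be triaged against the host's baseline before it is treated as GreenPlasma activity, since the script reports every child of `ctfmon.exe`, not only malicious ones.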
## References
- **Researcher Blog**: hxxps[://]deadeclipse666[.]blogspot[.]com/2026/05/two-more-public-disclosures-it-will.html
- **YellowKey PoC**: hxxps[://]github[.]com/Nightmare-Eclipse/YellowKey
- **GreenPlasma PoC**: hxxps[://]github[.]com/Nightmare-Eclipse/GreenPlasma
- **Technical Commentary**: hxxps[://]infosec[.]exchange/@wdormann/116565129854382214