Full Report
Two novel Windows zero-day vulnerabilities were recently disclosed publicly: YellowKey, which bypasses BitLocker drive encryption, and GreenPlasma, a local privilege escalation bug that targets a trusted Windows process called CTFMON. Nightmare-Eclipse (aka Chaotic Eclipse), a researcher who grew frustrated with Microsoft’s bug-reporting process, dropped both vulnerabilities simultaneously on GitHub, keeping to his stated intent of releasing Windows vulnerabilities in waves.
Analysis Summary
# Vulnerability: YellowKey BitLocker Bypass
## CVE Details
- **CVE ID**: Pending/Not yet assigned by Microsoft (Zero-day)
- **CVSS Score**: N/A (Estimated High/Critical for physical access scenarios)
- **CWE**: CWE-288: Authentication Bypass Using an Alternate Path
## Affected Systems
- **Products**: Microsoft Windows
- **Versions**: Windows 11 and Windows Server 2025
- **Configurations**: Systems with BitLocker Drive Encryption enabled and Windows Recovery Environment (WinRE) accessible.
## Vulnerability Description
YellowKey targets a weakness in how the Windows Recovery Environment (WinRE) handles volumes protected by BitLocker. It exploits a "behavioral trust assumption" within the recovery interface. By entering a specific key combination during the pre-boot recovery sequence, an attacker can trigger a flaw that spawns an unrestricted command shell. This shell provides full access to the encrypted volume, bypassing the requirement for a BitLocker recovery key or user credentials.
## Exploitation
- **Status**: PoC available (released on GitHub); assessed as an active threat.
- **Complexity**: Low
- **Attack Vector**: Physical (Requires physical access and a USB device)
## Impact
- **Confidentiality**: Total (Full access to all data on the encrypted drive)
- **Integrity**: High (Ability to modify system files and data at rest)
- **Availability**: High (Ability to delete data or render the system unbootable)
---
# Vulnerability: GreenPlasma Local Privilege Escalation
## CVE Details
- **CVE ID**: Pending/Not yet assigned by Microsoft (Zero-day)
- **CVSS Score**: N/A (Estimated High for LPE)
- **CWE**: CWE-269: Improper Privilege Management
## Affected Systems
- **Products**: Microsoft Windows
- **Versions**: All versions utilizing CTFMON (Current Windows builds)
- **Configurations**: Standard Windows installations
## Vulnerability Description
GreenPlasma is a Local Privilege Escalation (LPE) bug targeting the `CTFMON.exe` process (the Windows Text Input Management service). The flaw is abused by establishing an attacker-controlled memory section against the CTFMON object. This allows a low-privileged user to execute code with full SYSTEM-level privileges without requiring administrative rights or credentials.
## Exploitation
- **Status**: PoC available (released on GitHub); integration into APT and ransomware toolsets is considered likely.
- **Complexity**: Medium
- **Attack Vector**: Local
## Impact
- **Confidentiality**: High
- **Integrity**: High
- **Availability**: High
- **Note**: Full system takeover from a limited user account.
---
# Remediation & Detection (Combined)
## Remediation
### Patches
- **As of May 19, 2026**: No patches are currently available from Microsoft for YellowKey or GreenPlasma.
### Workarounds
- **YellowKey**:
  - Disable the Windows Recovery Environment (WinRE) to prevent pre-boot access.
  - Implement strict physical security and disable booting from USB in BIOS/UEFI.
  - Set a BIOS/UEFI password to prevent unauthorized boot sequence changes.
- **GreenPlasma**:
  - Restrict execution of unauthorized binaries using AppLocker or Windows Defender Application Control (WDAC).
  - Implement EDR (Endpoint Detection and Response) to monitor for suspicious child processes spawning from `ctfmon.exe`.
## Detection
- **Indicators of Compromise (IoCs)**:
  - GitHub Repositories: `github[.]com/Nightmare-Eclipse/*`
  - Presence of "BeigeBurrow" or `agent.exe` tunneling tools.
  - Suspicious VPN authentication patterns (notably Russia-geolocated IPs).
- **Detection Methods**:
  - Monitor for unexpected command shells (`cmd.exe` or `powershell.exe`) originating during the boot phase or from `ctfmon.exe`.
  - Audit WinRE status changes across the fleet.
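A minimal form of the `ctfmon.exe` detection method above, run over process-creation events. This is an added example, not code from the original report or from the researcher; the field names follow Sysmon Event ID 1 (`Image`, `ParentImage`, `User`, `IntegrityLevel`), and the sample records are constructed for the example.

```python
from pathlib import PureWindowsPath

# Shells the report names as unexpected children of ctfmon.exe.
SHELLS = {"cmd.exe", "powershell.exe"}
PARENT = "ctfmon.exe"

# Constructed Sysmon Event ID 1-style records (made up for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2026-05-19 09:12:01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\ctfmon.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"UtcTime": "2026-05-19 09:12:30", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice", "IntegrityLevel": "Medium"},
    {"UtcTime": "2026-05-19 09:13:05",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\ctfmon.exe",
     "User": r"CORP\alice", "IntegrityLevel": "Medium"},
    {"UtcTime": "2026-05-19 09:14:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice", "IntegrityLevel": "Medium"},
]

def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'cmd.exe'."""
    return PureWindowsPath(path).name.lower()

def flag_ctfmon_shells(events):
    """Return (event, severity) pairs for cmd/powershell spawned by ctfmon.exe.

    Severity is 'high' when the child already runs as SYSTEM (the outcome the
    report describes for GreenPlasma) and 'medium' otherwise, so the
    parent/child pair is still triaged.
    """
    hits = []
    for ev in events:
        if basename(ev.get("ParentImage", "")) != PARENT:
            continue
        if basename(ev.get("Image", "")) not in SHELLS:
            continue
        elevated = (ev.get("IntegrityLevel", "").lower() == "system"
                    or ev.get("User", "").upper().endswith("\\SYSTEM"))
        hits.append((ev, "high" if elevated else "medium"))
    return hits

if __name__ == "__main__":
    for ev, sev in flag_ctfmon_shells(SAMPLE_EVENTS):
        print(f"[{sev}] {ev['UtcTime']} {ev['Image']} <- {ev['ParentImage']} as {ev['User']}")
```

On real telemetry, feed the same function the parsed Sysmon or Security 4688 records from your SIEM export; the match is on the parent/child pair, so image-path casing and PowerShell install location do not affect it.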
## References
- **Researcher Intent**: https://deadeclipse666[.]blogspot[.]com/2026/04/public-disclosure-response-for-cve-2026.html
- **Vendor Advisory**: No official Microsoft advisory issued at the time of the report.
- **Source Article**: https://www[.]levelblue[.]com/blogs/spiderlabs-blog/yellowkey-and-greenplasma-two-new-windows-zero-days-unveiled