

Ethical Hacking News

The Shadowy World of Cybersecurity Vulnerabilities: A Deep Dive into YellowKey and GreenPlasma


Two new zero-day vulnerabilities, codenamed YellowKey and GreenPlasma, have been discovered in Microsoft Defender, threatening the security of Windows 11 systems. The vulnerabilities allow for a backdoor bypass and privilege escalation, raising concerns about the handling of vulnerability disclosure by Microsoft.

  • Two zero-day vulnerabilities (YellowKey and GreenPlasma) have been discovered in Microsoft Defender.
  • The vulnerabilities allow for a backdoor bypass and privilege escalation, posing a significant threat to Windows 11 systems.
  • The researcher, Chaotic Eclipse, has expressed dissatisfaction with Microsoft's handling of vulnerability disclosure.
  • A new attack chain has been detailed against BitLocker that leverages a boot manager downgrade to bypass encryption protections on fully patched Windows 11 systems.



    A new era of vulnerability has emerged, threatening the very foundations of cybersecurity. In a move that has sent shockwaves throughout the industry, an anonymous researcher known only by their handle "Chaotic Eclipse" has disclosed not one, but two zero-day vulnerabilities in Microsoft Defender, codenamed YellowKey and GreenPlasma. These revelations have left security experts scrambling to understand the severity of the issue and how it can be exploited.

    At its core, YellowKey appears to be a backdoor vulnerability, allowing an attacker to bypass BitLocker protections on Windows 11 systems by copying specially crafted "FsTx" files onto a USB drive or the EFI partition. The researcher, who has been vocal about their dissatisfaction with Microsoft's handling of vulnerability disclosure, has described this bug as "one of the most insane discoveries I ever found." This assertion is supported by security expert Will Dormann, who was able to reproduce the exploit using a USB drive attached to the target machine.

    According to Dormann, the vulnerability arises from a flawed transactional NTFS mechanism that allows an attacker to delete the winpeshl.ini file on another drive, effectively bypassing BitLocker protections. This mechanism can be exploited by an unprivileged user to create arbitrary memory section objects within directory objects writable by SYSTEM, potentially enabling manipulation of privileged services or drivers.

    The implications of this vulnerability are far-reaching, with experts warning that it could be used to obtain a shell with SYSTEM permissions, allowing an attacker to access sensitive areas of the system. However, the researcher has emphasized that the issue lies not in the existence of the vulnerability itself, but rather in the way Microsoft has chosen to handle its disclosure.

    The researcher's dissatisfaction with Microsoft's handling of vulnerability disclosure came to a head earlier this month, when they published three Defender zero-days dubbed BlueHammer, RedSun, and UnDefend. While these vulnerabilities have been officially assigned CVE numbers and patched by Microsoft, Chaotic Eclipse has expressed disappointment that the tech giant appears to have "silently" addressed RedSun without issuing any advisory.

    In a statement posted on Mastodon, Dormann said he hopes Microsoft will take steps to address the situation responsibly, adding that "the fire will go as long as you want, unless you extinguish it or until there is nothing left to burn." Chaotic Eclipse has also promised a "big surprise" for Microsoft, coinciding with the next Patch Tuesday release in June 2026.

    Meanwhile, French cybersecurity company Intrinsec has detailed an attack chain against BitLocker that leverages a boot manager downgrade by exploiting CVE-2025-48804 (CVSS score: 6.8) to bypass encryption protections on fully patched Windows 11 systems. The chain relies on an older, unpatched build of "bootmgfw.efi" that is still signed with the old PCA 2011 certificate and is therefore accepted by firmware that continues to trust that certificate, which can be used to get around BitLocker safeguards.
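    As an added defender-side example that is not part of this article or of Intrinsec's research, the following PowerShell inventories the trust state that a boot manager downgrade of this kind depends on: which CA issued the signing certificate of the boot manager installed on the EFI System Partition, and whether the firmware's Secure Boot database still trusts the PCA 2011 CA without having revoked it in DBX. The drive letter used to mount the ESP is an assumption; the certificate names are Microsoft's published CA names.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): report the boot manager's signing CA and
# the Secure Boot trust state on a Windows 11 host. Run from an elevated session.

$espLetter = 'S'   # assumption: a free drive letter to mount the EFI System Partition on

# Mount the ESP so the installed boot manager can be inspected.
mountvol "${espLetter}:" /S | Out-Null
try {
    $bootmgr = "${espLetter}:\EFI\Microsoft\Boot\bootmgfw.efi"
    $sig     = Get-AuthenticodeSignature -FilePath $bootmgr
    # The leaf certificate is issued by the CA of interest, so inspect the Issuer.
    $issuer  = $sig.SignerCertificate.Issuer
    $fileVer = (Get-Item $bootmgr).VersionInfo.FileVersion

    $signedByPca2011 = $issuer -match 'Microsoft Windows Production PCA 2011'
    $signedByCa2023  = $issuer -match 'Windows UEFI CA 2023'
} finally {
    # Unmount the ESP again regardless of the outcome.
    mountvol "${espLetter}:" /D | Out-Null
}

# Secure Boot variables: the DER-encoded certificates carry their CN as ASCII,
# so a string match on the raw bytes is enough to tell which CAs are present.
$db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
$trustsPca2011  = $db  -match 'Microsoft Windows Production PCA 2011'
$trustsCa2023   = $db  -match 'Windows UEFI CA 2023'
$revokedPca2011 = $dbx -match 'Microsoft Windows Production PCA 2011'

[pscustomobject]@{
    BootManagerVersion     = $fileVer
    BootManagerSignerCA    = $issuer
    SignedByPca2011        = $signedByPca2011
    SignedByUefiCa2023     = $signedByCa2023
    FirmwareTrustsPca2011  = $trustsPca2011
    FirmwareTrustsCa2023   = $trustsCa2023
    Pca2011RevokedInDbx    = $revokedPca2011
    # While the 2011 CA is trusted and not revoked, any older PCA-2011-signed
    # boot manager would still pass Secure Boot verification on this machine.
    OldBootManagerAccepted = ($trustsPca2011 -and -not $revokedPca2011)
} | Format-List
```

    A host reporting OldBootManagerAccepted as True has not yet completed the Secure Boot CA transition, which is the state to prioritise when rolling out firmware-level mitigations.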

    The security landscape continues to evolve at breakneck speed, with new vulnerabilities emerging every day. As cybersecurity experts and researchers scramble to understand the implications of these revelations, one thing is clear: the stakes have never been higher. In a world where vulnerability disclosure has become a lightning rod for controversy, it remains to be seen whether Microsoft will take steps to address its handling of vulnerability disclosure or if Chaotic Eclipse's "big surprise" will come to pass.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Shadowy-World-of-Cybersecurity-Vulnerabilities-A-Deep-Dive-into-YellowKey-and-GreenPlasma-ehn.shtml

  • https://thehackernews.com/2026/05/windows-zero-days-expose-bitlocker.html


  • Published: Thu May 14 06:35:35 2026 by llama3.2 3B Q4_K_M