Ethical Hacking News

Unveiling the Shadowy Windows Zero-Days: YellowKey and GreenPlasma


Researchers have discovered two new Windows zero-days, YellowKey and GreenPlasma, which pose significant threats to BitLocker-protected systems and the CTFMON framework. The vulnerabilities allow attackers to bypass protections, gain elevated privileges, or trigger denial-of-service attacks. Microsoft has only fixed one of the vulnerabilities, leaving organizations with a pressing need to patch their systems promptly.

  • Two new Windows zero-days have been discovered: YellowKey and GreenPlasma.
  • YellowKey allows bypassing BitLocker protections for encrypted volumes through the WinRE.
  • GreenPlasma enables privilege escalation in the CTFMON framework on Windows 11/Server 2022/2026.
  • Microsoft has only patched the BlueHammer flaw, leaving the other vulnerabilities unpatched.
  • Organizations are advised to patch YellowKey and GreenPlasma ASAP to mitigate potential risks.



Researchers have uncovered two new Windows zero-days, dubbed YellowKey and GreenPlasma, which pose a significant threat to BitLocker-protected systems and the CTFMON framework. The revelation comes courtesy of Chaotic Eclipse, a security researcher who has been actively disclosing vulnerabilities in Microsoft products.

The first issue, YellowKey, affects BitLocker, allowing attackers to bypass its protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE). This vulnerability can be exploited by placing specially crafted files inside the System Volume Information/FsTx directory on a USB drive or directly in the EFI partition. It is worth noting that YellowKey only affects systems running Windows 11 and Windows Server 2022/2025, with Windows 10 systems appearing to be immune.
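
The article names two staging locations for YellowKey (the System Volume Information\FsTx directory on removable media, and the EFI partition) and ties the bypass to WinRE. The following audit script is an added example written for this page; it is not code from the article, from Chaotic Eclipse, or from Microsoft. It assumes it is run elevated on the host being checked, that the BitLocker PowerShell module is installed, that S: is a free drive letter for temporarily mounting the EFI system partition, and that the FsTx path is exactly as the article gives it (the article does not document what that directory legitimately contains, so the script reports whatever it finds for review rather than labelling it malicious).

```powershell
# Added example (not from the article): defender-side inventory of the
# YellowKey-related surfaces described above. Assumptions: elevated session,
# BitLocker module present, S: unused, FsTx path taken verbatim from the article.

$findings = @()

# 1. BitLocker state of every volume the OS knows about.
Get-BitLockerVolume | ForEach-Object {
    $findings += [pscustomobject]@{
        Check  = 'BitLocker'
        Target = $_.MountPoint
        Detail = "ProtectionStatus=$($_.ProtectionStatus) VolumeStatus=$($_.VolumeStatus)"
    }
}

# 2. WinRE status as reported by reagentc; captured verbatim for the record.
$reagent = & reagentc.exe /info 2>&1 | Out-String
$findings += [pscustomobject]@{
    Check  = 'WinRE'
    Target = 'reagentc /info'
    Detail = ($reagent -replace '\s+', ' ').Trim()
}

# 3. Removable volumes: list anything under System Volume Information\FsTx.
Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
    $path = "$($_.DriveLetter):\System Volume Information\FsTx"
    if (Test-Path -LiteralPath $path) {
        $items = @(Get-ChildItem -LiteralPath $path -Force -Recurse -ErrorAction SilentlyContinue)
        $findings += [pscustomobject]@{
            Check  = 'RemovableFsTx'
            Target = $path
            Detail = "$($items.Count) item(s): " + (($items | ForEach-Object { $_.FullName }) -join '; ')
        }
    }
}

# 4. EFI system partition: mount it read-only for inspection via mountvol /s,
#    list everything outside the stock \EFI\Microsoft\ and \EFI\Boot\ trees
#    (a heuristic, not an allowlist), then dismount it again.
$efiLetter = 'S:'
if (-not (Test-Path -LiteralPath $efiLetter)) {
    & mountvol.exe $efiLetter /s | Out-Null
    try {
        $efiItems = @(Get-ChildItem -LiteralPath $efiLetter -Force -Recurse -ErrorAction SilentlyContinue)
        $unexpected = $efiItems | Where-Object { $_.FullName -notmatch '\\EFI\\(Microsoft|Boot)\\' }
        $findings += [pscustomobject]@{
            Check  = 'EFI'
            Target = $efiLetter
            Detail = "$($efiItems.Count) item(s); outside stock trees: " +
                     (($unexpected | ForEach-Object { $_.FullName }) -join '; ')
        }
    } finally {
        & mountvol.exe $efiLetter /d | Out-Null
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The output is an inventory, not a verdict: a populated FsTx directory on a USB stick or an unfamiliar file on the EFI partition is a prompt to compare against a known-good image of the same build, and the BitLocker and WinRE rows give the context needed to judge whether a bypass through WinRE is even reachable on that host.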

Chaotic Eclipse has raised suspicions about the intentional design of this vulnerability by pointing out that the affected component is not found anywhere on the internet except within the WinRE image. The researcher hypothesizes that the presence of the exact same component, with identical functionality but without the bypass capability, may indicate an intentional backdoor. Furthermore, it is unclear why YellowKey only affects Windows 11 and Server 2022/2025 systems.

The second issue, GreenPlasma, is a privilege escalation vulnerability affecting the CTFMON framework on Windows 11 and Windows Server 2022/2026. This flaw enables attackers to create arbitrary memory section objects inside directories writable by SYSTEM, thereby potentially escalating privileges to SYSTEM level. Chaotic Eclipse has withheld the full exploit code but warned that skilled attackers could still leverage this vulnerability for full privilege escalation.

GreenPlasma's proof-of-concept exploit abuses trusted paths used by services and kernel drivers; it is this abuse that lets an attacker create arbitrary memory section objects within SYSTEM-writable directories and, from there, gain elevated privileges. As noted, the researcher has not released the full exploit code.

In addition to YellowKey and GreenPlasma, Chaotic Eclipse had previously disclosed three Microsoft Defender vulnerabilities: BlueHammer, RedSun, and UnDefend. RedSun and UnDefend allow attackers to escalate privileges locally within Microsoft Defender, while BlueHammer triggers a denial of service that weakens protection.

Microsoft has only fixed the BlueHammer flaw, tracked as CVE-2026-33825, but the other vulnerabilities remain unpatched. Huntress researchers have reported real-world exploitation of all three flaws by attackers who appear to be using publicly available exploit code released by Chaotic Eclipse. The victims and attackers in these cases are currently unknown.

In light of this information, it is crucial for organizations running Windows systems to prioritize patching YellowKey and GreenPlasma as soon as possible. While the impact of this discovery may not be immediately felt by most users, being proactive about security can help mitigate potential risks and prevent future breaches.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Unveiling-the-Shadowy-Windows-Zero-Days-YellowKey-and-GreenPlasma-ehn.shtml

  • https://securityaffairs.com/192173/hacking/researchers-uncover-yellowkey-and-greenplasma-windows-zero-days.html

  • https://labs.cloudsecurityalliance.org/research/csa-research-note-defender-triple-zero-day-bluehammer-redsun/

  • https://github.com/3ch0p01nt/RedSun_Undefend

  • https://thewincentral.com/windows-11-yellowkey-greenplasma-bitlocker-exploits-chaotic-eclipse/

  • https://x.com/Pirat_Nation/status/2054320722353217974


  • Published: Fri May 15 03:29:57 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.