New Zero-Day Vulnerabilities Uncovered in Windows BitLocker and CTFMON
A cybersecurity researcher has disclosed two new zero-day vulnerabilities affecting **Windows**, impacting **BitLocker** and the **Windows Collaborative Translation Framework (CTFMON)**. Dubbed **YellowKey** and **GreenPlasma**, these flaws could lead to BitLocker bypass and privilege escalation, respectively.

An anonymous cybersecurity researcher, known online as Chaotic Eclipse and Nightmare-Eclipse, has revealed two new zero-day vulnerabilities after previously disclosing three **Microsoft Defender** flaws. The new vulnerabilities, named **YellowKey** and **GreenPlasma**, pose significant risks to **Windows** systems.
### YellowKey: BitLocker Bypass
**YellowKey**, described by the researcher as "one of the most insane discoveries I ever found," is a **BitLocker** bypass vulnerability affecting **Windows 11** and **Windows Server 2022/2025**. This vulnerability resides within the **Windows Recovery Environment (WinRE)**.
The attack involves placing crafted Transactional NTFS (TxF) "FsTx" files, kept under a `\System Volume Information\FsTx` directory, on a USB drive or on the EFI system partition. Booting the target **Windows** computer (with **BitLocker** enabled) into **WinRE** and triggering a shell (by holding CTRL) then yields a command prompt with the **BitLocker** volume already unlocked, instead of the expected recovery environment.
The researcher noted, "I think it will take a while even for **MSRC** to find the real root cause of the issue... Second thing is, no, TPM+PIN does not help, the issue is still exploitable regardless."
Security researcher Will Dormann confirmed the exploit, stating, "I was able to reproduce [YellowKey] with a USB drive attached... it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with **BitLocker** unlocked instead of the expected **Windows Recovery** environment."
Dormann further highlighted that the ability of a `\System Volume Information\FsTx` directory on one volume to modify another volume's contents is a vulnerability in itself.
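The following PowerShell script is an added example, not code from the disclosure or from the researcher's proof-of-concept. It hunts for the `\System Volume Information\FsTx` artifacts described above on every mounted volume and on the EFI system partition (ESP), and reports each volume's BitLocker state next to the finding. The ESP drive letter `Z:` is an assumption (use any free letter); the script must run elevated, and on NTFS fixed disks the `System Volume Information` folder is SYSTEM-only, so run it as SYSTEM (for example via `psexec -s`) to avoid "access denied" rows.

```powershell
# Added example (not from the disclosure or the researcher's PoC): hunt for
# "\System Volume Information\FsTx" on every mounted volume plus the ESP and
# report BitLocker state per volume. Run elevated; run as SYSTEM for NTFS
# fixed disks. Z: as the ESP mount letter is an assumption.

$espLetter  = 'Z:'
$mountedEsp = $false
if (-not [System.IO.Directory]::Exists("$espLetter\")) {
    & mountvol.exe $espLetter /S 2>$null        # mountvol /S maps the ESP to a letter
    $mountedEsp = ($LASTEXITCODE -eq 0)
}

function Get-FsTxState {
    param([string]$Root)
    $svi = Join-Path $Root 'System Volume Information'
    if (-not (Test-Path -LiteralPath $svi)) { return 'no SVI directory' }
    try {
        # Listing the parent (rather than Test-Path on the child) lets us tell
        # "absent" apart from "access denied", which Test-Path silently merges.
        $names = (Get-ChildItem -LiteralPath $svi -Force -ErrorAction Stop).Name
        if ($names -contains 'FsTx') { 'FsTx PRESENT - inspect' } else { 'clean' }
    } catch [System.UnauthorizedAccessException] {
        'access denied (run as SYSTEM)'
    } catch {
        "error: $($_.Exception.Message)"
    }
}

$report = foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    if (-not $drive.IsReady) { continue }
    $root = $drive.RootDirectory.FullName            # e.g. "E:\"
    $bl   = Get-BitLockerVolume -MountPoint $root -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Volume     = $root
        Type       = $drive.DriveType                # Removable = the carrier used in the writeup
        FileSystem = $drive.DriveFormat
        BitLocker  = if ($bl) { "$($bl.VolumeStatus)/$($bl.ProtectionStatus)" } else { 'n/a' }
        FsTx       = Get-FsTxState -Root $root
    }
}

$report | Format-Table -AutoSize

# Any "FsTx PRESENT" on a removable drive or on the ESP deserves a look: compare
# the directory contents against known-good media before trusting the device.

if ($mountedEsp) { & mountvol.exe $espLetter /D | Out-Null }
```

The script only reports; it does not delete anything, because the same directory name may appear for legitimate reasons on a fixed volume, and the interesting case is its presence on a boot medium that BitLocker is not protecting.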
### GreenPlasma: Privilege Escalation
The second vulnerability, **GreenPlasma**, is a privilege escalation that can lead to obtaining a shell with SYSTEM permissions. It stems from arbitrary section object creation in **Windows CTFMON**.
The proof-of-concept (PoC) released is incomplete. It does demonstrate, however, that an unprivileged user can cause section (shared-memory) objects with attacker-chosen names to be created inside Object Manager directory objects that are writable by SYSTEM and that the user could not otherwise write to. A privileged service or driver that opens such a section by name, trusting that only SYSTEM could have created it, could then be fed attacker-controlled data.
### Background: Previous Disclosures and Microsoft's Response
These disclosures follow the researcher's previous publication of three **Microsoft Defender** zero-days (**BlueHammer**, **RedSun**, and **UnDefend**), reportedly due to dissatisfaction with **Microsoft's** vulnerability handling. **BlueHammer** was assigned **CVE-2026-33825** and patched, but the researcher claims **RedSun** was addressed "silently" without an advisory.
The researcher has warned of a "big surprise" for **Microsoft** coinciding with the next Patch Tuesday in June 2026.
A **Microsoft** spokesperson previously stated that the company is committed to investigating reported security issues and supports coordinated vulnerability disclosure.
### BitLocker Downgrade Attack
In related news, **Intrinsec**, a French cybersecurity company, detailed a **BitLocker** attack chain leveraging boot manager downgrade by exploiting **CVE-2025-48804** to bypass encryption on fully patched **Windows 11** systems in under five minutes.
The attack involves loading an older, vulnerable boot manager (`bootmgfw.efi`) that is signed under the still-trusted PCA 2011 certificate, bypassing the **BitLocker** safeguards added to later versions. From there the attacker boots a second WIM image containing a WinRE image modified to launch `cmd.exe`.
Although **Microsoft** released fixes in July 2025, the issue persists because Secure Boot checks only that a binary carries a valid signature from a trusted certificate, not which version of the binary it is; an old, vulnerable `bootmgfw.efi` signed under PCA 2011 is therefore still accepted.
**Microsoft** plans to retire the old PCA 2011 certificates next month. Until revoked, even old, vulnerable boot managers can be loaded without triggering alerts.
To mitigate the downgrade attack: enable a **BitLocker PIN** at startup so that pre-boot authentication is required, migrate the boot manager to one signed under the **Windows UEFI CA 2023** certificate, and revoke the old **PCA 2011** certificate in the firmware once that migration is complete.
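The following PowerShell script is an added example, not code from **Intrinsec**'s write-up or from **Microsoft**. It audits the three conditions the downgrade attack depends on: which certificate chain signed the installed `bootmgfw.efi`, whether the firmware `db` already trusts the **Windows UEFI CA 2023** and the `dbx` revokes **PCA 2011**, and whether the OS volume has a TPM+PIN protector. The ESP mount letter `Z:` and the `UEFICA2023Status` registry value name (Microsoft's Secure Boot servicing status) are assumptions; the script must run elevated on a UEFI system with Secure Boot enabled for the `Get-SecureBootUEFI` calls to succeed.

```powershell
# Added example (not from Intrinsec or Microsoft): audit boot-manager signer,
# firmware db/dbx contents and BitLocker pre-boot authentication. Run elevated.
# Z: as the ESP letter and the UEFICA2023Status value name are assumptions.

$espLetter = 'Z:'
$mounted   = $false
if (-not [System.IO.Directory]::Exists("$espLetter\")) {
    & mountvol.exe $espLetter /S 2>$null
    $mounted = ($LASTEXITCODE -eq 0)
}

# 1. Which CA issued the certificate that signed the installed boot manager?
$bootmgr = Join-Path $espLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
$sig     = Get-AuthenticodeSignature -FilePath $bootmgr
$issuer  = $sig.SignerCertificate.Issuer
$bootmgrOn2023 = $issuer -match 'Windows UEFI CA 2023'
$bootmgrOn2011 = $issuer -match 'Windows Production PCA 2011'

# 2. Firmware trust anchors: does db hold the 2023 CA, does dbx revoke PCA 2011?
$ca2023InDb = $false; $pca2011InDbx = $false; $sbNote = ''
try {
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $ca2023InDb   = $db  -match 'Windows UEFI CA 2023'
    $pca2011InDbx = $dbx -match 'Windows Production PCA 2011'
} catch {
    $sbNote = "Secure Boot variables unreadable: $($_.Exception.Message)"
}
# Servicing status written by Windows during the CA rollout (value name assumed).
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                        -ErrorAction SilentlyContinue
$servicingStatus = if ($svc) { $svc.UEFICA2023Status } else { 'unknown' }

# 3. BitLocker: is pre-boot authentication (TPM+PIN) required on the OS volume?
$os     = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types  = @($os.KeyProtector.KeyProtectorType)
$hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

[pscustomobject]@{
    BootManagerIssuer   = $issuer
    BootManagerOn2023CA = $bootmgrOn2023
    BootManagerOn2011CA = $bootmgrOn2011
    CA2023InDb          = $ca2023InDb
    PCA2011InDbx        = $pca2011InDbx
    ServicingStatus     = $servicingStatus
    OSVolumeProtection  = $os.ProtectionStatus
    TpmPinProtector     = $hasPin
    Note                = $sbNote
} | Format-List

# Plain-language verdict for the downgrade scenario described above.
if (-not $pca2011InDbx) {
    Write-Warning 'PCA 2011 is not revoked: a vulnerable PCA 2011-signed bootmgfw.efi would still boot.'
}
if (-not $hasPin) {
    Write-Warning 'No TPM+PIN protector on the OS volume: nothing stops an unattended pre-boot unlock.'
}
if ($bootmgrOn2011 -and -not $ca2023InDb) {
    Write-Warning 'Boot manager still on PCA 2011 and db lacks the 2023 CA: migrate before revoking.'
}

if ($mounted) { & mountvol.exe $espLetter /D | Out-Null }
```

The order of the checks matters in practice: revoking **PCA 2011** in `dbx` before the installed boot manager and the firmware `db` have moved to the 2023 CA leaves the machine unbootable, which is why the script reports all three states together rather than recommending revocation in isolation.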