# Researcher Leaks Windows Zero-Days: BitLocker Bypass and Privilege Escalation Exploits Released
A cybersecurity researcher known as Chaotic Eclipse has released proof-of-concept (PoC) exploits for two unpatched **Microsoft Windows** vulnerabilities: YellowKey, a **BitLocker** bypass, and GreenPlasma, a privilege-escalation flaw. The researcher, citing dissatisfaction with Microsoft's handling of bug reports, has made the exploits public, raising concerns about potential widespread exploitation.

### Unpatched Windows Flaws Exposed
**Chaotic Eclipse**, also known as Nightmare Eclipse, has disclosed details and PoCs for two new zero-day vulnerabilities affecting **Windows**: YellowKey and GreenPlasma. This follows the researcher's previous disclosures of BlueHammer (**CVE-2026-33825**) and RedSun, both local privilege escalation (LPE) flaws that were reportedly exploited in the wild shortly after being publicized.
The researcher has stated that the decision to release the YellowKey and GreenPlasma vulnerabilities stems from frustration with **Microsoft's** response to reported bugs. They have also indicated plans to continue releasing exploits for undocumented **Windows** vulnerabilities, teasing a "big surprise" for the next Patch Tuesday.
### YellowKey: BitLocker Bypass Details
YellowKey, a **BitLocker** bypass, impacts **Windows 11** and **Windows Server 2022/2025**. The exploit involves placing specially crafted 'FsTx' files on a USB drive or EFI partition, rebooting into **WinRE** (Windows Recovery Environment), and triggering a shell by holding down the CTRL key.
According to Chaotic Eclipse, this grants unrestricted access to the storage volume protected by **BitLocker**. Independent security researcher **Kevin Beaumont** has validated the YellowKey exploit and recommends configuring a **BitLocker** pre-boot PIN and a BIOS password as mitigations.
Chaotic Eclipse has also stated that the core vulnerability is exploitable even in TPM (Trusted Platform Module) and PIN environments, although a PoC for this scenario has not been released.
**Will Dormann**, principal vulnerability analyst at Tharros Labs, confirmed the exploit's functionality using FsTx files on a USB drive. He explained that YellowKey leverages NTFS transactions in combination with the **Windows Recovery** image, ultimately leading to a command prompt with the disk unlocked.
Dormann clarified the exploit process, explaining that when booting into Windows Recovery, "Windows looks for \System Volume Information\FsTx directories on attached drives, and will replay any NTFS logs."
> "The result of this is that the X:\Windows\System32\winpeshl.ini is deleted, and when Windows Recovery is entered, rather than launching the actual Windows Recovery environment, it pops up a CMD.EXE. With the disk still unlocked" - Will Dormann
In the default TPM-only configuration, **BitLocker** unlocks the encrypted drive automatically at boot without any user input. YellowKey abuses this auto-unlock: because the volume is already unlocked when the recovery environment starts, the command prompt it spawns can read the disk without any credentials.
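The mitigation Beaumont recommends only helps on volumes that currently rely on the TPM alone, so the first step for a defender is to find those volumes. The following PowerShell audit is an added example (not code from the article, the researcher or Microsoft) that uses the standard `Get-BitLockerVolume` cmdlet to flag protected OS volumes whose only TPM-based protector is `Tpm`, i.e. no PIN or startup key is required at boot. It assumes an elevated session on Windows 11 or Windows Server 2022/2025 with the BitLocker module available; the function name and the report fields are this example's own.

```powershell
# Added example: audit BitLocker volumes for the TPM-only auto-unlock configuration
# that YellowKey relies on. Run in an elevated PowerShell session.
function Get-TpmOnlyBitLockerVolume {
    [CmdletBinding()]
    param()

    # Protector types that demand user input before the OS boots; any of these
    # means the TPM alone cannot release the volume key.
    $preBootAuthTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm         = $types -contains 'Tpm'
        $hasPreBootAuth = @($types | Where-Object { $preBootAuthTypes -contains $_ }).Count -gt 0

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            Protectors        = ($types -join ',')
            # TPM protector present, nothing asked at boot, protection on:
            # the drive unlocks itself before any user authenticates.
            TpmOnlyAutoUnlock = ($hasTpm -and -not $hasPreBootAuth -and $vol.ProtectionStatus -eq 'On')
        }
    }
}

$report = Get-TpmOnlyBitLockerVolume
$report | Format-Table -AutoSize

# Only OS volumes matter for the WinRE path described in the article.
$exposed = @($report | Where-Object { $_.TpmOnlyAutoUnlock -and $_.VolumeType -eq 'OperatingSystem' })
if ($exposed.Count -gt 0) {
    Write-Warning ("OS volume(s) {0} use a TPM-only protector; add a pre-boot PIN, for example:" -f ($exposed.MountPoint -join ', '))
    Write-Warning '  Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString "PIN")'
}
```

The remediation line printed at the end uses the real `Add-BitLockerKeyProtector -TpmAndPinProtector` switch; on domain-joined machines the "Require additional authentication at startup" policy must permit a startup PIN before that call succeeds. A BIOS/UEFI password, the other mitigation Beaumont names, is set in firmware and cannot be verified from this script.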
### GreenPlasma: Privilege Escalation Exploit
GreenPlasma is a privilege escalation vulnerability that can be exploited to obtain a shell with SYSTEM permissions. Chaotic Eclipse describes it as a "Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability."
An unprivileged user can create arbitrary memory-section objects within directory objects writable by SYSTEM, potentially allowing manipulation of privileged services or drivers that trust those locations.

*GreenPlasma demo. Source: GitHub*
The leaked PoC is currently incomplete, lacking the component needed for a full SYSTEM shell. However, Chaotic Eclipse suggests that skilled individuals can leverage it for complete privilege escalation, manipulating data and various services, including kernel-mode drivers.
The researcher has also criticized **Microsoft** for silently patching the RedSun vulnerability without assigning an identifier, similar to the case with BlueHammer.
**Microsoft** has stated that they are committed to investigating reported security issues and updating impacted devices to protect customers. They also emphasized their support for coordinated vulnerability disclosure.