INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Windows Zero-Days Expose BitLocker Bypasses
2026-05-14 09:25 | CRITICAL | HIGH
Executive Summary (AI-generated)
The recent incident data concerns the exploitation of two Windows vulnerabilities: a BitLocker bypass and a privilege escalation. The researcher behind this discovery, who previously disclosed multiple Microsoft Defender vulnerabilities, has returned with two more zero-days using these same tactics. This case highlights the importance of patching systems now that Chaotic Eclipse has published proof-of-concept code.
Technical Mitigations (AI-generated)
* Use of Transactional NTFS: Implementing transactional NTFS can help prevent the deletion of sensitive files, such as winpeshl.ini, which is used by BitLocker to store encrypted data.
* Implement a secure boot process: Ensuring that the system boots with a trusted and validated operating system can help prevent exploitation of vulnerabilities like YellowKey and GreenPlasma.
* Use a secure file system: Using a secure file system, such as Veritas Volume Shadowing or Microsoft's BitLocker-encrypted volume, can provide an additional layer of protection against unauthorized access to protected drives.
* Implement a TPM+PIN requirement: Requiring users to use both the Trusted Platform Module (TPM) and a PIN code for encryption can help prevent exploitation of vulnerabilities like YellowKey and GreenPlasma that rely on these security features.
* Regularly update and patch systems: Keeping software up-to-date with the latest security patches can help reduce the risk of exploitation by mitigating known vulnerabilities, such as those found in Windows 11 and Server 2022/2025.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-33825
CVE-2025-48804
Target & Sectors
Global Scope
Incident Timeline
CA 2023
Threat actors exploited a Windows Zero-Day vulnerability to bypass BitLocker and target systems using the CTFMON privilege escalation tool.
July 2025
Threat actors exploited a vulnerability in the Windows boot loader to bypass BitLocker safeguards by using an outdated version of "bootmgfw.efi" signed with a trusted PCA 2011 certificate.
2026/04/14
Threat actors used Microsoft's patch for CVE-2026-33825 to bypass Windows Zero-Days.
While BlueHammer was officially assigned the identifier CVE-2026-33825 and patched by Microsoft last month, Chaotic Eclipse said the tech giant appears to have "silently" addressed RedSun without issuing any advisory.
May 12
Threat actors exploited Windows zero-days to bypass BitLocker and used CTFMON privilege escalation techniques.
2026/05/13
Threat actors exploited a Windows Zero-Day vulnerability to bypass BitLocker encryption and escalate privileges in a targeted environment.
In an update today, Chaotic Eclipse said that "the real root cause is still not unknown [sic] by the general public" and that the vulnerability is exploitable even in a TPM (Trusted Platform Module) and PIN environment.
2022/2025
Threat actors used YellowKey to exploit a Windows Zero-Day vulnerability and bypass the BitLocker encryption system.
YellowKey affects Windows 11 and Windows Server 2022/2025.
The YellowKey BitLocker bypass
The researcher says that YellowKey is a BitLocker bypass that affects Windows 11 and Windows Server 2022/2025.
2026/05/14
The security researcher disclosed two Microsoft Windows vulnerabilities, YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw.
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation.
An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting Windows Collaborative Translation Framework (CTFMON).
The researcher described YellowKey as "one of the most insane discoveries I ever found," likening the BitLocker bypass to functioning as a backdoor, as the bug is present only in the Windows Recovery Environment (WinRE), a built-in framework designed to troubleshoot and repair common unbootable operating system issues.
At a high level, it involves copying specially crafted "FsTx" files on a USB drive or the EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into WinRE, and triggering a shell by holding down the CTRL key.
And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment.
It arises as a result of what has been described as Windows CTFMON arbitrary section creation.
Windows BitLocker zero-day gives access to protected drives, PoC released.
A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw.
Known as Chaotic Eclipse or Nightmare Eclipse, the researcher describes the BitLocker bypass issue as functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows.
Chaotic Eclipse, or Nightmare-Eclipse on GitHub, said that they will keep leaking exploits for undocumented Windows vulnerabilities, even promising “a big surprise” for the next Patch Tuesday.
He explained to BleepingComputer that "YellowKey exploits NTFS transactions in combination with the Windows Recovery image. This PIN prompt happens before Windows Recovery is entered."
Dormann clarified the exploit process, saying that to boot Windows Recovery, "Windows looks for \System Volume Information\FsTx directories on attached drives, and will replay any NTFS logs."
"The result of this is that the X:\Windows\System32\winpeshl.ini is deleted, and when Windows Recovery is entered, rather than launching the actual Windows Recovery environment, it pops up a CMD.EXE."
Chaotic Eclipse describes it as a "Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability."
An unprivileged user can create arbitrary memory-section objects within directory objects writable by SYSTEM, potentially allowing manipulation of privileged services or drivers that trust those locations.
The latest exploits follow the researcher's previous disclosure of the BlueHammer (CVE-2026-33825) and RedSun (no identifier) local privilege escalation (LPE) as zero-day flaws, both of which began to be exploited in the wild shortly after being publicly disclosed.
The development comes nearly a month after the researcher published three Defender zero-days dubbed BlueHammer, RedSun, and UnDefend after allegedly expressing dissatisfaction with Microsoft's handling of the vulnerability disclosure process.
The released proof-of-concept (PoC) is incomplete and lacks the necessary code to obtain a full SYSTEM shell.
The security defects have been codenamed YellowKey and GreenPlasma, respectively, by the researcher, who goes by the online aliases Chaotic Eclipse and Nightmare-Eclipse.
Security researcher Will Dormann, in a post shared on Mastodon, said, "I was able to reproduce [YellowKey] with a USB drive attached," adding, "it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:)."
"I think it will take a while even for MSRC to find the real root cause of the issue.
Additionally, they said that "Microsoft silently patched the RedSun vulnerability" and criticized the company for the hushed activity and not assigning an identifier for the vulnerability, as was the case with BlueHammer.
As in previous cases, the researcher stated that the decision to publicly disclose the YellowKey and GreenPlasma vulnerabilities, along with guidance on how to leverage them, was driven by dissatisfaction with Microsoft’s handling of bug reports.
According to Chaotic/Nightmare Eclipse, the spawned shell gains unrestricted access to the storage volume protected by BitLocker.
He recommended using a BitLocker PIN and a BIOS password as a mitigation.
Will Dormann, principal vulnerability analyst at Tharros Labs, also confirmed that the YellowKey exploit worked with the FsTx files on a USB drive but could not reproduce the bug using the EFI partition.
"YellowKey is an example of an exploit for such a weakness," Dormann said, explaining that because it leverages the auto unlock feature on boot, the current YellowKey exploit does not work in a TPM+PIN environment.
It is worth noting that testing YellowKey with a BitLocker-protected drive must be performed on the original device, where the TPM stores the encryption keys.
As such, Chaotic Eclipse's current YellowKey exploit does not work with stolen drives but allows access to disks that are protected with TPM-only BitLocker without needing credentials.
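The distinction the reports above draw between TPM-only auto-unlock and TPM+PIN is something a defender can audit fleet-wide. The following PowerShell script is an added example, not code from the page, the researcher or Microsoft; it assumes the BitLocker PowerShell module (Get-BitLockerVolume) is present and that it runs in an elevated session.

```powershell
# Added audit script (not from the page or the researcher). It lists every
# BitLocker volume and flags volumes whose TPM protector is TPM-only, i.e. the
# unlock-at-boot configuration that the current YellowKey PoC is reported to
# work against. TPM+PIN volumes and volumes with protection off are labelled
# separately so they can be triaged.
# Assumes the BitLocker PowerShell module and an elevated session.

function Get-BitLockerTpmPosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey and Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpmOnly = $types -contains 'Tpm'
        $hasTpmPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        $posture = if ($vol.ProtectionStatus -ne 'On') {
            'ProtectionOff'
        } elseif ($hasTpmOnly -and -not $hasTpmPin) {
            'TpmOnly'          # unlocks at boot with no user input
        } elseif ($hasTpmPin) {
            'TpmPin'           # pre-boot PIN required, per the page the PoC does not apply
        } else {
            'Other'            # e.g. password or external-key protectors only
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Posture          = $posture
        }
    }
}

$report = Get-BitLockerTpmPosture
$report | Format-Table -AutoSize

# The researcher's own advice on this page is a BitLocker PIN plus a BIOS
# password. To move an OS volume from TPM-only to TPM+PIN (the policy
# "Require additional authentication at startup" must allow a PIN):
#   manage-bde -protectors -add C: -TPMAndPIN
#   manage-bde -protectors -delete C: -type TPM
# "reagentc /info" shows whether WinRE, the component the reports say carries
# the bug, is enabled on this host.
$tpmOnlyOs = $report | Where-Object { $_.Posture -eq 'TpmOnly' -and $_.VolumeType -eq 'OperatingSystem' }
if ($tpmOnlyOs) {
    Write-Warning ("OS volume(s) relying on TPM-only auto-unlock: " + ($tpmOnlyOs.MountPoint -join ', '))
}
```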
June 2026
Chaotic Eclipse exploited a CVE-2025-48804 vulnerability in Windows 11 to downgrade the boot manager and bypass BitLocker encryption.
BitLocker Downgrade Attack Uncovered
The development comes as French cybersecurity company Intrinsec detailed an attack chain against BitLocker that leverages a boot manager downgrade by exploiting CVE-2025-48804 (CVSS score: 6.8) to bypass the encryption protection on fully patched Windows 11 systems in under five minutes.
When reached for comment, a Microsoft spokesperson had previously told The Hacker News that it "has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," and that it supports coordinated vulnerability disclosure, which the company said "helps ensure issues are carefully investigated and addressed before public disclosure."
"The principle is as follows: the boot manager loads the System Deployment Image (SDI) file and the WIM referenced by it, and verifies the integrity of the legitimate WIM," Intrinsec said.
Intelligence Sources
* BleepingComputer (2026-05-13)
* The Hacker News (2026-05-14)
Last Updated: 2026-05-15T06:02