Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
Anonymous researcher discloses two Windows zero-days: BitLocker bypass (YellowKey) and CTFMON privilege escalation
Summary
A researcher known as Chaotic Eclipse has disclosed two new Windows zero-day vulnerabilities affecting Windows 11 and Windows Server 2022/2025. YellowKey is a BitLocker bypass in the Windows Recovery Environment (WinRE) that allows an attacker with USB access to unlock encrypted drives by manipulating Transactional NTFS files. GreenPlasma is a privilege escalation via Windows CTFMON arbitrary section creation that enables unprivileged users to obtain SYSTEM-level permissions.
Full text
Ravie Lakshmanan, May 14, 2026. Zero-Day / Vulnerability

An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting the Windows Collaborative Translation Framework (CTFMON).

The security defects have been codenamed YellowKey and GreenPlasma, respectively, by the researcher, who goes by the online aliases Chaotic Eclipse and Nightmare-Eclipse.

The researcher described YellowKey as "one of the most insane discoveries I ever found," likening the BitLocker bypass to a backdoor, as the bug is present only in the Windows Recovery Environment (WinRE), a built-in framework designed to troubleshoot and repair common unbootable operating system issues.

YellowKey affects Windows 11 and Windows Server 2022/2025. At a high level, it involves copying specially crafted "FsTx" files to a USB drive or the EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into WinRE, and triggering a shell by holding down the CTRL key.

"I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden," the researcher explained. "Second thing is, no, TPM+PIN does not help, the issue is still exploitable regardless."

Security researcher Will Dormann, in a post shared on Mastodon, said, "I was able to reproduce [YellowKey] with a USB drive attached," adding, "it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment."
"While the TPM-only BitLocker bypass is indeed interesting, I think the buried lede here is that a \System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed," Dormann pointed out. "To me, this in and of itself sounds like a vulnerability."

The second vulnerability flagged by Chaotic Eclipse is a privilege escalation that could be exploited to obtain a shell with SYSTEM permissions. It arises from what has been described as Windows CTFMON arbitrary section creation.

The released proof-of-concept (PoC) is incomplete and lacks the necessary code to obtain a full SYSTEM shell. In its current form, the exploit can allow an unprivileged user to create arbitrary memory section objects within directory objects writable only by SYSTEM, potentially enabling manipulation of privileged services or drivers that implicitly trust those paths, since a standard user does not normally have write access to those locations.

The development comes nearly a month after the researcher published three Defender zero-days dubbed BlueHammer, RedSun, and UnDefend after allegedly expressing dissatisfaction with Microsoft's handling of the vulnerability disclosure process. The shortcomings have since come under active exploitation in the wild.

While BlueHammer was officially assigned the identifier CVE-2026-33825 and patched by Microsoft last month, Chaotic Eclipse said the tech giant appears to have "silently" addressed RedSun without issuing any advisory.

"I hope you at least attempt to resolve the situation responsibly, I'm not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer," the researcher said. "The fire will go as long as you want, unless you extinguish it or until there is nothing left to burn."

Chaotic Eclipse also promised a "big surprise" for Microsoft, coinciding with the next Patch Tuesday release in June 2026.
When reached for comment, a Microsoft spokesperson had previously told The Hacker News that it "has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," and that it supports coordinated vulnerability disclosure, which the company said "helps ensure issues are carefully investigated and addressed before public disclosure."

BitLocker Downgrade Attack Uncovered

The development comes as French cybersecurity company Intrinsec detailed an attack chain against BitLocker that leverages a boot manager downgrade by exploiting CVE-2025-48804 (CVSS score: 6.8) to bypass the encryption protection on fully patched Windows 11 systems in under five minutes.

"The principle is as follows: the boot manager loads the System Deployment Image (SDI) file and the WIM referenced by it, and verifies the integrity of the legitimate WIM," Intrinsec said. "However, when a second WIM is added to the SDI with a modified blob table, the boot manager checks the first (legitimate) WIM while simultaneously booting from the second (controlled by the attacker). This second WIM contains a WinRE image infected with 'cmd.exe,' which executes with the decrypted BitLocker volume."

While fixes released by Microsoft in July 2025 plugged this security defect, security researcher Cassius Garat said the problem lies in the fact that Secure Boot only verifies a binary's signing certificate, not its version. As a result, a vulnerable version of "bootmgfw.efi" that does not contain the patch and is signed with the trusted PCA 2011 certificate can be used to get around BitLocker safeguards. It's worth noting that Microsoft plans to retire the old PCA 2011 certificates next month.

"And as long as it is not revoked, even an old, vulnerable boot manager can be loaded without triggering an alert," Intrinsec noted. To pull off the attack, a bad actor needs to have physical access to the target machine.
To counter the risk, it's essential to enable a BitLocker PIN at startup for preboot authentication, migrate the boot manager to the CA 2023 certificate, and revoke the old PCA 2011 certificate.
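The mitigation advice above (preboot PIN, 2023 CA migration, PCA 2011 revocation) can be audited from an elevated PowerShell session. The script below is an added example written for this page; it is not code from the article, the researcher, Intrinsec, or Microsoft. It uses the built-in BitLocker and SecureBoot cmdlets (Get-BitLockerVolume, Confirm-SecureBootUEFI, Get-SecureBootUEFI) plus mountvol and Get-AuthenticodeSignature to inspect the boot manager on the EFI system partition; the check names, the function name Get-BitLockerBootAudit and the OK/REVIEW verdicts are my own. Note that, per the researcher's statement quoted above, a TPM+PIN protector does not stop YellowKey; the PIN check here addresses the Intrinsec downgrade chain, where physical access to an unauthenticated boot path is what the attacker relies on.

```powershell
# Added example (not from the article or its sources): audit the BitLocker and
# Secure Boot state that the article's mitigation advice refers to.
# Run as Administrator on the Windows 11 / Windows Server host being checked.

function Get-BitLockerBootAudit {
    $results = @()

    # 1. Is the OS volume protected, and does it carry a preboot PIN protector?
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $results += [pscustomobject]@{
        Check  = 'BitLocker protection on OS volume'
        Detail = "ProtectionStatus=$($vol.ProtectionStatus)"
        Result = if ($vol.ProtectionStatus -eq 'On') { 'OK' } else { 'REVIEW' }
    }
    $results += [pscustomobject]@{
        Check  = 'Preboot authentication (TPM+PIN protector)'
        Detail = 'Protectors: ' + ($types -join ', ')
        Result = if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') { 'OK' } else { 'REVIEW' }
    }

    # 2. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS systems.
    $sbEnabled = try { [bool](Confirm-SecureBootUEFI) } catch { $false }
    $results += [pscustomobject]@{
        Check  = 'Secure Boot enabled'
        Detail = "Enabled=$sbEnabled"
        Result = if ($sbEnabled) { 'OK' } else { 'REVIEW' }
    }

    if ($sbEnabled) {
        # 3. Is the 'Windows UEFI CA 2023' certificate in the allowed signature db?
        #    Certificate subjects are stored as ASCII inside the variable bytes, so a
        #    substring match gives a yes/no answer without parsing the EFI_SIGNATURE_LIST.
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $results += [pscustomobject]@{
            Check  = 'Windows UEFI CA 2023 present in db'
            Detail = "Found=$($db -match 'Windows UEFI CA 2023')"
            Result = if ($db -match 'Windows UEFI CA 2023') { 'OK' } else { 'REVIEW' }
        }

        # 4. Has the old 'Microsoft Windows Production PCA 2011' been placed in dbx
        #    (revoked)? Until it is, an old PCA 2011-signed boot manager still loads.
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
        $results += [pscustomobject]@{
            Check  = 'PCA 2011 revoked in dbx'
            Detail = "Found=$($dbx -match 'Microsoft Windows Production PCA 2011')"
            Result = if ($dbx -match 'Microsoft Windows Production PCA 2011') { 'OK' } else { 'REVIEW' }
        }

        # 5. Which CA issued the signing certificate of the boot manager actually
        #    installed on the EFI system partition? mountvol /s mounts the ESP on a
        #    free drive letter; it is unmounted again in the finally block.
        $used   = (Get-PSDrive -PSProvider FileSystem).Name
        $letter = ([char[]](90..65) | ForEach-Object { [string]$_ } |
                   Where-Object { $used -notcontains $_ })[0]
        $esp    = "${letter}:"
        mountvol $esp /s | Out-Null
        try {
            $sig    = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
            $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '(unsigned or unreadable)' }
        } finally {
            mountvol $esp /d | Out-Null
        }
        $results += [pscustomobject]@{
            Check  = 'bootmgfw.efi signing CA'
            Detail = $issuer
            Result = if ($issuer -match 'Windows UEFI CA 2023') { 'OK' } else { 'REVIEW' }
        }
    }

    return $results
}

# Usage: print the audit as a table; any REVIEW row is a gap against the advice above.
Get-BitLockerBootAudit | Format-Table -AutoSize -Wrap
```

A host whose db lacks the 2023 CA, whose dbx does not yet list PCA 2011, or whose bootmgfw.efi is still issued under PCA 2011 is exactly the configuration the Intrinsec chain targets, since Secure Boot will accept any older PCA 2011-signed boot manager regardless of its version. Treat the db/dbx substring checks as a quick triage rather than a full certificate parse, and roll out the CA 2023 migration through Microsoft's documented servicing process rather than by editing the variables by hand.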
Indicators of Compromise
- cve — CVE-2026-33825