BitLocker zero-day exposes Windows drives as PoC goes public

Brownie2019

Public exploit code raises fresh concerns over Windows disk encryption and local privilege escalation.

YellowKey targets Windows recovery
A researcher has released proof-of-concept (PoC) exploit code for two unpatched Windows flaws, including a BitLocker bypass that can expose encrypted drives on affected systems.

The BitLocker issue, named YellowKey, was published by a researcher using the monikers Chaotic Eclipse and Nightmare Eclipse. It affects Windows 11 and Windows Server 2022/2025 and relies on Windows Recovery Environment, the mode used to troubleshoot boot problems.

Public reports say the PoC uses crafted FsTx files on removable media, then abuses recovery boot behavior to open a command shell while the protected disk remains accessible. Researchers who have tested the technique confirm it works on recent Windows 11 builds, although not every variant has been reproduced.

Why TPM-only BitLocker is exposed
The risk is most immediate for devices using TPM-only BitLocker, a common setup that automatically unlocks the operating system drive during startup. That convenience makes recovery-time abuse dangerous: the device can decrypt itself before a user proves identity.

Microsoft’s BitLocker guidance says startup PINs and other protectors can add pre-boot authentication for higher-risk devices. However, the researcher claims a separate TPM+PIN path exists that has not been fully disclosed, leaving defenders with an incomplete technical picture.

GreenPlasma raises privilege concerns
The second issue, GreenPlasma, is described as a Windows CTFMON privilege-escalation flaw. Its PoC is not complete, but reportedly shows how an unprivileged user could create arbitrary memory-section objects in locations trusted by privileged components.

This complicates matters because local privilege escalation often turns an initial foothold into machine compromise. Even an unfinished PoC can give attackers enough information to build a working exploit chain, particularly when paired with other access vectors.

Microsoft urges coordinated disclosure
Microsoft said it investigates reported security issues and supports coordinated vulnerability disclosure, which gives vendors time to validate and fix bugs before public release. No patch or CVE for YellowKey or GreenPlasma was available as of the time of publication.

Administrators should review BitLocker policy, prioritize physical security, restrict recovery access, monitor suspicious WinRE use and consider stronger pre-boot protection on laptops and systems holding sensitive data.
 
Short answer: the main concern here is offline or local abuse during Windows Recovery, not a normal remote BitLocker break.

What YellowKey appears to mean in practice

If the public descriptions are accurate, this is not “BitLocker is broken everywhere.” It is closer to this:

  • A device uses BitLocker with TPM-only protection
  • The system can be pushed into or booted into Windows Recovery Environment
  • A crafted removable device is used during that process
  • The attacker gets a recovery-time command shell while the OS volume is already accessible

That matters because TPM-only BitLocker is designed for convenience. If the machine decides the boot state is acceptable, the TPM can release the key material automatically without a user entering anything.

So the security issue is really about pre-boot trust and recovery behavior. If recovery can be abused after the drive has effectively unlocked, then disk encryption no longer provides the protection many people expect against hands-on access.

Why TPM-only is the weaker configuration here

TPM-only BitLocker protects well against some threats, but it is not the strongest setup for devices that can be stolen, seized, or briefly accessed by another person.

In general:

  • TPM-only: convenient, but the machine can unlock itself
  • TPM + PIN: stronger, because a second factor is required before boot completes
  • TPM + USB key / other protectors: can also raise the bar, depending on deployment

That is why Microsoft has long recommended extra pre-boot authentication for higher-risk devices.

Important limitation

I cannot verify from the quoted text alone whether every reported YellowKey variant works broadly across all listed Windows builds, or whether the claimed TPM+PIN angle is real and practical. That needs either Microsoft confirmation, vendor advisories, or broader independent testing.

So it is safer to say:

  • There is credible concern if recent independent testing reproduced the WinRE/BitLocker behavior
  • The exact scope, reliability, and affected configurations are still uncertain without official documentation or a CVE/advisory

About GreenPlasma

The second issue sounds like a local privilege escalation avenue, not something that gives initial access by itself.

That means its practical risk depends on whether an attacker already has:

  • A normal user account
  • Code execution as a low-privilege user
  • Another foothold from phishing, malware, or abuse of a different bug

Those bugs are still serious because they often turn a limited compromise into full system compromise. But based on the description provided, it should not be treated as a standalone remote takeover issue.

Reasonable defensive steps

For admins and power users, the low-risk, practical mitigations are:

  • Review BitLocker protector configuration, especially on laptops and sensitive endpoints
  • Prefer TPM + PIN over TPM-only where usability allows
  • Restrict physical access to devices
  • Control or disable booting from removable media where operationally possible
  • Require UEFI/firmware passwords where appropriate
  • Review Windows Recovery policies and access paths
  • Monitor for unusual recovery activity, boot changes, or tampering events
  • Keep systems fully updated in case Microsoft ships silent hardening or future fixes

For organizations with higher exposure:

  • Prioritize mobile devices, executive laptops, admin workstations, and shared-access systems
  • Treat stolen or briefly unattended TPM-only devices as higher risk
  • Revisit whether current BitLocker policy matches the actual threat model

Bottom line

If this reporting is accurate, YellowKey is a meaningful warning that TPM-only BitLocker does not provide strong protection against every hands-on recovery/boot abuse scenario. That is not the same as saying BitLocker is generally defeated, but it is a strong case for using pre-boot authentication on systems that hold sensitive data.

GreenPlasma appears concerning as a potential privilege-escalation building block, but its impact depends on an attacker already having local code execution.
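The audit the reply above recommends (check which volumes are TPM-only and whether WinRE is enabled) can be scripted. This is an added example written for this thread, not code from the researcher, Microsoft or the quoted article; it uses the built-in BitLocker PowerShell module and the reagentc tool, and the finding text and risk labels are my own choices.

```powershell
# Added example (not from the thread): report BitLocker volumes whose only TPM-bound
# protector is the bare TPM, i.e. OS volumes that auto-unlock at boot with no pre-boot
# authentication, and report WinRE status. Run elevated on Windows 10/11 with the
# BitLocker module available.
#Requires -RunAsAdministrator

# Protector types that require something from the user before the OS volume unlocks.
$preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

function Get-BitLockerRiskReport {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; compare by name.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = @($types | Where-Object { $preBootTypes -contains $_ }).Count -gt 0
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPreBoot

        $finding = if ($vol.ProtectionStatus -ne 'On') {
            'Protection off or suspended'
        } elseif ($vol.VolumeType -eq 'OperatingSystem' -and $tpmOnly) {
            'TPM-only OS volume: unlocks without user input; consider TPM+PIN'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Type       = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ',')
            Finding    = $finding
        }
    }
}

function Get-WinREStatus {
    # reagentc /info prints a "Windows RE status: Enabled|Disabled" line; parse it.
    $line = @(reagentc /info 2>$null) | Where-Object { $_ -match 'Windows RE status' }
    if ($line -and $line -match ':\s*(\w+)') { $Matches[1] } else { 'Unknown' }
}

Get-BitLockerRiskReport | Format-Table -AutoSize
"Windows RE status: $(Get-WinREStatus)"
```

Remediation is a separate, deliberate step (for example Add-BitLockerKeyProtector with -TpmAndPinProtector on the OS volume) and is gated by the BitLocker policy that allows a startup PIN, so the script only reports.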

Sources
The BitDefender article above doesn't include the researcher's claim against Microsoft, while other publications do:
Finally, fodder for the long-claimed BitLocker backdoor theory 😲:

He further claims these vulnerabilities are intentionally placed backdoors, actively crediting internal Microsoft threat groups like MSTIC and GHOST in a highly unusual public flex.

The researcher described YellowKey as one of the most "insane" flaws they have ever encountered and has also accused Microsoft of potentially embedding a legitimate backdoor in BitLocker's data protection system.

According to the researcher, YellowKey appears unusual for a previously unknown security bug. Nightmare-Eclipse explained that the flaw can be reproduced by copying an attached "FsTx" folder to a USB drive formatted with a Windows-compatible file system such as NTFS, FAT32, or exFAT.

Nightmare-Eclipse believes that YellowKey's vulnerability could reasonably be considered a backdoor intentionally introduced into BitLocker by Microsoft. Their reasoning is that the component triggering the issue can only be found in the official WinRE image. The same component is also present in standard Windows installation images, but it does not exhibit the BitLocker-bypassing behavior observed on live systems.

The researcher explained that they "just can't come up with an explanation beside the fact that this was intentional. Also for whatever reason, only windows 11 (+Server 2022/2025) are affected, windows 10 is not."

As for YellowKey's alleged backdoor behavior, mitigation is relatively straightforward. Security professionals generally recommend avoiding reliance on any single encryption system and instead evaluating well-reviewed full-disk encryption alternatives such as VeraCrypt.

Known as Chaotic Eclipse or Nightmare Eclipse, the researcher describes the BitLocker bypass issue as functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows.

Independent security researcher Kevin Beaumont confirmed that the YellowKey exploit is valid and agreed that BitLocker has a backdoor. He recommended using a BitLocker PIN and a BIOS password as a mitigation.
 
The same researcher continues to release 0-day PoCs:

Another Windows zero day released by Nightmare Eclipse (sort of). It turns out Microsoft just straight up didn't patch an old CVE from 2020 correctly.