Overview
- An anonymous researcher known as Chaotic Eclipse released two public proofs of concept this week named YellowKey and GreenPlasma, targeting BitLocker on Windows 11 and a privilege issue tied to the CTFMON subsystem.
- YellowKey uses specially crafted FsTx files and the Windows Recovery Environment to open a command prompt with the disk already decrypted, which independent researchers replicated on default TPM‑only BitLocker setups.
- The bypass hinges on how Windows replays Transactional NTFS data during recovery, which can delete a WinRE startup file and launch cmd.exe against an unlocked volume, offering full read and write access without a recovery key.
- Current tests show the published YellowKey method requires physical access and the original device, affects Windows 11 and Windows Server 2022/2025, and is not confirmed to work on stolen detached drives or with TPM plus PIN, despite the researcher’s claim of an unpublished variant.
- GreenPlasma lets an unprivileged user create memory section objects in SYSTEM‑writable paths. The PoC stops short of a full SYSTEM shell, but experts say attackers could develop it further, prompting calls to enable BitLocker pre‑boot PINs, lock down BIOS and external boot, and prioritize Microsoft updates once available.
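The recommendation in the last point, to move TPM‑only BitLocker volumes to TPM plus PIN, is the one change an administrator can verify and apply today. The script below is an added example, not code from the researcher or the report above: it audits every BitLocker volume for a TPM‑only configuration (the setup the YellowKey PoC was reproduced against) and offers an opt‑in function that swaps the OS volume's TPM protector for a TPM+PIN protector. It assumes the BitLocker PowerShell module (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`) is present, that the session is elevated, and that the "Require additional authentication at startup" policy permits a PIN; the function names and the `$PreBootAuthTypes` list are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original report): audit BitLocker volumes for
# TPM-only protection and, optionally, move the OS volume to TPM+PIN.
# Assumes the BitLocker module is available (Windows 11 / Server 2022+).
Import-Module BitLocker -ErrorAction Stop

# Protector types that require something beyond the TPM before the volume unlocks.
$PreBootAuthTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerPreBootAudit {
    [CmdletBinding()]
    param()
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasPreBootAuth = @($types | Where-Object { $PreBootAuthTypes -contains $_ }).Count -gt 0
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPreBootAuth

        $finding = 'OK'
        if ([string]$vol.VolumeType -eq 'OperatingSystem') {
            if ([string]$vol.ProtectionStatus -ne 'On') { $finding = 'OS volume is not protected' }
            elseif ($tpmOnly) { $finding = 'OS volume is TPM-only; add a TPM+PIN protector' }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = [string]$vol.VolumeType
            ProtectionStatus = [string]$vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = $tpmOnly
            Finding          = $finding
        }
    }
}

function Set-OsVolumeTpmPin {
    # Replaces the TPM-only protector on the OS volume with TPM+PIN.
    # Assumption: the policy at HKLM:\SOFTWARE\Policies\Microsoft\FVE allows a PIN
    # (UseAdvancedStartup=1 and UseTPMPIN=1 or 2); otherwise Add-BitLockerKeyProtector
    # rejects the TPM+PIN protector. Also assumes the existing TPM protector must be
    # removed before a TPM+PIN protector can be added, so a recovery password is
    # required to exist first so the volume is never left without a protector.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][System.Security.SecureString]$Pin
    )
    $os = Get-BitLockerVolume | Where-Object { [string]$_.VolumeType -eq 'OperatingSystem' }
    if (-not $os) { throw 'No BitLocker-managed OS volume found' }

    $types = @($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($types -notcontains 'RecoveryPassword') {
        throw 'Add and back up a RecoveryPassword protector before changing the TPM protector'
    }

    foreach ($p in ($os.KeyProtector | Where-Object { [string]$_.KeyProtectorType -eq 'Tpm' })) {
        if ($PSCmdlet.ShouldProcess($os.MountPoint, "Remove TPM-only protector $($p.KeyProtectorId)")) {
            Remove-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($os.MountPoint, 'Add TPM+PIN protector')) {
        Add-BitLockerKeyProtector -MountPoint $os.MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }

    # Re-run the audit so the caller sees the resulting protector set.
    Get-BitLockerPreBootAudit | Where-Object VolumeType -eq 'OperatingSystem'
}

# Report only:
Get-BitLockerPreBootAudit | Format-Table -AutoSize

# Remediate (dry run first; the PIN is read as a SecureString and never echoed):
# Set-OsVolumeTpmPin -Pin (Read-Host -AsSecureString 'New pre-boot PIN') -WhatIf
```

Run the audit across a fleet through your existing remote-management channel and treat any OS volume with `TpmOnly = True` as the finding to fix; the remediation function is deliberately gated on `-WhatIf`/`ShouldProcess` and on an existing recovery password so a failed step cannot leave a drive with no way to unlock it. The PIN requirement addresses the published YellowKey path only; BIOS and external-boot lockdown, which the report also calls for, is firmware configuration outside what this script can set.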