Overview
- An anonymous researcher known as Chaotic Eclipse released two Windows zero-day proofs of concept Wednesday, dropping YellowKey for a BitLocker bypass and GreenPlasma for a CTFMON-linked privilege escalation hours after Patch Tuesday.
- YellowKey abuses Transactional NTFS artifacts that WinRE replays, deleting winpeshl.ini and launching a command prompt with the disk still unlocked, a behavior independently reproduced by Kevin Beaumont and Will Dormann.
- The bypass targets Windows 11 and Windows Server 2022/2025, requires physical access to the original device whose TPM holds the keys, and does not work when a protected drive is moved to another machine, raising the risk of data exposure on lost or stolen laptops.
- GreenPlasma’s code is incomplete but shows how an unprivileged user could create arbitrary memory sections in directories writable by SYSTEM, a path researchers say could be weaponized to reach full SYSTEM privileges.
- Practitioners recommend a BitLocker pre-boot PIN, BIOS or UEFI boot locks, and restricting USB or WinRE access, while Microsoft says it is investigating and supports coordinated disclosure, and experts note conflicting claims about whether TPM+PIN blocks the current YellowKey technique.
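The following audit script is an added example, not code from the article or from the researchers it describes; it reports whether the mitigations listed above (a TPM+PIN pre-boot protector and WinRE availability) are in place on the local machine, using the built-in BitLocker module and the `reagentc` tool. It assumes a Windows 10/11 or Server host and an elevated PowerShell session.

```powershell
# Added example: audit local BitLocker protectors and WinRE status.
# Requires an elevated session; the BitLocker module ships with Windows.

function Get-BitLockerProtectorSummary {
    Get-BitLockerVolume | ForEach-Object {
        # KeyProtectorType is an enum; compare as strings for clarity.
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            Volume          = $_.MountPoint
            Protection      = $_.ProtectionStatus
            HasTpmPin       = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
            HasRecoveryPass = ($types -contains 'RecoveryPassword')
            KeyProtectors   = ($types -join ', ')
        }
    }
}

function Get-WinREStatus {
    # reagentc has no cmdlet equivalent, so parse its text output.
    $info = (reagentc /info 2>&1) | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

$volumes = Get-BitLockerProtectorSummary
$volumes | Format-Table -AutoSize

# The OS volume is the one WinRE would unlock at boot; flag it if no pre-boot PIN is enforced.
$os = $volumes | Where-Object { $_.Volume -eq $env:SystemDrive }
if ($os -and -not $os.HasTpmPin) {
    Write-Warning "OS volume $($os.Volume) has no TPM+PIN protector; no pre-boot PIN is enforced."
}

$reStatus = Get-WinREStatus
Write-Host "Windows RE status: $reStatus"
if ($reStatus -eq 'Enabled') {
    Write-Host "WinRE is reachable from the boot menu; 'reagentc /disable' turns it off if your policy calls for that."
}
```

Adding a PIN protector itself is done with `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector`, which prompts for the PIN; the article notes the claims about whether TPM+PIN blocks YellowKey are still contested, so treat the check as a hardening baseline rather than a guarantee.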