"No, TPM+PIN does not help, the issue is still exploitable regardless, I asked myself this question, can it still work in a TPM+PIN environment? Yes it does, I'm just not publishing the PoC, I think what's out there is already bad enough." — Chaotic Eclipse
Who released the exploits and why
A security researcher calling themselves Chaotic Eclipse (also posting as Nightmare Eclipse on GitHub) published proof-of-concept code for two undocumented Windows vulnerabilities, saying the disclosures were driven by dissatisfaction with Microsoft's handling of earlier bug reports. The researcher has previously published exploit code for BlueHammer (CVE-2026-33825) and RedSun (no identifier), and said they will continue to release exploits for undocumented Windows flaws, even hinting at "a big surprise" planned for next month's Patch Tuesday.
YellowKey: a BitLocker bypass that lives in WinRE
YellowKey is described by Chaotic Eclipse as a BitLocker bypass that affects Windows 11 and Windows Server 2022/2025. According to the researcher, the exploit operates by placing specially crafted "FsTx" files on an attached USB drive or on an EFI partition, rebooting into the Windows Recovery Environment (WinRE), and triggering a shell by holding down the CTRL key. The researcher says the spawned shell gains unrestricted access to the storage volume protected by BitLocker and calls the vulnerable component a backdoor because it exists only in WinRE, the environment Windows uses to repair boot-related issues.
Independent researcher Kevin Beaumont confirmed the YellowKey exploit is valid and agreed that BitLocker has a backdoor-like weakness; he recommended using a BitLocker PIN and a BIOS password as mitigations. Tharros Labs principal vulnerability analyst Will Dormann also confirmed the exploit worked when the FsTx files were placed on a USB drive but said he could not reproduce the bug using the EFI partition. Dormann explained that YellowKey "exploits NTFS transactions in combination with the Windows Recovery image" and that Windows looks for \System Volume Information\FsTx directories on attached drives and will replay any NTFS logs when booting Recovery.
Dormann and Chaotic Eclipse both noted an important constraint: YellowKey works only on the original device, because that device's TPM holds the encryption keys. As a result, the researcher's current YellowKey PoC does not work against stolen drives, but it can grant access to disks protected by TPM-only BitLocker without any credentials.
GreenPlasma: a partial PoC for CTFMON elevation
GreenPlasma is described as a "Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability." The researcher says it allows an unprivileged user to create arbitrary memory-section objects within directory objects writable by SYSTEM, potentially enabling manipulation of privileged services or drivers that trust those locations. The leaked PoC is incomplete and lacks the component required to obtain a full SYSTEM shell, but Chaotic Eclipse asserted that a capable attacker "can turn this into a full privilege escalation," and that created sections could be used to influence kernel-mode drivers and services into trusting paths standard users cannot access.
Responses from named researchers and Microsoft
Kevin Beaumont publicly validated YellowKey and recommended BitLocker PIN plus a BIOS password as mitigations. Will Dormann provided technical context about the mechanism — NTFS transactions and the Recovery image — and reiterated the requirement to test on the original TPM-backed device. BleepingComputer contacted Microsoft; a company spokesperson told BleepingComputer that Microsoft is "committed to investigating reported security issues, and update impacted devices to protect customers as soon as possible," and that the company supports coordinated vulnerability disclosure.
What this means for security teams, enterprises, and end users
- Technologists and security teams: Dormann’s explanation points to a detectable artifact — Windows looks for \System Volume Information\FsTx directories on attached drives — so teams can check for unexpected FsTx directories and review WinRE behaviors on devices running Windows 11 or Windows Server 2022/2025.
- Affected enterprises and procurement leaders: YellowKey’s effectiveness against TPM-only BitLocker configurations suggests organizations that rely on TPM-only deployments should evaluate requiring a BitLocker PIN (or equivalent multifactor unlock) and consider BIOS/firmware passwords for systems where policy permits.
- End users and device owners: Kevin Beaumont’s mitigation advice in the wake of the PoC release is direct: enable a BitLocker PIN and set a BIOS password where available. Note that, per the researchers, the current YellowKey PoC only works on the original device with keys in the TPM and not against stolen drives.
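A defender-side audit that combines the two checks above (the \System Volume Information\FsTx artifact from Dormann's description, and the TPM-only versus PIN unlock posture that Beaumont's advice targets), written as an added PowerShell example that is not from the BleepingComputer story, the researcher's PoC, or Microsoft. It assumes an elevated PowerShell session on Windows 11 or Windows Server with the BitLocker module available; the function names and the posture labels are my own. Reading \System Volume Information normally requires SYSTEM rather than a mere administrator, so an access-denied result is reported as such instead of being treated as a clean drive.

```powershell
# Added audit example; not part of the original article or any of the cited researchers' code.
# Assumes: elevated PowerShell, BitLocker module present (Get-BitLockerVolume).

function Get-FsTxArtifacts {
    # Look on every mounted filesystem drive for the directory the article says Recovery
    # scans and replays: <drive>:\System Volume Information\FsTx
    $results = @()
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root
        if (-not $root) { continue }
        $fsTx    = Join-Path $root 'System Volume Information\FsTx'
        $state   = 'Absent'
        $entries = 0
        try {
            if (Test-Path -LiteralPath $fsTx -PathType Container -ErrorAction Stop) {
                $state   = 'Present'
                $entries = (Get-ChildItem -LiteralPath $fsTx -Force -Recurse -ErrorAction Stop |
                            Measure-Object).Count
            }
        } catch {
            # Non-SYSTEM callers are usually denied here; say so rather than report "Absent".
            if ($_.Exception -is [System.UnauthorizedAccessException] -or
                $_.CategoryInfo.Category -eq 'PermissionDenied') {
                $state = 'AccessDenied'
            } else {
                $state = "Error: $($_.Exception.Message)"
            }
        }
        $results += [pscustomobject]@{
            Drive   = $root
            FsTxDir = $fsTx
            State   = $state
            Entries = $entries
        }
    }
    return $results
}

function Get-BitLockerUnlockPosture {
    # Classify each BitLocker volume by its key protectors. 'TpmOnly' is the configuration
    # the article says the current YellowKey PoC defeats; the other labels are observations
    # of posture only, since the page records disagreement on whether a PIN is sufficient.
    $out = @()
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $posture =
            if ($vol.ProtectionStatus -ne 'On')                                           { 'NotProtected' }
            elseif ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')   { 'TpmPlusPin' }
            elseif ($types -contains 'TpmStartupKey')                                    { 'TpmPlusStartupKey' }
            elseif ($types -contains 'Tpm')                                              { 'TpmOnly' }
            else                                                                         { 'NoTpmProtector' }
        $out += [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ',')
            Posture    = $posture
        }
    }
    return $out
}

# Usage: run both reports. Any drive showing 'Present' with a non-zero entry count, or an
# OS volume labelled 'TpmOnly', is worth a closer look against the guidance in the article.
Get-FsTxArtifacts          | Format-Table -AutoSize
Get-BitLockerUnlockPosture | Format-Table -AutoSize
```

Run the FsTx check from a SYSTEM context (for example via a scheduled task or an endpoint agent) if the report comes back 'AccessDenied' for every drive; the BitLocker posture report works from any elevated session. Neither function changes anything on the system, so it is safe to schedule as a recurring inventory job.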
Chaotic Eclipse’s continuing disclosures — and the promise of more exploit leaks — place pressure on both vendors and defenders. Microsoft says it investigates reported issues and prefers coordinated disclosure; the researcher says past reporting prompted public releases. For defenders, the immediate tasks are clear: review Recovery and EFI behaviors, consider stronger BitLocker unlock policies, and watch for any official advisories or patches that address the reported WinRE and CTFMON issues.
Read the original BleepingComputer story: https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/