
Windows Zero-Days Expose BitLocker, CTFMON Vulnerabilities


"One of the most insane discoveries I ever found," said the anonymous researcher known as Chaotic Eclipse, describing a pair of Windows zero-days that together expose a BitLocker bypass and a privilege-escalation vector in Windows' translation framework.

YellowKey: a WinRE backdoor that can surface a shell on BitLocker-protected systems

YellowKey, codenamed by the researcher, targets the Windows Recovery Environment (WinRE) and affects Windows 11 and Windows Server 2022/2025. According to the disclosure, the exploit works by placing specially crafted "FsTx" files on a USB drive or the EFI partition, inserting that media into a machine with BitLocker enabled, rebooting into WinRE, and triggering a shell by holding the CTRL key.

The researcher described the bug as functioning "as a backdoor" because it is present only in WinRE. Chaotic Eclipse also said that "TPM+PIN does not help, the issue is still exploitable regardless." Independent security researcher Will Dormann posted on Mastodon that he was able to reproduce YellowKey with a USB drive attached, saying: "it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment."

Dormann further highlighted that a "\System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed," calling that cross-volume modification "in and of itself" a vulnerability.

GreenPlasma: CTFMON arbitrary section creation and potential SYSTEM manipulation

The second zero-day, GreenPlasma, targets the Windows Collaborative Translation Framework (CTFMON) and is described as a privilege-escalation issue that could allow an unprivileged user to create arbitrary memory section objects inside directory objects that are writable by SYSTEM.

The published proof-of-concept (PoC) is incomplete and lacks the final code to obtain a full SYSTEM shell. In its current form, however, the exploit can create arbitrary section objects in locations normally writable only by SYSTEM, which "potentially" enables an attacker to manipulate privileged services or drivers that implicitly trust files in those paths — a notable change from the normal security model where a standard user lacks write access to such locations.

Context: other recent disclosures, Microsoft response, and the researcher's warnings

These two zero-days come about a month after Chaotic Eclipse published three Microsoft Defender vulnerabilities called BlueHammer, RedSun, and UnDefend, following stated dissatisfaction with Microsoft's handling of vulnerability reports. BlueHammer was later assigned CVE-2026-33825 and patched by Microsoft; Chaotic Eclipse said the company appeared to have "silently" addressed RedSun without issuing an advisory.

The researcher warned that the situation had been worsened by Microsoft's earlier handling and promised a "big surprise" timed with the next Patch Tuesday in June 2026. When reached for comment, a Microsoft spokesperson told The Hacker News the company "has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible" and that it supports coordinated vulnerability disclosure to ensure issues are "carefully investigated and addressed before public disclosure."

Boot manager downgrade and the Intrinsec chain against BitLocker (CVE-2025-48804)

Separately, French cybersecurity firm Intrinsec described an attack chain that uses a boot manager downgrade to bypass BitLocker on fully patched Windows 11 systems by exploiting CVE-2025-48804 (CVSS 6.8). Intrinsec explained that adding a second WIM to a System Deployment Image (SDI) with a modified blob table can cause the boot manager to verify the legitimate WIM while booting from a second, attacker-controlled WIM. That second WIM can contain a WinRE image with an injected cmd.exe that executes with the decrypted BitLocker volume.

Microsoft released fixes for this issue in July 2025, but Intrinsec and other researchers noted a lingering risk: Secure Boot validates a binary's signing certificate, not its version. A vulnerable copy of "bootmgfw.efi" signed with the PCA 2011 certificate could, while that certificate remains trusted, be used to load an unpatched boot manager. Microsoft plans to retire the old PCA 2011 certificates "next month," the source says. Intrinsec's recommended mitigations are to enable a BitLocker PIN at startup for preboot authentication, to migrate the boot manager to the CA 2023 certificate, and to revoke the PCA 2011 certificate.

What this means for technologists, enterprises, and security teams

  • Technologists and security teams: investigate WinRE images and boot media handling procedures; test reproducibility of FsTx artifacts and review Transactional NTFS behaviors that could allow cross-volume modifications.
  • Enterprises and procurement leaders: prioritize preboot authentication such as BitLocker PINs and verify boot manager certificate migration to CA 2023; plan for certificate retirement timelines that affect Secure Boot trust.
  • Incident response and endpoint defenders: treat physical-access vectors as high-risk given the reproductions that require attached media, and be prepared to analyze WinRE and System Volume Information artifacts during triage.
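One way for an administrator to audit a fleet against the mitigations named above (BitLocker preboot PIN, boot manager signed by the 2023 CA, PCA 2011 revoked). This is an added example, not code from the article, from Intrinsec or from Microsoft; it assumes an elevated PowerShell session on Windows 11 with the built-in BitLocker and SecureBoot modules, that drive letter S: is free for mounting the EFI system partition, and it matches certificate names by their well-known subject strings "Windows UEFI CA 2023" and "Microsoft Windows Production PCA 2011".

```powershell
# Added audit script (assumptions: elevated session, S: unused, standard module cmdlets).

function Test-BitLockerPrebootAuth {
    # One object per OS volume: is a TPM+PIN (or TPM+PIN+startup key) protector present?
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
        $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            HasTpmPin        = [bool](($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))
        }
    }
}

function Test-SecureBootCertState {
    # Read the UEFI allowed-signer list (db) and revocation list (dbx) and look for the
    # certificate subject names as ASCII substrings of the raw variable contents.
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this machine' }
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        Ca2023Trusted  = [bool]($db  -match 'Windows UEFI CA 2023')
        Pca2011Trusted = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        Pca2011Revoked = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    }
}

function Test-BootManagerSigner {
    # Mount the EFI system partition read-only long enough to inspect the Authenticode
    # signature chain on bootmgfw.efi; report which CA issued the signing certificate.
    mountvol S: /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
        [pscustomobject]@{
            Status       = $sig.Status
            Issuer       = $sig.SignerCertificate.Issuer
            SignedByCa23 = [bool]($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
        }
    } finally {
        mountvol S: /D | Out-Null
    }
}

# Summary: every field should be True before the PCA 2011 retirement lands.
$bl = Test-BitLockerPrebootAuth; $sb = Test-SecureBootCertState; $bm = Test-BootManagerSigner
[pscustomobject]@{
    AllOsVolumesTpmPin = -not ($bl | Where-Object { -not $_.HasTpmPin })
    Ca2023InDb         = $sb.Ca2023Trusted
    Pca2011InDbx       = $sb.Pca2011Revoked
    BootMgrOnCa2023    = $bm.SignedByCa23
} | Format-List
```

Run the three functions individually to see per-volume and raw certificate details; the final object is the pass/fail view a ticket or compliance report would carry.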

Two threads run through these disclosures: first, code paths intended for recovery and maintenance — WinRE, WinPE, SDI/WIM images, and the CTF subsystem — can contain unexpected privileges and trust relationships; second, supply-chain and certificate trust mechanics (Secure Boot, PCA 2011 vs CA 2023) remain an operational pivot point. Chaotic Eclipse's promise of further public disclosures at the next Patch Tuesday, combined with the ongoing certificate transition and previously patched but exploitable downgrade mechanics, makes June Patch Tuesday a date to watch for defenders and administrators alike.

Source: The Hacker News