Microsoft Grapples with New Zero-Day Disclosures: BitLocker Bypass and Privilege Escalation Unveiled Amidst Researcher Dissatisfaction

Cahyo Dewo, May 18, 2026

A prominent, anonymous cybersecurity researcher, operating under the aliases Chaotic Eclipse and Nightmare-Eclipse, has once again brought to light critical vulnerabilities within Microsoft’s Windows ecosystem, disclosing two new zero-day flaws. These latest discoveries, codenamed "YellowKey" and "GreenPlasma," involve a significant bypass of BitLocker encryption and a privilege escalation vulnerability affecting the Windows Collaborative Translation Framework (CTFMON), respectively. This fresh wave of public disclosures intensifies an ongoing dispute between the researcher and Microsoft regarding the handling and resolution of security vulnerabilities, following earlier public revelations of flaws in Microsoft Defender. Simultaneously, the French cybersecurity firm Intrinsec has detailed a separate, equally concerning BitLocker downgrade attack, underscoring persistent challenges in maintaining robust data protection on Windows platforms.

Escalating Tensions: New Zero-Days Emerge

The recent revelations from Chaotic Eclipse highlight not only technical deficiencies within Windows but also a growing tension in the vulnerability disclosure landscape. The researcher’s decision to publicly release details of these zero-days, complete with proof-of-concept (PoC) code, underscores a perceived failure in the traditional coordinated vulnerability disclosure (CVD) process with Microsoft. This approach mirrors the researcher’s previous actions, suggesting a pattern of dissatisfaction with the tech giant’s responsiveness and transparency.

YellowKey: A BitLocker Bypass in the Windows Recovery Environment

The "YellowKey" vulnerability, described by Chaotic Eclipse as "one of the most insane discoveries I ever found," represents a profound security concern for users relying on Microsoft’s full-disk encryption solution, BitLocker. This flaw functions as an effective BitLocker bypass, allowing unauthorized access to encrypted data. What makes YellowKey particularly insidious is its operational context: it resides within the Windows Recovery Environment (WinRE), a critical, built-in framework designed to troubleshoot and repair common operating system issues that prevent a system from booting normally. WinRE is intended to be a secure, isolated environment, making a bypass originating from within it particularly alarming.

BitLocker, Microsoft’s proprietary encryption feature, is a cornerstone of data protection for millions of Windows users, particularly in enterprise environments. It uses the Trusted Platform Module (TPM) – a secure cryptoprocessor – to protect encryption keys and ensure the integrity of the boot process. The standard expectation is that even with physical access, an attacker should not be able to decrypt data without the correct authentication. However, YellowKey subverts this fundamental security promise.

The technical mechanics of YellowKey involve a multi-step process that, while requiring physical access, bypasses layers of protection including TPM and even BitLocker PINs. The attack affects Windows 11 and Windows Server 2022/2025. It necessitates the creation of specially crafted "FsTx" files, which are then placed on a USB drive or the EFI partition. An attacker would then plug this USB drive into the target Windows computer with BitLocker enabled, reboot the system into WinRE, and, by holding down the CTRL key, trigger a shell. This shell, operating within the compromised WinRE, effectively gains access to the decrypted BitLocker volume.

The researcher’s profound statement, "I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden," highlights the complexity and elusive nature of YellowKey. The claim that "TPM+PIN does not help, the issue is still exploitable regardless," is particularly concerning, as pre-boot authentication via PIN is often recommended as an additional layer of security beyond TPM-only BitLocker configurations, specifically to guard against cold boot attacks and other physical access exploits.

The severity of YellowKey was corroborated by security researcher Will Dormann, who, in a post on Mastodon, confirmed the exploit’s reproducibility. Dormann observed, "I was able to reproduce [YellowKey] with a USB drive attached," further detailing, "it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment." Dormann’s analysis points to a deeper systemic issue: "While the TPM-only BitLocker bypass is indeed interesting, I think the buried lede here is that a System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed. To me, this in and of itself sounds like a vulnerability." This observation suggests that the true root cause might lie in how Windows handles transactional file system operations across different volumes, potentially impacting data integrity and isolation beyond just BitLocker.

GreenPlasma: Privilege Escalation via CTFMON

The second vulnerability unveiled by Chaotic Eclipse, dubbed "GreenPlasma," is a privilege escalation flaw. This type of vulnerability allows an attacker, typically operating with limited user privileges, to gain higher-level access, potentially reaching SYSTEM-level permissions, which are the highest possible on a Windows machine. Such elevated privileges grant an attacker complete control over the compromised system, enabling them to install programs, view, change, or delete data, and create new accounts with full user rights.

GreenPlasma arises from what is described as "Windows CTFMON arbitrary section creation." CTFMON.EXE, or the "ctfmon (CTF Loader)," is a legitimate Microsoft process that activates the Alternative User Input and the Office Language Bar. It is responsible for advanced text input services, such as speech recognition, handwriting recognition, and keyboard layout management. While not inherently malicious, its underlying mechanisms can, as demonstrated by GreenPlasma, be abused.


The released proof-of-concept (PoC) for GreenPlasma is currently incomplete, lacking the final stages of code necessary to achieve a full SYSTEM shell. However, even in its present form, the exploit is potent. It enables an unprivileged user to create arbitrary memory section objects within directory objects that are writable by SYSTEM. This capability is critical because standard users are typically restricted from writing to such privileged locations. By manipulating these memory sections, an attacker could potentially interfere with, or even hijack, privileged services or drivers that implicitly trust these paths, paving the way for eventual SYSTEM-level compromise. The ability to inject or modify data in SYSTEM-controlled memory areas is a classic precursor to full privilege escalation.

A Pattern of Public Disclosure and Discontent

These latest disclosures are not an isolated incident but rather a continuation of a contentious relationship between Chaotic Eclipse and Microsoft’s Security Response Center (MSRC). The researcher’s proactive public disclosure strategy stems from alleged dissatisfaction with Microsoft’s handling of vulnerability reports and the perceived slow or inadequate patching process.

Chronology of Disclosure and Microsoft’s Response

Approximately a month prior to the YellowKey and GreenPlasma revelations, Chaotic Eclipse publicly disclosed three other zero-day vulnerabilities affecting Microsoft Defender. These flaws, named "BlueHammer," "RedSun," and "UnDefend," garnered significant attention and, according to the researcher, came under active exploitation in the wild shortly after their disclosure.

Following this initial wave of disclosures, Microsoft officially assigned an identifier, CVE-2026-33825, to BlueHammer and issued a patch last month. However, the researcher claims that RedSun was "silently" addressed by the tech giant, meaning a fix was deployed without a corresponding security advisory or public acknowledgment of the vulnerability. This lack of transparency appears to be a core driver of Chaotic Eclipse’s ongoing frustration.

The researcher’s statements reflect a deep-seated grievance: "I hope you at least attempt to resolve the situation responsibly, I’m not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer. The fire will go as long as you want, unless you extinguish it or until there nothing left to burn." These pointed remarks indicate a breakdown in communication and trust, where the researcher feels their concerns are not being adequately addressed through conventional channels, leading them to resort to public disclosure as a means of pressure.

Further escalating the situation, Chaotic Eclipse has ominously promised a "big surprise" for Microsoft, timed to coincide with the next Patch Tuesday release in June 2026. This suggests that additional vulnerabilities may be held in reserve, to be revealed if the perceived grievances are not resolved, creating an atmosphere of anticipation and concern within the cybersecurity community.

Microsoft’s Stance on Vulnerability Disclosure

In response to previous inquiries regarding Chaotic Eclipse’s disclosures, a Microsoft spokesperson reiterated the company’s official policy. The spokesperson stated that Microsoft "has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," and that it supports coordinated vulnerability disclosure (CVD). The company maintains that CVD "helps ensure issues are carefully investigated and addressed before public disclosure."

Coordinated Vulnerability Disclosure is a widely accepted industry practice where researchers privately report vulnerabilities to vendors, allowing time for patches to be developed and distributed before public disclosure. This approach aims to minimize risk to end-users by preventing attackers from exploiting publicly known, unpatched flaws. However, instances like those involving Chaotic Eclipse highlight the inherent tension when researchers feel that vendors are not acting expeditiously or transparently enough, prompting them to bypass the traditional CVD model in favor of full, public disclosure. This dynamic often pits the vendor’s desire for controlled patching against the researcher’s desire for accountability and rapid remediation, sometimes leading to public spats and zero-day releases.

Broader BitLocker Concerns: The Downgrade Attack

The challenges to BitLocker’s integrity are not limited to Chaotic Eclipse’s discoveries. French cybersecurity company Intrinsec recently detailed a distinct, yet equally concerning, attack chain against BitLocker, dubbed "BitUnlocker." This method leverages a boot manager downgrade by exploiting CVE-2025-48804 (CVSS score: 6.8), enabling attackers to bypass BitLocker encryption on fully patched Windows 11 systems in under five minutes.

Intrinsec’s BitLocker Downgrade Attack (CVE-2025-48804)

Intrinsec’s attack targets the boot process itself, specifically how the system loads its recovery and operating system images. The principle of the attack is ingenious: "The boot manager loads the System Deployment Image (SDI) file and the WIM referenced by it, and verifies the integrity of the legitimate WIM," Intrinsec explained. "However, when a second WIM is added to the SDI with a modified blob table, the boot manager checks the first (legitimate) WIM while simultaneously booting from the second (controlled by the attacker). This second WIM contains a WinRE image infected with ‘cmd.exe,’ which executes with the decrypted BitLocker volume."


This means an attacker can manipulate the boot sequence to load a malicious WinRE image that grants them a command shell with access to the decrypted BitLocker volume, all while the system thinks it is verifying a legitimate image. The speed of this exploit – less than five minutes – makes it a highly efficient method for bypassing encryption when physical access is gained.

The Secure Boot Paradox and Certificate Retirement

While Microsoft issued fixes for CVE-2025-48804 in July 2025, the underlying problem, as identified by security researcher Cassius Garat, lies in a fundamental limitation of Secure Boot. Secure Boot is a security standard developed by members of the PC industry to help ensure that a device boots using only software that is trusted by the OEM (Original Equipment Manufacturer). It typically verifies the cryptographic signatures of boot components. However, Garat noted that Secure Boot only verifies a binary’s signing certificate, not its version.

This crucial distinction means that even if a newer, patched version of "bootmgfw.efi" (the Windows Boot Manager) exists, an attacker could still load an older, vulnerable version of the boot manager if it is signed with a trusted certificate, such as the widely used PCA 2011 certificate. As a result, the older, unpatched boot manager can bypass BitLocker safeguards without triggering any alerts. This paradox highlights a significant gap in the chain of trust established by Secure Boot, where a valid signature is mistaken for overall security, even if the signed code itself contains known vulnerabilities.

Further complicating matters, Microsoft plans to retire the old PCA 2011 certificates next month (June 2026). While this move is intended to enhance security by phasing out older, potentially weaker cryptographic anchors, Intrinsec pointed out the immediate risk: "And as long as it is not revoked, even an old, vulnerable boot manager can be loaded without triggering an alert." For this specific downgrade attack, physical access to the target machine is a prerequisite, which is a common requirement for boot-level exploits.

Mitigating Downgrade Risks

To counter the threat posed by such BitLocker downgrade attacks, Intrinsec and other security experts recommend several critical countermeasures. The most robust defense involves enabling a BitLocker PIN at startup for pre-boot authentication. This adds a crucial layer of user authentication before the operating system or even the boot manager fully loads, making it significantly harder for an attacker to exploit flaws in the boot process, even with physical access. The PIN acts as a second factor beyond just the TPM’s measurement of boot integrity.

Additionally, it is essential for organizations and users to migrate their boot manager to the newer CA 2023 certificate and, crucially, to revoke the old PCA 2011 certificate. Revoking the old certificate ensures that even if an attacker attempts to load an old, vulnerable boot manager, it will no longer be considered cryptographically trustworthy by Secure Boot, thus preventing the exploit from proceeding. Regular system updates and diligent patching remain paramount, but these specific configuration changes provide targeted defenses against this class of attack.
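The three configuration points above (a pre-boot PIN, trust in the CA 2023 certificate, and revocation of PCA 2011) can be audited from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the article, Intrinsec or Microsoft. It also covers the Secure Boot limitation described in the previous section, by reporting which certificate authority issued the signature on the installed boot manager rather than relying on its version. It assumes a UEFI system with the BitLocker PowerShell module, that the drive letter S: is free for temporarily mounting the EFI system partition, and that the certificate names can be located by substring match against the db/dbx variables and the Authenticode issuer field; the protector type names `TpmPin` and `TpmPinStartupKey` are the values the BitLocker module reports for PIN-protected TPM protectors.

```powershell
# Added example (not from the article, Intrinsec or Microsoft): read-only audit of
# the boot-trust settings the mitigation section names. Run elevated on Windows 11.
# Assumptions: S: is a free drive letter; CA names are matched as substrings.

function Test-BitLockerPreBootPin {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        # Only these protector types require a PIN before the boot manager unseals the key
        HasPreBootPin    = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    }
}

function Test-SecureBootCertificateState {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is off; the contents of db/dbx do not constrain what boots.'
    }
    # db/dbx are raw EFI signature lists; the CA names are readable as ASCII inside the DER blobs
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        Ca2023TrustedInDb   = [bool]($db  -match 'Windows UEFI CA 2023')
        Pca2011RevokedInDbx = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    }
}

function Get-BootManagerSigner {
    param([string]$EfiLetter = 'S:')   # assumed free letter for the EFI system partition
    mountvol $EfiLetter /S | Out-Null
    try {
        $sig    = Get-AuthenticodeSignature -FilePath "$EfiLetter\EFI\Microsoft\Boot\bootmgfw.efi"
        $issuer = $sig.SignerCertificate.Issuer
        [pscustomobject]@{
            SignatureStatus = $sig.Status
            Issuer          = $issuer
            # Secure Boot only checks that this chain is trusted, not which build of bootmgfw.efi it is
            IssuedByCa2023  = [bool]($issuer -match 'Windows UEFI CA 2023')
            IssuedByPca2011 = [bool]($issuer -match 'Production PCA 2011')
        }
    } finally {
        mountvol $EfiLetter /D | Out-Null
    }
}

function Invoke-BootTrustAudit {
    $pin  = Test-BitLockerPreBootPin
    $cert = Test-SecureBootCertificateState
    $bm   = Get-BootManagerSigner
    $findings = @()
    if (-not $pin.HasPreBootPin)        { $findings += 'No TPM+PIN protector on the OS volume.' }
    if (-not $cert.Ca2023TrustedInDb)   { $findings += 'Windows UEFI CA 2023 is not in db.' }
    if (-not $cert.Pca2011RevokedInDbx) { $findings += 'PCA 2011 is not in dbx: an older PCA 2011-signed boot manager would still pass Secure Boot.' }
    if (-not $bm.IssuedByCa2023)        { $findings += 'Installed bootmgfw.efi is not signed under Windows UEFI CA 2023.' }
    [pscustomobject]@{ BitLocker = $pin; SecureBoot = $cert; BootMgr = $bm; Findings = $findings }
}

$audit = Invoke-BootTrustAudit
$audit.BitLocker, $audit.SecureBoot, $audit.BootMgr | Format-List
$audit.Findings | ForEach-Object { Write-Warning $_ }
```

The script changes nothing; it only reports. When acting on its findings, the order matters: the boot manager must be migrated to a CA 2023-signed build (and confirmed by the `IssuedByCa2023` check) before PCA 2011 is added to dbx, since revoking the certificate that signed the installed boot manager leaves the machine unable to boot.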

The Evolving Landscape of Windows Security

The convergence of these distinct but equally critical vulnerabilities – the YellowKey BitLocker bypass, the GreenPlasma privilege escalation, and the Intrinsec boot manager downgrade – paints a challenging picture for Windows security. These disclosures underscore the continuous cat-and-mouse game between security researchers and software vendors, particularly concerning the resilience of fundamental security features like full-disk encryption and the integrity of the operating system core.

For enterprises and individual users, these events highlight the imperative of not only applying patches promptly but also understanding the nuances of how security features are implemented and the potential for their circumvention. The researcher’s commitment to delivering a "big surprise" for Microsoft’s June Patch Tuesday release further emphasizes the need for ongoing vigilance and proactive security measures.

The broader implications extend to the delicate balance of vulnerability disclosure. While public disclosures can force vendors to act, they also expose users to potential exploitation before patches are widely available. Microsoft’s commitment to investigating issues and supporting coordinated disclosure is a standard industry practice, but the recurring public disclosures by Chaotic Eclipse suggest that the effectiveness of this process can be strained when researchers perceive a lack of urgency or transparency. As the digital threat landscape continues to evolve, the robustness of operating system security, the integrity of cryptographic safeguards, and the dynamics of vulnerability disclosure remain critical areas of focus for the entire cybersecurity community.
