
Windows BitLocker zero-day gives access to protected drives, PoC released


A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma: a BitLocker bypass and a privilege-escalation flaw, respectively.

Known as Chaotic Eclipse or Nightmare Eclipse, the researcher describes the BitLocker bypass issue as functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows.

The latest exploits follow the researcher's previous disclosure of the BlueHammer (CVE-2026-33825) and RedSun (no identifier) local privilege escalation (LPE) zero-day flaws, both of which began to be exploited in the wild shortly after being publicly disclosed.

As in previous cases, the researcher stated that the decision to publicly disclose the YellowKey and GreenPlasma vulnerabilities, along with guidance on how to leverage them, was driven by dissatisfaction with Microsoft’s handling of bug reports.

Chaotic Eclipse, or Nightmare-Eclipse on GitHub, said that they will keep leaking exploits for undocumented Windows vulnerabilities, even promising “a big surprise” for the next Patch Tuesday.

The YellowKey BitLocker bypass

The researcher says that YellowKey is a BitLocker bypass that affects Windows 11 and Windows Server 2022/2025. It involves placing specially crafted ‘FsTx’ files on a USB drive or EFI partition, rebooting into WinRE, and triggering a shell by holding down the CTRL key.

The BitLocker bypass should also work without external storage if the files are copied to the EFI partition on the target drive.

According to Chaotic/Nightmare Eclipse, the spawned shell gains unrestricted access to the storage volume protected by BitLocker.
