BitLocker bypass via WinRE and privilege escalation flaws disclosed in Windows

1 unique source, 1 article

Summary

A security researcher publicly disclosed two unpatched Windows vulnerabilities, YellowKey and GreenPlasma, including proof-of-concept (PoC) exploits, enabling BitLocker bypass and local privilege escalation (LPE) respectively. YellowKey exploits the Windows Recovery Environment (WinRE) to bypass BitLocker encryption on Windows 11, Windows Server 2022, and Windows Server 2025 systems, allowing unrestricted access to encrypted volumes without requiring user credentials. The attack leverages specially crafted 'FsTx' files placed on a USB drive or the EFI partition, triggering a shell upon recovery mode entry. GreenPlasma is an LPE flaw enabling SYSTEM-level access through arbitrary section creation in writable SYSTEM directories, with a partial PoC released. Microsoft has not yet patched either vulnerability and has not assigned a CVE identifier to GreenPlasma. The researcher, operating under aliases Chaotic Eclipse and Nightmare Eclipse, cited dissatisfaction with Microsoft’s bug report handling as the reason for public disclosure and hinted at further disclosures ahead of the next Patch Tuesday.

Timeline

  1. 13.05.2026 19:37 · 1 article

    YellowKey BitLocker bypass and GreenPlasma privilege escalation PoCs published

    Proof-of-concept exploits for YellowKey (BitLocker bypass) and GreenPlasma (local privilege escalation) were published by a security researcher. YellowKey exploits the Windows Recovery Environment (WinRE) to bypass BitLocker encryption on Windows 11 and Windows Server 2022/2025 by leveraging NTFS transaction replay and crafted FsTx directories, enabling full disk access without credentials. GreenPlasma enables SYSTEM-level privilege escalation via arbitrary section creation in SYSTEM-writable directories, with a partial PoC disclosed. Microsoft has not patched either vulnerability and has not assigned a CVE identifier to GreenPlasma.

Information Snippets

  • YellowKey exploits NTFS transactions and the Windows Recovery Environment to bypass BitLocker encryption on Windows 11 and Windows Server 2022/2025, granting full access to encrypted volumes without requiring credentials.

    First reported: 13.05.2026 19:37
    1 source, 1 article
  • The YellowKey attack places specially crafted 'FsTx' directories on a USB drive or the EFI partition, triggering a shell upon entering WinRE by holding the CTRL key or through auto-boot recovery.

    First reported: 13.05.2026 19:37
    1 source, 1 article
  • YellowKey bypasses TPM-only BitLocker configurations by leveraging the auto-unlock feature during boot, but does not work on stolen drives or systems protected with TPM+PIN.

    First reported: 13.05.2026 19:37
    1 source, 1 article
  • GreenPlasma is a privilege escalation flaw enabling SYSTEM-level access via arbitrary section creation in SYSTEM-writable directories, with a partial PoC released but lacking the component to achieve full SYSTEM shell.

    First reported: 13.05.2026 19:37
    1 source, 1 article
  • Microsoft has not patched YellowKey or GreenPlasma and has not assigned a CVE identifier to GreenPlasma. The researcher criticized Microsoft for silently patching the RedSun vulnerability without public acknowledgment or disclosure.

    First reported: 13.05.2026 19:37
    1 source, 1 article
  • The researcher, known as Chaotic Eclipse or Nightmare Eclipse, indicated plans to continue leaking exploits for undocumented Windows vulnerabilities, including a "big surprise" for the next Patch Tuesday.

    First reported: 13.05.2026 19:37
    1 source, 1 article
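
The snippet above on TPM-only versus TPM+PIN configurations can be turned into a fleet check. The following PowerShell audit is an added example, not code from the original report or the researcher: it flags BitLocker volumes that have a TPM protector without a PIN. `Get-BitLockerVolume` and the `KeyProtectorType` values are the BitLocker module's own names; the function name `Test-BitLockerPreBootAuth` and the sample volume objects are constructed for illustration.

```powershell
# Added example: report which BitLocker volumes rely on TPM-only auto-unlock.
# Run from an elevated session; Get-BitLockerVolume ships with the BitLocker module.

function Test-BitLockerPreBootAuth {
    param(
        # One object shaped like Get-BitLockerVolume output (pipeline-friendly).
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume
    )
    process {
        # Cast protector types to strings so real enum values and the
        # constructed sample objects below are compared the same way.
        $types  = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasPin = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })

        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            VolumeType       = [string]$Volume.VolumeType
            ProtectionStatus = [string]$Volume.ProtectionStatus
            Protectors       = $types -join ','
            # TPM protector present and no PIN-bearing protector: the volume
            # unlocks during boot without any user input.
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasPin
        }
    }
}

# Constructed sample input (hypothetical volumes), used only when the
# BitLocker module is not available on the machine running the script.
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
    }
)

$volumes = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume
} else {
    $sample
}

$volumes | Test-BitLockerPreBootAuth | Format-Table -AutoSize
```

With the constructed sample, `C:` is reported with `TpmOnly` set to `True` and `D:` with `False`.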