HackMyIP
2026-05-14 The Hacker News

Windows Zero-Days Expose BitLocker Bypass and CTFMON Privilege Escalation

Tags: Zero-Day, Vulnerability, Encryption

Security researcher Chaotic Eclipse (also known as Nightmare-Eclipse) has disclosed two critical zero-day vulnerabilities affecting Windows systems: YellowKey, a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025, and GreenPlasma, a privilege escalation in the Windows Collaborative Translation Framework (CTFMON). YellowKey exploits the Windows Recovery Environment (WinRE) by copying specially crafted "FsTx" files to a USB drive or EFI partition, allowing attackers to trigger a shell by holding CTRL during reboot while BitLocker protection is active. Security researcher Will Dormann confirmed the exploit, noting that "Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on another drive," effectively bypassing BitLocker encryption. The researcher emphasized that TPM+PIN configurations do not mitigate this vulnerability, calling it "one of the most insane discoveries" and suggesting the root cause remains difficult to identify.

The second vulnerability, GreenPlasma, enables privilege escalation to SYSTEM permissions through Windows CTFMON arbitrary section creation. While the released proof-of-concept is incomplete and cannot yet achieve full SYSTEM shell execution, it allows unprivileged users to create arbitrary memory section objects within directory objects writable by SYSTEM. This could enable manipulation of privileged services or drivers that implicitly trust those paths, as standard users lack write access to these locations. The disclosure follows the researcher's previous publication of three Microsoft Defender zero-days—BlueHammer, RedSun, and UnDefend—reportedly motivated by dissatisfaction with Microsoft's vulnerability disclosure process.

Organizations using BitLocker encryption should verify their security configurations, particularly those relying solely on TPM-only protection. The cross-volume transaction vulnerability identified by Dormann represents a fundamental flaw in Windows file system transaction handling, not merely a BitLocker bypass. System administrators should monitor for unexpected USB device attachments, as the YellowKey exploit requires physical access. Microsoft has not yet released patches for these vulnerabilities, and organizations should implement additional monitoring for anomalous file system operations in WinRE environments.
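As an added example (not from the article or the researchers involved), the following PowerShell script covers the two review items above: it lists the key protector types on each BitLocker volume so TPM-only volumes stand out, and it pulls recent USB device arrivals from the Kernel-PnP configuration log. It assumes the BitLocker PowerShell module is installed and the script runs in an elevated session; the `TpmOnly` field and the USB message filter are this example's own conventions.

```powershell
# Added example, not the article's code: inventory BitLocker protectors and
# recent USB device arrivals. Assumes the BitLocker module and an elevated shell.

function Get-BitLockerProtectorSummary {
    # One row per volume: protection state plus the protector types in use,
    # so volumes protected by the TPM alone (no PIN, no startup key) stand out.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            VolumeStatus     = $_.VolumeStatus
            Protectors       = ($types -join ', ')
            # Assumption of this example: "TPM-only" means a Tpm protector with no PIN/startup-key variant.
            TpmOnly          = ($types -contains 'Tpm') -and
                               -not ($types -contains 'TpmPin') -and
                               -not ($types -contains 'TpmStartupKey') -and
                               -not ($types -contains 'TpmPinStartupKey')
        }
    }
}

function Get-RecentUsbArrivals {
    param([int]$Hours = 24)
    # Kernel-PnP writes event 400 ("Device ... was configured") when a new device
    # instance is set up; matching on the USB instance path keeps the output to USB devices.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
        Id        = 400
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'USBSTOR\\|USB\\' } |
    Select-Object TimeCreated, Id, @{ n = 'Device'; e = { ($_.Message -split "`n")[0].Trim() } }
}

Get-BitLockerProtectorSummary | Format-Table -AutoSize
Get-RecentUsbArrivals -Hours 24 | Format-Table -AutoSize
```

Run it on a schedule and diff the output against a baseline; a new removable device on a machine that should never see one is the event worth investigating.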

Source: The Hacker News
