Chaotic Eclipse Returns With Two More Windows Zero-Days — BitLocker Bypass YellowKey and CTFMON Privilege Escalation GreenPlasma

The anonymous security researcher known as Chaotic Eclipse — responsible for the BlueHammer, RedSun, and UnDefend Microsoft Defender zero-days that ZDW covered last month — has returned with two additional Windows zero-days, escalating an increasingly public confrontation with Microsoft over vulnerability disclosure handling.

The first vulnerability, codenamed YellowKey, is a BitLocker bypass that the researcher described as "one of the most insane discoveries I ever found," comparing it to a backdoor built into Windows Recovery Environment (WinRE). The flaw affects Windows 11 and Windows Server 2022/2025.

The attack involves placing specially crafted Transactional NTFS (FsTx) files on a USB drive or the EFI partition, plugging the USB into a BitLocker-protected target machine, rebooting into WinRE, and triggering a shell by holding the CTRL key. Security researcher Will Dormann independently reproduced the exploit and confirmed it works — the FsTx directory on the USB drive is able to delete the winpeshl.ini file on a separate drive, resulting in a cmd.exe prompt with the BitLocker volume fully unlocked instead of the expected Recovery Environment.

Dormann highlighted what he considers the deeper issue: Transactional NTFS data on one volume can modify the contents of another volume when replayed. This cross-volume manipulation is itself a fundamental vulnerability regardless of the BitLocker implications. Critically, TPM+PIN configurations do not mitigate the issue — the exploit works regardless of preboot authentication settings.

The second vulnerability, codenamed GreenPlasma, is a privilege escalation targeting Windows Collaborative Translation Framework (CTFMON). The flaw enables an unprivileged user to create arbitrary memory section objects within directory objects writable by SYSTEM, potentially enabling manipulation of privileged services or drivers that implicitly trust those paths. The released proof-of-concept is intentionally incomplete — it lacks the final stage needed for a full SYSTEM shell — but demonstrates the core primitive that makes escalation possible.

The disclosures continue a pattern that began last month when Chaotic Eclipse published BlueHammer, RedSun, and UnDefend after expressing frustration with Microsoft's vulnerability handling. BlueHammer was assigned CVE-2026-33825 and patched, but the researcher claims Microsoft "silently" addressed RedSun without issuing an advisory. The three Defender exploits subsequently came under active exploitation in the wild, as Huntress documented in attacks involving Russian-geolocated VPN access.

Chaotic Eclipse has promised a "big surprise" for Microsoft coinciding with the June 2026 Patch Tuesday, suggesting additional disclosures are forthcoming.

Separately, French cybersecurity firm Intrinsec disclosed a related BitLocker downgrade attack exploiting CVE-2025-48804 that bypasses encryption on fully patched Windows 11 systems in under five minutes. The attack abuses the fact that Secure Boot verifies a binary's signing certificate but not its version, allowing a vulnerable boot manager signed with the trusted PCA 2011 certificate to be loaded without triggering alerts. Microsoft plans to retire PCA 2011 certificates next month, which should close this specific vector.

Mitigation:

YellowKey requires physical access, which limits remote exploitation but makes it a serious concern for stolen or seized devices, evil maid scenarios, and any environment where physical security is not absolute. Until Microsoft patches the WinRE flaw, organizations should restrict USB boot capabilities via BIOS/UEFI settings where operationally feasible. For the Intrinsec BitLocker downgrade attack, enable a BitLocker startup PIN for preboot authentication and prepare to migrate boot managers to PCA 2023 certificates once Microsoft retires PCA 2011 next month. GreenPlasma is incomplete as published but demonstrates a viable escalation primitive — monitor for patches addressing CTFMON section creation in upcoming Patch Tuesday releases. Given Chaotic Eclipse's track record, treat the promised June disclosure as a credible threat and plan accordingly.
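A defender-side audit for the BitLocker items in the mitigation list above, added here as an example and not taken from the article, Microsoft, or any of the researchers it cites. It reports, per BitLocker volume, whether a TPM+PIN protector is present, and reads the issuer of the installed UEFI boot manager's signature to tell a PCA 2011-signed boot manager from one signed under the 2023 CA; the drive letter used to mount the EFI System Partition is an assumption. Run from an elevated PowerShell session on the host being checked.

```powershell
#Requires -RunAsAdministrator
# Added audit script (assumption: Windows 11 / Server 2022+ with the BitLocker and
# SecureBoot PowerShell modules present). It only reads state; it changes nothing.

function Get-BitLockerPinStatus {
    # One row per BitLocker volume: protection state and whether a PIN-based
    # TPM protector (TpmPin or TpmPinStartupKey) is configured.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            HasTpmPin  = [bool]($types -match '^TpmPin')
            Protectors = ($types -join ',')
        }
    }
}

function Get-BootManagerSigner {
    # Temporarily mounts the EFI System Partition (mountvol /S) and reads the
    # Authenticode signature of bootmgfw.efi. The leaf certificate is the product
    # signer; the issuer names the CA, which is what the PCA 2011 retirement concerns.
    # Drive letter Z: is an assumption; pick a free letter.
    param([string]$Letter = 'Z:')
    mountvol $Letter /S | Out-Null
    try {
        $sig    = Get-AuthenticodeSignature -FilePath "$Letter\EFI\Microsoft\Boot\bootmgfw.efi"
        $issuer = $sig.SignerCertificate.Issuer
        [pscustomobject]@{
            SignatureStatus = $sig.Status
            Issuer          = $issuer
            LegacyPca2011   = $issuer -like '*Windows Production PCA 2011*'
            UefiCa2023      = $issuer -like '*Windows UEFI CA 2023*'
        }
    } finally {
        mountvol $Letter /D | Out-Null
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; report that as 'N/A'.
    try { Confirm-SecureBootUEFI } catch { 'N/A (not UEFI)' }
}

Get-BitLockerPinStatus | Format-Table -AutoSize
Get-BootManagerSigner  | Format-List
"Secure Boot enabled: $(Get-SecureBootState)"
```

A volume with `HasTpmPin` false is TPM-only, which the article's mitigation for the Intrinsec downgrade attack says to change; `LegacyPca2011` true means the boot manager still depends on the certificate Microsoft plans to retire.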
