YellowKey BitLocker bypass via WinRE opens encrypted drives with a USB stick, GreenPlasma CTFMON LPE drops the same day, Chaotic Eclipse calls it a backdoor
Contents
One day after May Patch Tuesday, on May 13, 2026, the same researcher who shipped BlueHammer in April — Chaotic Eclipse (GitHub handle: Nightmare-Eclipse) — dropped two more unpatched Windows zero-days at once. One is YellowKey, a BitLocker bypass that opens encrypted drives with a single USB stick. The other is GreenPlasma, a CTFMON-based attempt at SYSTEM elevation. Both ship with working PoCs and neither has a CVE.
The researcher himself writes that YellowKey “can’t be explained as anything other than a backdoor.” The reasoning is that the component responsible for the bypass exists only inside the WinRE (Windows Recovery Environment) image — a component with the exact same name ships in normal Windows installation images, but the bypass behavior does not appear there.
TL;DR
Impact Windows 11 / Windows Server 2022 / 2025 (Windows 10 is not affected)
Disclosed 2026-05-13, one day after May Patch Tuesday
Status Unpatched, no CVE assigned, no official mitigation
Requirements Physical access, a USB drive (NTFS / FAT32 / exFAT), holding Ctrl during reboot
Result Read/write access to BitLocker-protected drives from a cmd.exe shell
Companion drop GreenPlasma, a CTFMON-based SYSTEM elevation attempt (PoC incomplete)
Background Same researcher behind April’s BlueHammer / RedSun / UnDefend Defender chain. Claims Microsoft “silently patched” RedSun without issuing a CVE
Coming A “big surprise” teased for the June Patch Tuesday cycle
Timeline: from BlueHammer to YellowKey
| When | What |
|---|---|
| 2026-04-15 | Microsoft patches BlueHammer (Windows Defender LPE / CVE-2026-33825) in April Patch Tuesday; researcher publishes a full PoC |
| April | Chaotic Eclipse drops three Defender-related issues — BlueHammer, RedSun, UnDefend — in succession |
| Early May | RedSun is quietly fixed. No advisory, no CVE. The researcher publishes a blog post questioning whether this counts as a silent patch |
| 2026-05-12 | Microsoft May Patch Tuesday |
| 2026-05-13 | YellowKey (BitLocker bypass) and GreenPlasma (CTFMON LPE) released on GitHub |
| 2026-06? | ”Big surprise” teased |
Silently patching a reported vulnerability without a CVE is not unusual on its own, but it leaves the external reporter unable to tell whether their report was received or whether credit was deliberately dropped. This release sequence is the visible side of that frustration, and several outlets are reporting it that way.
YellowKey: how the BitLocker bypass works
| Item | Detail |
|---|---|
| Class | BitLocker full-volume encryption bypass |
| Path | WinRE (Windows Recovery Environment) + NTFS Transactions |
| Needed | USB drive (NTFS / FAT32 / exFAT), physical access, the Ctrl key |
| Impact | Windows 11 / Server 2022 / 2025 (Windows 10 out of scope) |
| Auth | None — operates from before BitLocker unlock |
| CVE | None |
| Patch | None |
The important thing is that YellowKey is not a cryptographic break of BitLocker. It rewinds the WinRE boot path so that a recovery-environment shell (cmd.exe) is dropped in front of the user, and from there the volumes that the OS has already mounted with their decryption keys are reachable from that shell.
Attack chain
flowchart TD
A[Attacker] --> B[Prepare USB drive<br/>NTFS or FAT32 or exFAT]
B --> C["Place crafted NTFS transaction logs<br/>under System Volume Information\FsTx\"]
C --> D[Insert USB into target PC<br/>BitLocker enabled]
D --> E[Reboot while holding Ctrl]
E --> F[WinRE starts]
F --> G[Windows enumerates FsTx on attached drives<br/>and replays the NTFS logs]
G --> H["X:\Windows\System32\winpeshl.ini gets deleted"]
H --> I[WinRE falls back to cmd.exe<br/>instead of its real startup shell]
I --> J[Read and write the BitLocker-protected drive<br/>from the shell]Cross-referencing the YellowKey README (Nightmare-Eclipse/YellowKey) with analyses from Hive Security, Blackfort Technology and Bleeping Computer, the trick comes down to three points.
- NTFS Transactions replay: Windows automatically replays NTFS transaction logs (metadata operations rooted in
$Logfile) from volumes attached during the boot path - FsTx directory scan: The trigger is the
\System Volume Information\FsTx\directory on each volume. Crafted logs placed on the USB side get replayed as changes against WinRE’s internalX:volume winpeshl.inideletion: As a result of replay,X:\Windows\System32\winpeshl.iniis missing when WinRE comes up. That file defines what WinRE launches first; without it, cmd.exe is the fallback
Holding Ctrl is the side route into WinRE rather than a normal boot, and the same conditions can be reproduced via the Shift+restart recovery flow. The exploit requires physical access and a USB stick — no firmware password, no PIN, no pre-boot authentication (PBA) is touched.
Why people are calling it a backdoor
The researcher’s argument: a component with the same name exists in normal Windows installation images, but the FsTx replay path observed in live WinRE behavior does not fire there. If this were a coincidental bug, the same behavior should show up on the install-image side too.
Whether you read that as “intentional backdoor” or not, the layout is hard to write off as a random misconfiguration:
- WinRE is a signed part of Windows shipped by Microsoft — not an OSS recovery environment users can build themselves
- Only the WinRE flavor of that component rewinds the transaction log of an external volume into its own internal state
- The file that is removed by replay is the “what runs first” config, and the fallback happens to be cmd.exe
As of 2026-05-18, Microsoft has not publicly explained this as a coincidence or a design side effect.
GreenPlasma: SYSTEM elevation via CTFMON
The other zero-day published alongside YellowKey is GreenPlasma, a local privilege escalation (LPE — going from a regular user to SYSTEM).
| Item | Detail |
|---|---|
| Class | Local privilege escalation (LPE) |
| Target | ctfmon.exe (Text Input Service, runs as SYSTEM) |
| Description | ”Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability” |
| Impact | Windows 11 / Server 2022 / 2026 |
| PoC | Incomplete — reaches memory section creation, not a full SYSTEM shell |
| CVE | None |
| Patch | None |
CTFMON (ctfmon.exe) runs as SYSTEM in every interactive logon session and handles the text-input framework around IMEs and the language bar. The PoC exploits the fact that an unprivileged user can create arbitrary memory section objects inside object directories where SYSTEM has write permission.
Memory sections are the substrate for shared memory between processes, and dropping one into a SYSTEM-owned path means that any service or driver implicitly trusting that path will execute against attacker-controlled content. Bleeping Computer and The Hacker News both summarize this as “manipulation of privileged services or drivers that implicitly trust those paths.”
The researcher is explicit that the PoC is incomplete — this is not a finished tool ready to be wrapped into commodity malware. But ctfmon is alive in every RDP and interactive session, so once the chain is finished, it becomes a direct SYSTEM acquisition path during post-exploitation.
Impact and how to weigh the risk
| Aspect | YellowKey | GreenPlasma |
|---|---|---|
| Prerequisite | Physical access + USB | Existing local code execution |
| Privilege | None — operates from the lock screen | Unprivileged user |
| Maturity | Working (USB copy → Ctrl+reboot) | PoC incomplete (no SYSTEM shell yet) |
| Patch | None | None |
| Mitigation | Restrict physical access / TPM+PIN / stronger pre-boot auth | None published yet |
YellowKey weighs heaviest where the threat model already includes “stolen laptop / lost laptop / device confiscated for inspection.” BitLocker is commonly treated as the default defense against powered-off physical theft, and TPM-only or Windows Hello PIN-centric configurations satisfy YellowKey’s preconditions as-is.
Configurations that significantly reduce YellowKey’s real-world damage:
| Configuration | Why it helps |
|---|---|
| TPM + PIN (pre-boot authentication) | A PIN is required before WinRE is reachable |
| Third-party pre-boot authentication | Authentication happens at the BIOS/UEFI stage |
| BitLocker recovery key escrow + rotation | The fact that the drive was opened once becomes detectable |
If your threat model does not include physical access to begin with, YellowKey is less of an “act today” item and more of a “tighten PIN policies and WinRE access while waiting for the official patch” item.
GreenPlasma is downstream of an existing foothold — it only matters once an attacker is already running code locally, paired with an initial-access vector (phishing, supply chain compromise, another RCE). The detection question is whether EDR/AV telemetry can catch unusual writes around \BaseNamedObjects or the object directories CTFMON touches.
RedSun silent patch and the researcher’s motive
This double drop sits on top of an ongoing RedSun silent-patch dispute that has been running since April.
- The researcher’s claim: he reported RedSun (a Windows Defender issue), Microsoft fixed it in May Windows Update without an advisory or a CVE
- He stated on his blog (deadeclipse666) that if Microsoft is going to do silent patches, he will release without advance notice too
- A “big surprise” is teased for June Patch Tuesday
A vendor closing a reported vulnerability without a CVE assignment is not rare, but quietly closing it when an external reporter is named on the report leaves the reporter unable to tell whether their submission was acknowledged or whether they were edited out of the credit line. That frustration is now leaving as a chain of public zero-days.
This is a different layer from the technical content of any single vulnerability. It’s a case study of what happens when the Coordinated Vulnerability Disclosure (CVD) workflow breaks down in public.
What defenders can do right now
Working from the assumption that no patch is coming this cycle, the realistic moves:
| Area | Concrete action |
|---|---|
| WinRE access control | Re-review recovery environment policy on managed PCs, including reagentc /disable. Check whether an extra auth step can gate reaching recovery mode at all |
| Move BitLocker to TPM+PIN | TPM-only and “boot without keyboard interaction” setups are exactly the target. If you want to defend devices that were suspended/locked when lost, make PIN mandatory |
| Re-check physical security | Lockers, bags in transit, repair vendor handling. Replace the assumption “BitLocker crypto protects this” with “a powered-off laptop opens with one USB stick” |
| Detection side | Check whether EDR catches the cmd.exe surface after WinRE start, the diff against X:\Windows\System32\winpeshl.ini, and unusual writes to object directories CTFMON touches |
| Patch Tuesday watch | At June Patch Tuesday (planned 2026-06-09), watch how YellowKey / GreenPlasma / the teased “big surprise” are handled — CVE assigned, silent patch, or further disclosure from Chaotic Eclipse |
The unhealthy part of this story is not BitLocker itself, but that an upset researcher can push a chain of zero-days out into the open. How Microsoft handles incoming reports is what I keep coming back to here.