YellowKey and GreenPlasma: Windows zero-days, no patch yet

By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM
Published: May 18, 2026
Last updated: May 18, 2026
On May 12, 2026 — one day after Microsoft's May Patch Tuesday — a researcher using the alias Chaotic Eclipse published working proof-of-concept exploit code for two unpatched Windows zero-days. YellowKey bypasses BitLocker drive encryption on Windows 11 and Windows Server 2022/2025 with physical access and a USB stick. GreenPlasma escalates privileges to SYSTEM on Windows 11 and Windows Server 2022/2026 after a foothold. Neither has a CVE or a Microsoft fix. The next scheduled patch cycle is June 2026.
What did the researcher actually release on May 12?
On May 12, 2026 — the day after Microsoft's May Patch Tuesday — a researcher operating under the aliases Chaotic Eclipse and Nightmare-Eclipse published proof-of-concept exploit code on GitHub for two unpatched Windows zero-day vulnerabilities. The first, YellowKey, bypasses BitLocker drive encryption. The second, GreenPlasma, escalates privileges to SYSTEM on Windows 11 and Windows Server 2022/2026 systems.
Independent researchers, including Kevin Beaumont and Will Dormann, have reproduced the YellowKey exploit and confirmed it works against current Windows 11 builds, according to BleepingComputer and SecurityWeek. Microsoft told SecurityWeek it is "actively investigating the validity and potential applicability of these claims," but has not issued an out-of-band patch as of May 18, 2026. The next scheduled fix cycle is June 2026.
This is the third consecutive month the same researcher has dropped zero-day exploits the day after Patch Tuesday. Earlier 2026 disclosures from Chaotic Eclipse — BlueHammer (CVE-2026-33825), RedSun, and UnDefend — also went public without a Microsoft fix in hand. Huntress reported that threat actors began exploiting BlueHammer on April 10, 2026, four days before Microsoft's patch rolled out, according to SecurityWeek. The release-then-exploit pattern is no longer hypothetical.
How does the YellowKey BitLocker bypass work?
YellowKey exploits a flaw in the Windows Recovery Environment (WinRE) to bypass BitLocker drive encryption on a target system. The attack flow, as published by Chaotic Eclipse and reproduced by independent researchers, is straightforward in the worst possible way. An attacker places specially crafted "FsTx" files on a USB drive or EFI partition, plugs the USB drive into a target Windows 11 computer with BitLocker protections turned on, reboots into WinRE, and triggers a shell by holding the CTRL key during boot.
The resulting cmd.exe shell provides unrestricted access to the BitLocker-protected volume — no recovery key required, no user credentials, no TPM PIN in the default scenario. Will Dormann, who reproduced the exploit, observed on Mastodon that "Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE," which he described as a separate vulnerability worth investigating in its own right.
The critical constraint is physical access. YellowKey cannot be exploited remotely at scale. That changes the threat model from "everyone, immediately" to "anyone whose physical devices may leave the office" — which in practice means anyone running a laptop fleet, anyone whose staff travel, and anyone in healthcare, finance, or government where stolen laptops have a documented history of triggering breach notifications. Chaotic Eclipse also claimed YellowKey works on devices protected with TPM and a pre-boot PIN, but did not publish a proof-of-concept for that variant, according to BleepingComputer.
How does the GreenPlasma privilege escalation work?
GreenPlasma is a Windows privilege escalation vulnerability that targets CTFMON (ctfmon.exe), a trusted Windows process that runs as SYSTEM in every interactive user session and handles text input services. Chaotic Eclipse describes it formally as a "Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability," according to SecurityWeek's coverage.
The exploit allows an unprivileged user to create arbitrary memory-section objects inside directory objects that only SYSTEM should be able to write to. Once an attacker controls a memory section that the operating system fully trusts, the path opens to manipulating kernel-mode drivers, injecting shellcode, or planting malicious DLLs that privileged services will load. The end state is a SYSTEM-level shell on the target machine.
The proof-of-concept Chaotic Eclipse released is deliberately incomplete. The researcher framed the public version as a "capture-the-flag challenge" and removed the final component needed to spawn a full SYSTEM shell, according to Cybernews. That is cold comfort. Privilege escalation is rarely the initial intrusion vector — it is what attackers reach for after they already have a foothold. With public proof-of-concept code as a starting point and SYSTEM-level access as the payoff, the gap between "incomplete PoC" and "weaponized exploit in commodity malware" is days, not months.
Which Windows versions are at risk?
YellowKey affects Windows 11 and Windows Server 2022/2025. Windows 10 is not affected, according to Chaotic Eclipse's published research and SecurityAffairs reporting. GreenPlasma affects Windows 11 and Windows Server 2022/2026, per ThreatLocker's technical writeup.
The Windows 10 carve-out for YellowKey is the most operationally interesting detail. Chaotic Eclipse has speculated publicly that the WinRE component responsible for the bypass appears to exist only in Windows 11 and the corresponding Server versions, calling it suspicious enough to raise "backdoor" speculation. That speculation is not confirmed and Microsoft has not addressed it. What is confirmed is that the most modern, most-deployed business Windows versions are the ones at risk.
For organizations running fleet mixes — typical for mid-market businesses with multi-year hardware refresh cycles — the practical implication is that Windows 11 endpoints and Server 2022/2025 hosts need a different mitigation plan than legacy Windows 10 endpoints over the next four to six weeks. Knowing what runs where is the prerequisite to any of this. Asset inventory accuracy is the unglamorous control that matters most when the next zero-day drops.
Why is this researcher dropping zero-days at Microsoft?
Chaotic Eclipse has stated publicly that the timing of these releases — always the day after Patch Tuesday — is retaliation against Microsoft for what the researcher describes as poor handling of prior coordinated disclosure attempts. In commentary posted alongside the GreenPlasma proof-of-concept, the researcher wrote: "I hope you at least attempt to resolve the situation responsibly, I'm not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer. The fire will go as long as you want, unless you extinguish it or until there [is] nothing left to burn," according to The Hacker News.
Chaotic Eclipse has also promised a "big surprise" coinciding with Microsoft's June 2026 Patch Tuesday release. For security planners, that means assuming another unpatched Windows zero-day drops in mid-June and building the next four weeks accordingly. Hoping the researcher relents is not a security plan.
Whatever the merits of the dispute, the structural lesson for businesses is that Microsoft's monthly patch cadence now operates inside an adversarial timeline. Coordinated disclosure assumed a vendor and a researcher cooperating in good faith. Public-PoC-on-Patch-Tuesday-plus-one is a different model. Organizations need to plan as if the next critical Windows vulnerability will be public before the patch ships, because that is exactly what has happened three months running.
What businesses should do before the June patch cycle
Microsoft has not committed to an out-of-band patch for YellowKey or GreenPlasma as of May 18, 2026. The June Patch Tuesday is the next confirmed window. Until then, the following actions reduce exposure for most mid-market businesses without requiring extraordinary effort.
For YellowKey: enable a BitLocker pre-boot PIN on every Windows 11 laptop. Kevin Beaumont has recommended a BitLocker PIN plus a BIOS password as the practical mitigation. While Chaotic Eclipse claims the TPM-plus-PIN variant is also exploitable, no proof-of-concept exists for it publicly, and the published exploit does not bypass a PIN. The bar moves from "any stolen laptop" to "a stolen laptop where the attacker also has the PIN or finds the WinRE-bypass variant."
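One way to find the laptops that still unlock with the TPM alone and move them to TPM plus PIN, as an added PowerShell example (not code from the article or from the researcher's release; it assumes the built-in BitLocker module, the standard FVE policy registry values, an elevated session, and that policy does not forbid TPM+PIN protectors):

```powershell
# Added example: audit BitLocker OS volumes, flag TPM-only unlock (the setup the
# published YellowKey PoC targets), then add a TPM+PIN protector where missing.
# Run locally, or through Invoke-Command to cover a fleet.

function Get-BitLockerPinStatus {
    # Group Policy "Require additional authentication at startup" is stored here;
    # UseAdvancedStartup=1 with UseTPMPIN=1 means a startup PIN is required.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $pinRequired = ($fve.UseAdvancedStartup -eq 1) -and ($fve.UseTPMPIN -eq 1)

    Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | ForEach-Object {
        $types   = @($_.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin
        [pscustomobject]@{
            ComputerName        = $env:COMPUTERNAME
            MountPoint          = $_.MountPoint
            ProtectionStatus    = "$($_.ProtectionStatus)"
            Protectors          = ($types -join ',')
            PreBootPin          = $hasPin
            PinRequiredByPolicy = $pinRequired
            # Exposed: encryption is on, but unlock needs nothing beyond the TPM.
            Exposed             = ("$($_.ProtectionStatus)" -eq 'On') -and $tpmOnly
        }
    }
}

function Enable-BitLockerStartupPin {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin   # chosen by the user at the keyboard
    )
    # Escrow the recovery password first so a forgotten PIN does not become a lockout
    # (Backup-BitLockerKeyProtector to AD/Entra is the usual route; not shown here).
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # A leftover TPM-only protector would still permit PIN-less unlock; remove it.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' } |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId }
}

# Usage: report first, then remediate only the exposed volumes.
$report = Get-BitLockerPinStatus
$report | Format-Table -AutoSize
foreach ($row in $report | Where-Object Exposed) {
    $pin = Read-Host -AsSecureString -Prompt "Startup PIN for $($row.MountPoint)"
    Enable-BitLockerStartupPin -MountPoint $row.MountPoint -Pin $pin
}
```

Pair the script with a BIOS/UEFI password and boot-order lock, as Beaumont recommends; the PIN alone does not stop someone from booting other media.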
Treat every off-premises Windows 11 laptop as exposed for the next four to six weeks. Update laptop loss and theft procedures to require immediate password resets, session revocation, and conditional access checks for any accounts the user accessed from the device. Assume BitLocker is not a barrier in the worst-case scenario.
For GreenPlasma: tighten application allowlisting and endpoint detection. Privilege escalation only matters if an attacker already runs code on the endpoint. A default-deny allowlist on Windows 11 and Server 2022/2026 systems makes the foothold itself harder. Endpoint detection rules looking for unusual memory-section creation in SYSTEM-writable directories will not stop the exploit, but they will surface it for response teams to act on.
Pull the May Patch Tuesday deployment status for Windows 11 and Server 2022/2026 hosts. The May rollup addressed 137 unrelated CVEs, according to multiple reports. A surprising share of mid-market fleets are still behind on May patches three weeks into the cycle. Catch up first; that closes the much larger known attack surface while the YellowKey and GreenPlasma situations remain unpatched.
Confirm the incident response retainer covers physical-access and privilege-escalation scenarios. Many retainers default to remote intrusion playbooks. A laptop-theft incident that turns into a BitLocker bypass case looks different. Purple Shield Security's incident response services, risk assessment, and Fractional CISO work cover precisely this kind of scenario for small, mid-market and regulated businesses — and the time to clarify scope is before the call goes out at 2 a.m.
Frequently asked questions
Has Microsoft confirmed the YellowKey and GreenPlasma flaws?
Microsoft has not formally confirmed either vulnerability as of May 18, 2026. A Microsoft spokesperson told SecurityWeek that the company "is aware of the purported vulnerabilities and is actively investigating the validity and potential applicability of these claims across our platforms and services." Neither YellowKey nor GreenPlasma has a CVE identifier assigned. Multiple independent researchers, including Kevin Beaumont and Will Dormann, have reproduced YellowKey on current Windows 11 builds.
Is YellowKey actually a Microsoft backdoor?
Chaotic Eclipse has called YellowKey a "backdoor" on the basis that the vulnerable component appears only in the Windows Recovery Environment image and not in regular Windows installations. That language is the researcher's interpretation, not a confirmed finding. Microsoft has not addressed the backdoor claim. The technical behavior — physical-access BitLocker bypass via WinRE on Windows 11 and Server 2022/2025 — is verified. The intent behind it is not. Treat it as an unpatched vulnerability and stop there.
Does TPM + PIN protect against YellowKey?
The publicly released YellowKey exploit does not work against systems protected by TPM plus a pre-boot PIN. Chaotic Eclipse has claimed the TPM-plus-PIN variant is exploitable but has not released proof-of-concept code for it. As a practical mitigation, enabling a BitLocker pre-boot PIN materially raises the bar for the published attack and is the recommendation from researcher Kevin Beaumont. Organizations should not assume TPM + PIN is permanently safe but should treat it as the best available mitigation until Microsoft patches the flaw.
Should we disable BitLocker until a patch ships?
No. Disabling BitLocker creates a worse outcome than leaving it enabled. BitLocker protects against the overwhelming majority of laptop-theft scenarios — opportunistic theft, lost-device events, secondary-market resale of stolen drives. YellowKey requires a targeted attacker with physical access and the specific exploit. Removing encryption to mitigate one zero-day exposes every device to every other physical-access scenario. The correct response is to add a pre-boot PIN, tighten laptop handling procedures, and wait for the patch.
Will GreenPlasma be exploited even without the missing exploit piece?
Almost certainly yes, on a timeline of days to weeks. The publicly released GreenPlasma proof-of-concept is intentionally incomplete, but the architectural primitive — arbitrary memory section creation in a SYSTEM-writable directory — is fully demonstrated. Sophisticated attackers will treat the missing piece as a development task, not a barrier. Chaotic Eclipse's prior disclosures (BlueHammer) saw active exploitation within four days of public proof-of-concept release. The realistic planning assumption is that weaponized GreenPlasma variants will appear in commodity malware before Microsoft's June Patch Tuesday.
Two unpatched Windows zero-days with public exploit code, four weeks until the next scheduled patch cycle, and a researcher who has promised another disclosure at the June Patch Tuesday is not a routine month for endpoint security teams. Most mid-market businesses do not need a new tool to handle this. They need a current asset inventory, an enforced pre-boot PIN policy, a tested incident response runbook, and someone who has done the playbook before. Purple Shield Security's risk assessment services, incident response support, and vCISO services are built for exactly this kind of compressed-timeline scenario.