
YellowKey & GreenPlasma: Two Windows Zero-Days With No Patch

YellowKey (CVE-2026-45585) and GreenPlasma — two unpatched Windows zero-days dropped in May 2026

A rogue researcher dropped two more unpatched Windows zero-days on May 13 — the day after Patch Tuesday, by design. YellowKey bypasses BitLocker with nothing more than a USB stick. GreenPlasma escalates any local account to SYSTEM through the CTFMON framework. One has a workaround. The other has nothing. And the researcher says more are coming in June.

YellowKey: Your BitLocker Isn’t as Locked as You Think

YellowKey (CVE-2026-45585, CVSS 6.8) is a BitLocker security feature bypass requiring physical access to the device and a USB stick. No recovery key. No password. No expensive hardware required.

The attack targets the Windows Recovery Environment (WinRE). A specially crafted System Volume Information\FsTx folder is placed on a USB drive — or directly on the device’s EFI partition. The attacker reboots into WinRE, holds Ctrl during recovery, and instead of a locked recovery menu, gets a cmd.exe shell with the BitLocker-protected volume already mounted and readable.

The root cause is autofstx.exe, an FsTx Auto Recovery Utility that WinRE launches automatically through the BootExecute registry value. BootExecute (under Control\Session Manager in the SYSTEM hive) lists native programs that the Session Manager runs before anything else in the session starts; autochk is the usual entry. YellowKey abuses a trust assumption in that recovery path: by the time autofstx.exe runs in a TPM-only configuration the volume key has already been released, and the crafted FsTx folder hijacks the utility's execution and drops a shell on the unlocked volume.

Here is the part that matters: this works against BitLocker in TPM-only mode, which is the default on virtually every Windows 11 machine shipped in the last two years. If your laptop uses BitLocker and you have never set a pre-boot PIN, you are running the vulnerable configuration right now.

Microsoft published an official mitigation on May 21, a workaround rather than a patch. It requires mounting the WinRE image, loading its SYSTEM registry hive, removing the autofstx.exe entry from the BootExecute REG_MULTI_SZ value, and committing the image. The simpler fix is to switch the OS drive to TPM+PIN. With a pre-boot PIN the TPM does not release the volume key until the PIN is entered, so WinRE never has an unlocked volume to hand to the shell; the change can be made through Group Policy or PowerShell in minutes.
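The workaround described above, as an added PowerShell example that is neither Microsoft's published procedure text nor the researcher's code. It follows the steps the article lists (mount the WinRE image, load its SYSTEM hive, strip the autofstx.exe entry from BootExecute, commit) using reagentc and the built-in reg tool. The mount directory and temporary hive name are assumptions, and it reads the hive's Select\Current value rather than assuming ControlSet001.

```powershell
# Added example: remove autofstx.exe from the WinRE BootExecute list.
# Not Microsoft's published procedure text; it follows the steps the article
# describes. Run from an elevated PowerShell prompt. Assumptions: a WinRE image
# is registered (check with: reagentc /info), and the entry to strip is the
# autofstx.exe value the article names. $mount and $hiveName are arbitrary.
$ErrorActionPreference = 'Stop'
$mount    = 'C:\WinRE_Mount'
$hiveName = 'WinRE_SYSTEM'                 # temporary key name under HKLM

New-Item -ItemType Directory -Path $mount -Force | Out-Null

# 1. Mount the registered WinRE image read/write.
reagentc /mountre /path $mount
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed with exit code $LASTEXITCODE" }

$committed = $false
try {
    # 2. Load the image's SYSTEM hive under a temporary key.
    reg load "HKLM\$hiveName" "$mount\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

    # An offline hive has no CurrentControlSet; Select\Current says which
    # ControlSetNNN is the active one (usually 001).
    $current = (Get-ItemProperty -Path "HKLM:\$hiveName\Select").Current
    $sm = 'HKLM:\{0}\ControlSet{1:D3}\Control\Session Manager' -f $hiveName, $current

    # 3. Read BootExecute (REG_MULTI_SZ) and drop every autofstx.exe entry.
    $before = @((Get-ItemProperty -Path $sm).BootExecute)
    $after  = @($before | Where-Object { $_ -notmatch '(?i)autofstx\.exe' })

    if ($after.Count -eq $before.Count) {
        Write-Host "No autofstx.exe entry in BootExecute; image left unchanged."
    } else {
        Set-ItemProperty -Path $sm -Name BootExecute -Value $after -Type MultiString
        Write-Host ("BootExecute before: {0}" -f ($before -join ' | '))
        Write-Host ("BootExecute after:  {0}" -f ($after  -join ' | '))
    }
    $committed = $true
}
finally {
    # 4. Drop PowerShell's handles so the hive unloads, then commit or discard.
    [gc]::Collect()
    reg unload "HKLM\$hiveName" | Out-Null
    if ($committed) { reagentc /unmountre /path $mount /commit } else { reagentc /unmountre /path $mount /discard }
}
```

Run reagentc /info first to confirm a WinRE image is registered and enabled, and repeat the check after anything that services winre.wim, since an updated image can bring the entry back.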

Affected systems: Windows 11 (24H2, 25H2, 26H1), Windows Server 2025 and Server 2025 Core. Windows 10 is not affected.

GreenPlasma: No CVE, No Patch, No Timeline

GreenPlasma is the more structurally dangerous of the two. It is a local privilege escalation to SYSTEM that exploits the CTFMON (Collaborative Translation Framework Monitor) framework. No CVE has been assigned. Microsoft has issued no response. No patch exists. No workaround has been published.

Technically, it works by combining two primitives: an Object Manager symlink placement on a CTF session object, and registry link abuse via the CloudFiles policy structure. The result is an attacker-controlled memory section that CTFMON interacts with as a trusted entity — granting SYSTEM-level access from an unprivileged local account. The researcher withheld the full exploit chain, but security firms including Mandiant and Bridewell have confirmed that threat groups are already updating automated scanning tools to identify vulnerable systems.

Affected: Windows 11, Windows Server 2022, Windows Server 2026.

One Researcher, Six Exploits, Six Weeks

YellowKey and GreenPlasma are the fourth and fifth releases in an ongoing campaign by a researcher operating under the aliases Nightmare-Eclipse and Chaotic Eclipse. Since early April 2026, they have publicly released six Windows zero-days: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. Microsoft has patched exactly one: BlueHammer (CVE-2026-33825).

Every release drops the day after Patch Tuesday. That is not a coincidence — it maximizes the gap before Microsoft can respond through its normal monthly cycle.

The researcher’s motivation is personal. In a public post, they wrote: “I was told personally by them that they will ruin my life and they did.” They claim Microsoft violated an agreement and that this campaign is retaliation. They are rumored to be a former Microsoft employee. They have also claimed a dead man’s switch — additional exploits that release automatically under certain conditions — and have promised “a big surprise” for the June 2026 Patch Tuesday.

Earlier releases in the campaign were linked to active exploitation by infrastructure with Russia-geolocated source IPs within days of publication. YellowKey and GreenPlasma are considered likely to follow the same pattern.

What to Do Now

These are not theoretical vulnerabilities. Here is the prioritized action list:

  • Switch BitLocker to TPM+PIN mode immediately. This is the highest-impact single action for YellowKey. Enable the policy first via Group Policy: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup, with "Configure TPM startup PIN" set to "Require startup PIN with TPM". Then run manage-bde -protectors -add C: -TPMAndPIN from an elevated prompt; it prompts for the PIN and replaces the existing TPM-only protector. Without the policy step manage-bde refuses to add the protector. Confirm with manage-bde -protectors -get C: that the only TPM-based protector left is TPM And PIN, and make sure the recovery password is backed up before you reboot.
  • Apply the WinRE BootExecute registry workaround if switching to TPM+PIN is not immediately feasible for your fleet. Microsoft’s full steps are in the CVE-2026-45585 advisory.
  • Disable USB boot in BIOS/UEFI and set a firmware administrator password on managed and developer machines. This removes the simplest delivery vector for YellowKey, but not the variant that stages the FsTx folder on the device's own EFI system partition, which BitLocker does not encrypt; TPM+PIN covers both.
  • For GreenPlasma: Minimize local account privileges on Windows endpoints. Implement application allow-listing where possible. Monitor for anomalous CTFMON behavior. No direct mitigation exists yet — follow the June Patch Tuesday cycle.
  • Watch June 2026 Patch Tuesday. The researcher explicitly named it as a target. Whether Microsoft patches GreenPlasma before then is unknown.
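The TPM+PIN switch from the first item above, as an added PowerShell example rather than code from the article. It writes the same registry values that the Group Policy setting writes (under HKLM\SOFTWARE\Policies\Microsoft\FVE), refuses to proceed if the volume has no recovery password protector, adds the protector with the BitLocker module instead of manage-bde, and verifies that no TPM-only protector remains. The drive letter and the requirement that no domain policy override the local values are assumptions.

```powershell
# Added example: move the OS drive from TPM-only to TPM+PIN. Not code from the
# article; run from an elevated prompt on the machine itself. Assumptions: C: is
# the BitLocker-protected OS volume and no domain GPO overrides the local policy
# values written under HKLM\SOFTWARE\Policies\Microsoft\FVE.
$ErrorActionPreference = 'Stop'
$mount = 'C:'

# 1. Policy: the registry form of 'Require additional authentication at startup'
#    with the TPM startup PIN set to Required (0 = do not allow, 1 = require, 2 = allow).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # enable the policy
    EnableBDEWithNoTPM = 0   # no password-only fallback
    UseTPM             = 0   # TPM-only startup no longer allowed
    UseTPMPIN          = 1   # TPM + PIN required
    UseTPMKey          = 0   # no startup-key variants
    UseTPMKeyPIN       = 0
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# 2. Safety checks before touching startup protectors: the volume must be fully
#    encrypted and have a recovery password you can reach from another device,
#    because a mistyped PIN or a firmware change lands you in recovery.
$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "$mount is $($vol.VolumeStatus); finish encryption first"
}
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    throw "No recovery password protector on $mount; add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and back it up first"
}

# 3. Prompt for the PIN (never hard-code it) and add the TPM+PIN protector.
$pin = Read-Host -AsSecureString -Prompt 'New pre-boot PIN (at least 6 digits)'
Add-BitLockerKeyProtector -MountPoint $mount -TpmAndPinProtector -Pin $pin | Out-Null

# 4. Verify: no plain Tpm protector may remain, or the TPM keeps releasing the
#    volume key without a PIN and YellowKey's precondition is unchanged.
$protectors = (Get-BitLockerVolume -MountPoint $mount).KeyProtector
foreach ($p in @($protectors | Where-Object KeyProtectorType -eq 'Tpm')) {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}
$types = @((Get-BitLockerVolume -MountPoint $mount).KeyProtector.KeyProtectorType | Sort-Object -Unique)
Write-Host ("Protectors on {0}: {1}" -f $mount, ($types -join ', '))
if ($types -notcontains 'TpmPin') { throw 'TpmPin protector missing; do not reboot until this is fixed' }
```

Reboot once to confirm the PIN prompt appears before Windows loads. If the machine drops into BitLocker recovery instead, the recovery password checked in step 2 gets you back in, and the cause is usually a PIN problem or a boot-measurement change rather than the script.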

The combination of YellowKey and GreenPlasma is a complete attack chain against any Windows 11 machine running default BitLocker settings: physical access unlocks the drive; GreenPlasma handles privilege escalation once a foothold is established. TPM+PIN breaks the first link. Do that first.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
