Researcher Drops Two Unpatched Windows Zero-Day Exploits, "YellowKey" & "GreenPlasma"

Researcher Drops Two Windows Zero-Days, 'YellowKey' and 'GreenPlasma,' Exposing BitLocker and Escalating Privileges

Severity: CRITICAL
Published: May 15, 2026
Updated: May 18, 2026
Categories: Vulnerability, Cyberattack

Related Entities (initial)

Organizations

Microsoft, Microsoft Security Response Center (MSRC)

Products & Tech

BitLocker, Windows 11, Windows Server 2022, Windows Server 2025

Other

Chaotic Eclipse, GreenPlasma, Nightmare Eclipse, YellowKey

Full Report (when first published)

Executive Summary

A security researcher using the alias Chaotic Eclipse has publicly disclosed two unpatched zero-day vulnerabilities in Microsoft Windows and released proof-of-concept (PoC) exploit code for both, describing the disclosure as a protest against the Microsoft Security Response Center (MSRC) bug-reporting process. The first, dubbed YellowKey, lets an attacker with physical access bypass BitLocker encryption on modern Windows versions. The second, GreenPlasma, is a local privilege escalation (LPE) flaw in the Windows Collaborative Translation Framework (the ctfmon.exe service). With working exploits public, no official patches available, and reports that the exploits are already being weaponized, Windows administrators face a critical exposure.


Vulnerability Details

YellowKey: BitLocker Encryption Bypass

  • Description: A critical vulnerability that allows an attacker with physical access to a device to bypass BitLocker full-disk encryption. It affects Windows 11, Windows Server 2022, and Windows Server 2025; a later update to this article notes that Windows 10 is not affected.
  • Attack Vector: The exploit goes through the Windows Recovery Environment (WinRE). The attacker places specially crafted FsTx files on a USB drive or on the system's EFI partition and reboots the machine into WinRE; the flaw then opens a command shell with the BitLocker-protected volume already unlocked, giving cleartext access to its contents.
  • Impact: Complete loss of data confidentiality on stolen or physically accessed devices, even those protected by BitLocker. The researcher claims it works even with TPM+PIN; this is disputed, and other researchers have only confirmed it on TPM-only systems. ATT&CK: T1553 - Subvert Trust Controls.

GreenPlasma: Local Privilege Escalation

  • Description: An LPE vulnerability in the Windows Collaborative Translation Framework service (ctfmon.exe, the CTF Loader).
  • Attack Vector: The PoC shows how a low-privileged user can create arbitrary memory-section objects and use them to manipulate privileged services that interact with the CTF service, ultimately executing code with SYSTEM-level privileges.
  • Impact: A local attacker, or malware that has already gained low-privileged access, can take full control of the host: disable security software, steal credentials, and deploy ransomware. ATT&CK: T1068 - Exploitation for Privilege Escalation.

Exploitation Status

Both vulnerabilities are considered zero-days with publicly available PoC exploit code. This significantly lowers the bar for other threat actors to adopt and weaponize them. Reports from security news outlets suggest that the exploits were already being integrated into active attack campaigns within 24 hours of their public release.


Impact Assessment

The public disclosure of unpatched, working exploits for critical vulnerabilities presents a severe risk to all organizations using modern Windows operating systems.

  • YellowKey undermines the trust in BitLocker, a foundational security feature for protecting data at rest. This is particularly dangerous for laptops and mobile devices that are at risk of being lost or stolen.
  • GreenPlasma provides a reliable pathway for attackers to escalate privileges. Most advanced cyberattacks rely on LPE to move from an initial foothold (e.g., a compromised user account) to full domain compromise.

The combination of these two flaws being available simultaneously creates a potent cocktail for attackers.


Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • For YellowKey:

    • Physical Security Logs: Any instance of unauthorized physical access to a server or laptop should be treated as a potential compromise.
    • Boot Logs: Monitor for unexpected reboots into the Windows Recovery Environment (WinRE). This is highly anomalous for server systems.
    • File System: Look for the presence of unusual FsTx files on EFI partitions or removable media connected to sensitive systems.
  • For GreenPlasma:

    • Process Monitoring: Monitor for anomalous behavior or unexpected child processes originating from the ctfmon.exe process.
    • Memory Analysis: Advanced memory forensics may be able to detect the creation of malicious memory-section objects, though this is difficult to perform at scale.

Detection Methods

  • EDR/Behavioral Analysis: Configure EDR to alert on suspicious process chains involving ctfmon.exe (it rarely spawns child processes, and never shells, in normal operation) and on low-privilege processes interacting with system-level services in unusual ways.
  • WinRE Monitoring: Watch for changes to the WinRE configuration file (ReAgent.xml under \Windows\System32\Recovery; reagentc.exe is the tool that edits it) and for logs indicating the system booted into recovery mode. Keep in mind that WinRE runs from its own recovery partition, so whatever happens inside it is not recorded in the installed OS's event logs; after the fact, the evidence is the reboot itself and any files left behind on the EFI partition or removable media.

Remediation Steps

As of this report, there are no official patches from Microsoft. The following are compensating controls:

  • For YellowKey:

    1. Physical Security: Enforce strict physical security controls for all sensitive systems, especially servers in data centers. This is the primary mitigation.
    2. BitLocker Pre-boot Authentication: The researcher claims TPM+PIN is not a full mitigation, but it still adds a significant barrier. Require a PIN or startup key for BitLocker on all endpoints, so that the TPM does not release the volume key at boot until the user authenticates. A TPM-only protector releases the key automatically during boot, and that is the configuration on which the bypass has been independently confirmed.
  • For GreenPlasma:

    1. Application Control: Use application allowlisting (e.g., AppLocker, WDAC) to prevent unprivileged users from running unauthorized code, which is the first step before an LPE exploit can be used.
    2. Principle of Least Privilege: Ensure users do not have local administrator rights. This won't stop the LPE exploit itself, but it limits the damage an attacker can do before attempting to escalate.
    3. Monitor for Updates: Be prepared to deploy Microsoft's security update for these vulnerabilities on an emergency basis as soon as it is released.

Timeline of Events

1. May 14, 2026: Researcher 'Chaotic Eclipse' publicly discloses the YellowKey and GreenPlasma vulnerabilities and their PoC exploits.
2. May 15, 2026: This article was published.

Article Updates

May 16, 2026

New context for YellowKey/GreenPlasma zero-days: released post-Patch Tuesday, affects Server 2026, and researcher's history of prior exploits.

The new article provides additional context regarding the YellowKey and GreenPlasma zero-day exploits. It highlights that the PoCs were released immediately after Microsoft's May Patch Tuesday, emphasizing the lack of official patches. The affected server versions for GreenPlasma are updated to include Windows Server 2026. Crucially, the article references the researcher's past disclosure of 'BlueHammer,' which was subsequently exploited, reinforcing the high likelihood of these new exploits being weaponized by threat actors.

May 17, 2026

New hunting hints and refined technical analysis for YellowKey and GreenPlasma zero-days, including clarification on TPM bypass for BitLocker.

This update adds more specific hunting hints for the GreenPlasma privilege escalation: monitor Windows Security Event ID 4673 (a privileged service was called) and cmd.exe or powershell.exe processes spawning with SYSTEM privileges, often preceded by whoami /priv. For YellowKey, the analysis clarifies that the BitLocker bypass is reported to work even when a Trusted Platform Module (TPM) is in use, undermining TPM-based key protection. Mitigation strategies are further detailed with references to D3FEND techniques such as Physical Security and Executable Allowlisting.
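The GreenPlasma hunting guidance on this page (the ctfmon.exe process-chain alerting under Detection Methods, and the Event ID 4673 and SYSTEM-shell indicators in this update) can be checked on a single host with the following PowerShell script. It is an added example, not code from the original article or from the researcher. It assumes that Audit Process Creation (Event ID 4688, with command-line logging) and Audit Sensitive Privilege Use (Event ID 4673) are enabled on the host; the allowlist of parents that legitimately start SYSTEM shells and the 4673 burst threshold are assumptions to tune per environment.

```powershell
# Added example (not from the original article): hunt the local Security log for the
# GreenPlasma post-exploitation patterns described above. Assumes 4688 (with command-line
# logging) and 4673 auditing are enabled. $BenignSystemParents and $PrivBurstThreshold
# are assumptions, not values from the article.
#Requires -RunAsAdministrator
param(
    [int]$Hours = 24,
    [int]$PrivBurstThreshold = 25   # assumed: 4673 events per (process, user) in the window
)

$SystemSid = 'S-1-5-18'
$Shells = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
$BenignSystemParents = @('services.exe', 'svchost.exe', 'wininit.exe', 'msiexec.exe', 'TrustedInstaller.exe')
$Since = (Get-Date).AddHours(-$Hours)

# Flatten the EventData <Data Name="..."> elements of a record into a hashtable.
function ConvertTo-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[[string]$d.Name] = [string]$d.'#text' }
    return $map
}

function Get-LeafName { param([string]$Path) if ($Path) { Split-Path -Leaf $Path } else { '' } }

# 4688: children of ctfmon.exe, SYSTEM shells from unexpected parents, and whoami /priv.
function Find-SuspiciousProcessCreation {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertTo-EventDataMap $e
        $parent = Get-LeafName $d['ParentProcessName']
        $child  = Get-LeafName $d['NewProcessName']
        $cmd    = $d['CommandLine']
        # Newer 4688 records carry the account the new process runs as in TargetUserSid; older ones only the creator.
        $runAs  = if ($d['TargetUserSid'] -and $d['TargetUserSid'] -ne 'S-1-0-0') { $d['TargetUserSid'] } else { $d['SubjectUserSid'] }

        $reasons = @()
        if ($parent -ieq 'ctfmon.exe') { $reasons += 'child of ctfmon.exe' }
        if (($Shells -contains $child) -and ($runAs -eq $SystemSid) -and ($BenignSystemParents -notcontains $parent)) {
            $reasons += 'SYSTEM shell from unexpected parent'
        }
        if ($cmd -match 'whoami(\.exe)?\s+/priv') { $reasons += 'privilege enumeration (whoami /priv)' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated; Reason = ($reasons -join '; ')
                Parent = $parent; Process = $child; RunAs = $runAs; CommandLine = $cmd
            }
        }
    }
}

# 4673: bursts of sensitive-privilege calls from one process/user pair, a side effect of
# exploit code exercising privileged services before it lands a SYSTEM token.
function Find-PrivilegeUseBursts {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673; StartTime = $Since } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $d = ConvertTo-EventDataMap $_
        [pscustomobject]@{ Time = $_.TimeCreated; Process = $d['ProcessName']; User = $d['SubjectUserSid']; Privilege = $d['PrivilegeList'] }
    } | Group-Object Process, User | Where-Object Count -ge $PrivBurstThreshold | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = ($_.Group | Sort-Object Time)[0].Time
            Reason      = "4673 burst: $($_.Count) sensitive-privilege calls"
            Parent      = ''
            Process     = $_.Group[0].Process
            RunAs       = $_.Group[0].User
            CommandLine = (($_.Group.Privilege | Sort-Object -Unique) -join ',')
        }
    }
}

$findings = @(Find-SuspiciousProcessCreation) + @(Find-PrivilegeUseBursts)
if ($findings.Count -eq 0) { Write-Host "No GreenPlasma-style findings in the last $Hours h." }
else { $findings | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap }
```

Run it elevated. Event 4673 is noisy by design (services call privileged APIs constantly), so the per-process threshold and the parent allowlist are the two knobs to tune before trusting the output; the high-confidence hit is a cmd.exe or powershell.exe running as SYSTEM whose parent is neither services.exe nor a service host, or any child of ctfmon.exe at all. Without command-line logging in 4688 the whoami /priv check cannot fire.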

May 18, 2026

New details for YellowKey BitLocker bypass confirm Windows 10 is unaffected, specify CTRL key trigger in WinRE, and add enhanced mitigations like BIOS/UEFI passwords.

Further analysis of the YellowKey BitLocker bypass reveals that Windows 10 is not affected, clarifying the scope of the vulnerability. The attack specifically involves holding the CTRL key during the Windows Recovery Environment (WinRE) boot process to trigger the flaw, as reproduced by researcher Will Dormann. There is also speculation regarding the possibility of an intentional backdoor. Additional mitigation strategies now include setting strong BIOS/UEFI passwords and considering file-level encryption for sensitive data, beyond just BitLocker with a PIN.
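The YellowKey host checks and mitigations spread across the hunting hints, Detection Methods, Remediation Steps and this update (TPM-only versus TPM+PIN protectors, the WinRE configuration file, FsTx files on the EFI system partition or removable media) can be audited on a single host with the following PowerShell script, and -EnforceTpmPin adds the pre-boot PIN protector the remediation calls for. This is an added example, not the article's or the researcher's code. It assumes the BitLocker and Storage PowerShell modules are present, that drive letter S: is free for mounting the EFI system partition, that the files involved match the name pattern *FsTx* (the article gives no exact names or extensions), and the baseline path for the ReAgent.xml hash is an assumed location.

```powershell
# Added example (not from the original article): audit a host for the YellowKey conditions
# described above and, with -EnforceTpmPin, require a startup PIN on the OS volume.
# Assumptions: BitLocker/Storage modules present, S: free for the ESP, '*FsTx*' as the
# file-name pattern, and $BaselineFile as an assumed path for the ReAgent.xml baseline hash.
#Requires -RunAsAdministrator
param(
    [switch]$EnforceTpmPin,
    [string]$EspLetter = 'S:',
    [string]$BaselineFile = "$env:ProgramData\YellowKeyAudit\reagent.sha256"
)

# Protector types that make the TPM withhold the volume key until the user authenticates.
$PreBootTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

function Get-OsVolumePosture {
    $vol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $vol) { return $null }
    $types   = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $preBoot = [bool]@($types | Where-Object { $_ -in $PreBootTypes })
    # FVE policy: UseAdvancedStartup=1 enables pre-boot auth settings, UseTPMPIN=1 requires a PIN.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        ProtectionStatus  = $vol.ProtectionStatus
        Protectors        = ($types -join ',')
        PreBootAuth       = $preBoot
        TpmOnly           = ($types -contains 'Tpm') -and -not $preBoot   # the confirmed-vulnerable configuration
        PolicyRequiresPin = ($pol.UseAdvancedStartup -eq 1 -and $pol.UseTPMPIN -eq 1)
    }
}

function Enable-TpmPinProtector {
    param([string]$MountPoint)
    $pin = Read-Host 'Enter a BitLocker startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    # Drop any TPM-only protector that remains, so the key cannot be released without the PIN.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
}

function Get-WinReState {
    $info = & reagentc.exe /info 2>&1 | Out-String
    $xml  = Join-Path $env:SystemRoot 'System32\Recovery\ReAgent.xml'
    $hash = if (Test-Path $xml) { (Get-FileHash -Algorithm SHA256 -Path $xml).Hash } else { $null }
    $base = if (Test-Path $BaselineFile) { (Get-Content $BaselineFile -Raw).Trim() } else { $null }
    [pscustomobject]@{
        WinReEnabled     = [bool]($info -match 'Windows RE status:\s+Enabled')
        ReAgentXmlSha256 = $hash
        Baseline         = if (-not $base) { 'NoBaseline' } elseif ($hash -eq $base) { 'Match' } else { 'CHANGED' }
    }
}

function Find-FsTxFiles {
    param([string[]]$Roots)
    foreach ($r in $Roots) {
        Get-ChildItem -Path $r -Recurse -Force -Filter '*FsTx*' -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Invoke-YellowKeyAudit {
    $os = Get-OsVolumePosture
    Write-Host '== BitLocker OS volume =='; $os | Format-List
    if ($EnforceTpmPin -and $os -and $os.TpmOnly) { Enable-TpmPinProtector -MountPoint $os.MountPoint }
    Write-Host '== WinRE =='; Get-WinReState | Format-List
    # mountvol /S mounts the EFI system partition (writable), so unmount it again in finally.
    & mountvol.exe $EspLetter /S | Out-Null
    $roots = @("$EspLetter\")
    $roots += @(Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):\" })
    try {
        Write-Host '== *FsTx* files on ESP and removable media =='
        Find-FsTxFiles -Roots $roots | Format-Table -AutoSize
    } finally { & mountvol.exe $EspLetter /D | Out-Null }
}

Invoke-YellowKeyAudit
```

A TpmOnly of True with WinReEnabled True is the configuration on which the bypass has been independently reproduced. If Group Policy sets UseTPMPIN to 0 (do not allow), Add-BitLockerKeyProtector fails, so fix the policy before running with -EnforceTpmPin. The BIOS/UEFI password and boot-order lock from this update cannot be set from inside the OS and remain a firmware-console task.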


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

BitLocker, Exploit, GreenPlasma, Microsoft, Privilege Escalation, Windows, YellowKey, Zero-Day
