BitLocker zero-day exposes Windows drives as PoC goes public

Vlad CONSTANTINESCU
Public exploit code raises fresh concerns over Windows disk encryption and local privilege escalation.

YellowKey targets Windows recovery

A researcher has released proof-of-concept (PoC) exploit code for two unpatched Windows flaws, including a BitLocker bypass that can expose encrypted drives on affected systems.

The BitLocker issue, named YellowKey, was published by a researcher using the monikers Chaotic Eclipse and Nightmare Eclipse. It affects Windows 11 and Windows Server 2022/2025 and relies on Windows Recovery Environment, the mode used to troubleshoot boot problems.

Public reports say the PoC uses crafted FsTx files on removable media, then abuses recovery boot behavior to open a command shell while the protected disk remains accessible. Researchers who have tested the technique confirm it works on recent Windows 11 builds, although not every variant has been reproduced.

Why TPM-only BitLocker is exposed

The risk is most immediate for devices using TPM-only BitLocker, a common setup that automatically unlocks the operating system drive during startup. That convenience makes recovery-time abuse dangerous: the device can decrypt itself before a user proves identity.

Microsoft’s BitLocker guidance says startup PINs and other protectors can add pre-boot authentication for higher-risk devices. However, the researcher claims a separate TPM+PIN path exists that has not been fully disclosed, leaving defenders with an incomplete technical picture.

GreenPlasma raises privilege concerns

The second issue, GreenPlasma, is described as a Windows CTFMON privilege-escalation flaw. Its PoC is not complete, but reportedly shows how an unprivileged user could create arbitrary memory-section objects in locations trusted by privileged components.

This complicates matters because local privilege escalation often turns an initial foothold into machine compromise. Even an unfinished PoC can give attackers enough information to build a working exploit chain, particularly when paired with other access vectors.

Microsoft urges coordinated disclosure

Microsoft said it investigates reported security issues and supports coordinated vulnerability disclosure, which gives vendors time to validate and fix bugs before public release. No patch or CVE for YellowKey or GreenPlasma was available at the time of publication.

Administrators should review BitLocker policy, prioritize physical security, restrict recovery access, monitor suspicious WinRE use and consider stronger pre-boot protection on laptops and systems holding sensitive data.
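As an added example (not part of the article), the following PowerShell audit script gives administrators a quick way to act on the advice above: it lists the BitLocker protector types on each volume, flags operating-system volumes that still rely on a bare TPM protector (the auto-unlock configuration the article describes as most exposed), and reports whether the Windows Recovery Environment is enabled. It assumes an elevated prompt on a machine with the built-in BitLocker module and reagentc.exe; the protector-type names and the `reagentc /info` output line it parses are standard Windows values.

```powershell
# Added audit script, not from the article or from Microsoft.
# Run from an elevated PowerShell prompt on the machine being audited.

function Get-BitLockerProtectorReport {
    # One row per BitLocker volume with its protector types.
    # A bare 'Tpm' protector on the OS volume means the drive unlocks at boot
    # with no pre-boot authentication; a PIN-backed setup shows as 'TpmPin'
    # (or 'TpmPinStartupKey'), which is the stronger configuration.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $tpmOnly = ($_.VolumeType -eq 'OperatingSystem') -and ($types -contains 'Tpm')
        [pscustomobject]@{
            MountPoint        = $_.MountPoint
            VolumeType        = $_.VolumeType
            ProtectionStatus  = $_.ProtectionStatus
            Protectors        = ($types -join ',')
            TpmOnlyAutoUnlock = $tpmOnly
        }
    }
}

function Get-WinReStatus {
    # reagentc /info prints a "Windows RE status: Enabled|Disabled" line; return that word.
    $lines = & reagentc.exe /info 2>&1
    $line  = $lines | Where-Object { $_ -match 'Windows RE status' } | Select-Object -First 1
    if ($line -and $line -match ':\s*(\w+)') { return $Matches[1] }
    return 'Unknown'
}

$report = Get-BitLockerProtectorReport
$report | Format-Table -AutoSize

$exposed = @($report | Where-Object { $_.TpmOnlyAutoUnlock })
if ($exposed.Count -gt 0) {
    # Adding a TPM+PIN protector replaces the bare TPM protector with pre-boot auth:
    #   Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)
    Write-Warning ("{0} OS volume(s) auto-unlock with a TPM-only protector; " +
                   "consider a TPM+PIN protector on devices holding sensitive data." -f $exposed.Count)
}

Write-Host ("Windows RE status: {0}" -f (Get-WinReStatus))
```

Review the WinRE line together with your recovery-access policy: an enabled recovery environment on a TPM-only device is the combination the article highlights, so those machines are the ones to prioritize for pre-boot authentication.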

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
