Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
Key Points:
- An anonymous researcher known as Chaotic Eclipse has disclosed two new zero-day vulnerabilities in Windows: YellowKey, a BitLocker bypass in the Windows Recovery Environment (WinRE), and GreenPlasma, a privilege escalation flaw in the Windows Collaborative Translation Framework (CTFMON).
- YellowKey affects Windows 11 and Windows Server 2022/2025, allowing attackers to bypass BitLocker encryption by using specially crafted files on a USB drive and triggering a shell in WinRE, with the exploit working even if TPM+PIN is enabled.
- The privilege escalation vulnerability, GreenPlasma, enables an unprivileged user to create arbitrary memory section objects in SYSTEM-writable directories, potentially allowing manipulation of privileged services, though the proof-of-concept is currently incomplete.
- These disclosures follow previous zero-days reported by the same researcher, including BlueHammer (patched as CVE-2026-33825) and RedSun, the latter reportedly fixed silently by Microsoft without advisory; the researcher has criticized Microsoft's vulnerability disclosure process.
- Separately, a French cybersecurity firm revealed a BitLocker downgrade attack exploiting CVE-2025-48804 that bypasses encryption by loading a modified boot manager; the attack requires physical access, and mitigation requires enabling a BitLocker PIN at startup and updating the boot manager certificates.
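The last point names a concrete mitigation an administrator can verify: whether the OS volume still unlocks with a TPM-only protector or already requires a startup PIN. The following PowerShell is an added example written for this summary, not code from the article or from either researcher. It uses the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector) and assumes an elevated session on a machine where those cmdlets are available; the function names Get-BitLockerPinAudit and Add-BitLockerStartupPin are this example's own. Note that the summary says the YellowKey WinRE bypass works even with TPM+PIN enabled, so this check addresses the CVE-2025-48804 downgrade mitigation specifically, not YellowKey.

```powershell
# Added example (not from the article): audit which BitLocker volumes lack a
# TPM+PIN protector, and optionally add one. Run elevated on a host with the
# BitLocker PowerShell module.

function Get-BitLockerPinAudit {
    [CmdletBinding()]
    param()

    # One object per BitLocker-capable volume (OS and fixed data drives).
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        # TpmPin and TpmPinKey both demand a PIN before the OS volume unlocks.
        $hasPin = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinKey' })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus  # On / Off
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ',')
            HasStartupPin    = $hasPin
            # TPM-only: the drive unlocks with no user input at boot.
            TpmOnly          = (($types -contains 'Tpm') -and -not $hasPin)
        }
    }
}

function Add-BitLockerStartupPin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MountPoint,      # e.g. 'C:'
        [Parameter(Mandatory)][securestring]$Pin
    )
    # The policy "Require additional authentication at startup" must permit a
    # TPM+PIN protector, otherwise Add-BitLockerKeyProtector fails.
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Add TPM+PIN key protector')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin
    }
}

# Usage: list OS volumes that still rely on TPM-only unlock.
Get-BitLockerPinAudit |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' -and -not $_.HasStartupPin } |
    Format-Table MountPoint, ProtectionStatus, Protectors, HasStartupPin -AutoSize

# To remediate one volume (prompts for the PIN; supports -WhatIf):
# Add-BitLockerStartupPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Adding a TPM+PIN protector does not remove an existing TPM-only protector; check the Protectors column afterwards and remove the TPM-only one with Remove-BitLockerKeyProtector once the PIN protector is confirmed working, keeping a recovery password escrowed beforehand.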