thehackernews.com 5/14/2026, 10:20:43 AM

Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation

CyberSIXT Evidence Panel
CVE Intel
CISA KEV: Not in KEV
Patch: Patch Available

An anonymous security researcher has disclosed two new Windows zero-days: a BitLocker bypass named YellowKey and a privilege-escalation flaw in the Windows Collaborative Translation Framework (CTFMON) called GreenPlasma. YellowKey affects Windows 11 and Windows Server 2022/2025; it works by copying specially crafted FsTx files onto a USB drive or the EFI partition, then booting into WinRE and holding CTRL to trigger a shell, effectively leaving BitLocker protection bypassed.

The second vulnerability could let an unprivileged user create arbitrary memory section objects in SYSTEM-writable directories, potentially giving access to privileged services or drivers; the PoC is incomplete, however, and does not yet yield a full SYSTEM shell.

The researcher behind these disclosures is known by the aliases Chaotic Eclipse and Nightmare-Eclipse and has previously published Defender zero-days such as BlueHammer, RedSun and UnDefend; Microsoft patched BlueHammer and, per reports, appears to have silently addressed RedSun.

A separate defence note from Intrinsec describes a BitLocker downgrade attack chain that exploits CVE-2025-48804 to bypass encryption on patched Windows 11 systems; it recommends enabling a BitLocker PIN at startup and updating the boot manager certificates as mitigations.
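The startup-PIN mitigation above can be rolled out and verified from an elevated PowerShell session. The script below is an added example written for this page; it is not code from The Hacker News, Intrinsec or Microsoft. It assumes the OS volume is C:, that BitLocker is already enabled with a recovery-password protector that has been backed up, and that the built-in BitLocker module is available. It sets the "Require additional authentication at startup" policy values under the FVE registry key so that TPM-only unlock is no longer permitted, replaces the TPM-only protector with a TPM+PIN protector, and then checks that the new protector is present. The boot manager certificate update the note also recommends is a separate Windows Update-driven step and is not covered here.

```powershell
# Added example (not from the article): enforce a TPM+PIN startup protector on the OS volume.
# Assumptions: OS volume is C:, BitLocker is already on with a backed-up RecoveryPassword
# protector, and this runs elevated with the BitLocker module present.

#Requires -RunAsAdministrator
#Requires -Modules BitLocker

$MountPoint = 'C:'   # assumption: OS volume letter

# 1. Policy first: BitLocker refuses a PIN protector unless startup authentication is allowed.
#    These values mirror the GPO "Require additional authentication at startup"
#    (0 = do not allow, 1 = require, 2 = allow).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord   # TPM-only: not allowed
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # TPM+PIN: required

# 2. Safety check: never touch protectors without a recovery password in place,
#    otherwise a failed PIN rollout locks the machine out.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No RecoveryPassword protector on $MountPoint; add and back one up before enforcing a PIN."
}

# 3. Replace TPM-only with TPM+PIN. A volume may carry only one TPM-based protector,
#    so the existing one is removed before the new one is added.
$tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
if ($tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpmOnly.KeyProtectorId | Out-Null
}
$pin = Read-Host -Prompt 'Enter startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# 4. Verify: the volume should now list a TpmPin protector.
function Test-TpmPinProtector {
    param([string]$Volume = $MountPoint)
    $types = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector.KeyProtectorType
    return ($types -contains 'TpmPin')
}
if (-not (Test-TpmPinProtector)) { throw "TPM+PIN protector not present on $MountPoint" }
Write-Output "TPM+PIN startup authentication enforced on $MountPoint; the PIN is required at next boot."
```

The policy step comes before the protector change on purpose: Add-BitLockerKeyProtector -TpmAndPinProtector fails when the FVE policy still forbids startup PINs, and leaving UseTPM at "allow" would let an administrator quietly fall back to TPM-only unlock later. In a fleet, the same FVE values would normally be delivered by Group Policy or MDM and the PIN set by the user through the BitLocker control panel rather than by an interactive Read-Host prompt.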


Article by CyberSIXT
