A security researcher using the handle Chaotic Eclipse has published proof-of-concept exploits for two unpatched Windows vulnerabilities, dubbed YellowKey and GreenPlasma, affecting Windows 11 and Windows Server 2022 and 2025. YellowKey is a BitLocker bypass that abuses a component of the Windows Recovery Environment (WinRE): an attacker with physical access can spawn a command shell with unrestricted access to the encrypted system drive without supplying any credentials. The exploit involves placing crafted FsTx (NTFS transaction) files on a USB drive or on the EFI partition, rebooting into WinRE, and holding the CTRL key to trigger the shell.
Independent researcher Kevin Beaumont confirmed that the exploit works and recommended a BitLocker pre-boot PIN combined with a BIOS/firmware password as mitigation. Will Dormann of Tharros Labs explained that YellowKey combines NTFS transactions with the Windows Recovery boot path to cause the winpeshl.ini file to be deleted; winpeshl.ini tells the WinPE shell launcher which recovery application to start, and when it is missing the launcher falls back to a plain command prompt instead of the recovery environment. The current exploit only works against TPM-only configurations, where the TPM releases the volume key automatically at boot; it does not affect TPM-plus-PIN setups, nor drives that have been removed from the machine whose TPM sealed the key.
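Because the reported bypass hinges on the TPM-only protector, the first thing an administrator will want is an inventory of which operating-system volumes still rely on it. The following PowerShell is an added example, not code from the report or from the researchers named above; it uses only the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector) and must be run from an elevated prompt. The function name Get-TpmOnlyBitLockerVolume is this example's own.

```powershell
# Added example (not from the original report). Lists BitLocker OS volumes and flags
# those protected by a bare TPM protector with no PIN or startup key, which is the
# configuration the report says YellowKey affects. Requires an elevated PowerShell.

function Get-TpmOnlyBitLockerVolume {
    [CmdletBinding()]
    param()

    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            # KeyProtectorType values of interest: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey
            $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })

            # "TPM-only" means a Tpm protector is present and no TPM+PIN / TPM+key variant is.
            $tpmOnly = ($types -contains 'Tpm') -and
                       -not ($types -contains 'TpmPin') -and
                       -not ($types -contains 'TpmStartupKey') -and
                       -not ($types -contains 'TpmPinStartupKey')

            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus   # On / Off (Off = key exposed in clear)
                KeyProtectors    = ($types -join ',')
                TpmOnly          = $tpmOnly
            }
        }
}

$report = Get-TpmOnlyBitLockerVolume
$report | Format-Table -AutoSize

foreach ($v in ($report | Where-Object TpmOnly)) {
    Write-Warning "$($v.MountPoint) uses a TPM-only protector; add a pre-boot PIN and set a firmware password."

    # Remediation (interactive; uncomment to apply). Group Policy
    # "Require additional authentication at startup" must permit TPM+PIN, or the cmdlet errors out.
    # $pin = Read-Host -AsSecureString -Prompt "New BitLocker PIN for $($v.MountPoint)"
    # Add-BitLockerKeyProtector -MountPoint $v.MountPoint -TpmAndPinProtector -Pin $pin
}
```

After remediating, re-run the function and confirm that the volume now reports a TpmPin protector and that no standalone Tpm protector remains (remove one with Remove-BitLockerKeyProtector -KeyProtectorId if it does). The script checks BitLocker only; the firmware password Beaumont also recommends has to be set in the machine's UEFI setup, which is what stops an attacker from simply booting the recovery environment from USB.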
The GreenPlasma privilege-escalation vulnerability allows an unprivileged user to create arbitrary memory-section objects inside object-manager directories that are writable by SYSTEM, which could be used to tamper with privileged services or kernel-mode drivers that later open objects from those directories. The released PoC is incomplete, but a skilled attacker could develop it into a full SYSTEM shell. The researcher claims Microsoft silently patched an earlier disclosure, called RedSun, without assigning it an identifier, and promises a "big surprise" for the next Patch Tuesday. Microsoft stated that it remains committed to investigating reported security issues and updating impacted devices as soon as possible. The disclosures follow the researcher's stated dissatisfaction with Microsoft's handling of bug reports.
