Microsoft users and security researchers are closely watching two newly disclosed Windows zero-day vulnerabilities, dubbed YellowKey and GreenPlasma. Reports say the flaws affect Windows 11, Windows Server 2022 and Windows Server 2025. Both were published by a researcher known online as Chaotic Eclipse, also posting as Nightmare-Eclipse, who earlier this year disclosed several Microsoft Defender-related bugs.
The first vulnerability, YellowKey, involves BitLocker, the full-volume encryption built into Windows to protect drives and the data on them. Researchers say the flaw lies in the Windows Recovery Environment (WinRE), the recovery mode used to repair or troubleshoot a system when Windows cannot boot normally. The issue is drawing attention because businesses and home users alike rely on BitLocker to keep data on lost or stolen devices unreadable.
According to the reports, the exploit is staged by placing specially crafted files on a USB device or on the EFI system partition. After rebooting the target into recovery mode and triggering a particular recovery process, the attacker is said to obtain a command shell, and under specific conditions that shell can interact with a BitLocker-protected drive. In practical terms, an attacker with physical access to the machine may be able to bypass some of BitLocker's protections.
Security researcher Will Dormann reportedly reproduced the issue and confirmed unusual behavior involving Transactional NTFS (TxF) inside WinRE: the recovery process appears to let a file transaction modify files across different volumes while it runs. One major concern is that even a TPM+PIN protector, which requires a user secret before the OS volume unlocks, may not fully block the technique. Windows 10 has not been publicly listed among the affected versions so far.
The second vulnerability, GreenPlasma, is a local privilege escalation flaw in the Windows Collaborative Translation Framework (CTF), the component loaded by ctfmon.exe that handles text input and language features. Researchers say an attacker who already runs code as a low-privileged local user may be able to gain SYSTEM privileges, the highest local privilege level on Windows.
The publicly released proof-of-concept for GreenPlasma is reportedly incomplete on purpose: the researcher framed parts of it as a capture-the-flag challenge and withheld the final exploit steps. Even so, security experts consider the flaw dangerous, because privilege escalation bugs are routinely chained with an initial foothold (a phishing payload, a browser exploit, or a compromised low-privileged service) to take full control of a system.
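Neither report includes a patch or a confirmed mitigation, so what a practitioner can do today is establish where each machine stands on the surfaces the two bugs touch. The following read-only triage script is an added example, written for this article and not taken from the researcher's disclosure or from Microsoft; it inventories BitLocker protectors per volume, WinRE status, Secure Boot and TPM state, and the running ctfmon.exe instances. It assumes an elevated PowerShell session on Windows 10/11 or Server with the BitLocker feature installed, and it does not claim that any particular setting stops either exploit.

```powershell
# Added triage example (not from the article or the disclosure). Read-only:
# it inventories the surfaces YellowKey and GreenPlasma touch, it does not
# exploit or mitigate anything. Assumes an elevated session and the
# BitLocker feature (on Server: Install-WindowsFeature BitLocker).
#Requires -RunAsAdministrator

$report = [ordered]@{}

# 1. BitLocker: which protectors guard each volume. 'Tpm' alone means the OS
#    volume unlocks with no user secret at boot; 'TpmPin' adds one, although
#    the article notes the WinRE issue may not be stopped by it.
$report.BitLocker = foreach ($v in (Get-BitLockerVolume -ErrorAction Stop)) {
    [pscustomobject]@{
        Mount      = $v.MountPoint
        Protection = $v.ProtectionStatus            # On / Off
        Encrypted  = "$($v.EncryptionPercentage)%"
        Protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

# 2. WinRE: enabled or disabled, and where the recovery image lives.
#    reagentc.exe prints text only, so the two fields are parsed out.
$reagent = & reagentc.exe /info 2>&1 | Out-String
$report.WinREStatus   = if ($reagent -match 'Windows RE status:\s+(\S+)') { $matches[1] } else { 'unknown' }
$report.WinRELocation = if ($reagent -match 'Windows RE location:\s+(.+)') { $matches[1].Trim() } else { 'unknown' }

# 3. Boot integrity context: Secure Boot and TPM presence.
$report.SecureBoot = 'not UEFI / unavailable'
try { $report.SecureBoot = Confirm-SecureBootUEFI } catch { }
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$report.TPM = if ($tpm) { "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)" } else { 'unavailable' }

# 4. ctfmon.exe instances, the CTF loader GreenPlasma is tied to. Owner and
#    session per instance is a baseline to compare against later, not a
#    detection of exploitation.
$report.Ctfmon = Get-CimInstance Win32_Process -Filter "Name='ctfmon.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        PID     = $_.ProcessId
        Session = $_.SessionId
        Owner   = "$($owner.Domain)\$($owner.User)"
        Parent  = $_.ParentProcessId
    }
}

$report.BitLocker | Format-Table -AutoSize
$report.Ctfmon    | Format-Table -AutoSize
$report.GetEnumerator() |
    Where-Object { $_.Key -notin 'BitLocker', 'Ctfmon' } |
    Format-Table Key, Value -AutoSize
```

Run it once per machine now and again after Microsoft ships fixes; the interesting rows are OS volumes whose only protector is Tpm, machines where WinRE reports Enabled on a device that travels, and any ctfmon.exe instance whose owner or parent differs from the user-session baseline.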
The two bugs are drawing attention because they hit two pillars of Windows security: drive encryption and privilege separation. BitLocker is deployed across enterprises, government agencies and consumer devices precisely so that a lost or stolen machine yields no data, and a credible bypass of it naturally alarms the security community. Researchers also rate YellowKey as especially serious because it operates inside WinRE, a recovery environment that ships with standard Windows installations and is reachable by anyone who can reboot the machine.
At the time of these reports Microsoft had not released patches or assigned CVE identifiers for either flaw, so both YellowKey and GreenPlasma are being treated as active zero-days. Practitioners are advising organizations to watch Microsoft's advisories, tighten physical security around sensitive devices, and, until a fix ships, treat lost, stolen or unattended BitLocker-protected systems as potentially exposed. The disclosures have already triggered wide discussion online about exactly that risk.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news