New Windows zero-days could bypass BitLocker and enable full system compromise.
Key Takeaways:
A cybersecurity researcher has disclosed two new zero-day vulnerabilities in Windows and released a proof-of-concept exploit for a third flaw that Microsoft patched in 2020. The disclosures have raised fresh concerns about Windows security, particularly because no official fixes for the two new flaws were available at the time of publication.
The researcher, known as Nightmare-Eclipse, disclosed the two previously unknown vulnerabilities, named YellowKey and GreenPlasma, together with proof-of-concept exploits, citing frustration with Microsoft's vulnerability-handling process. Both are considered high risk because no official patches were available at the time of disclosure.
YellowKey is a BitLocker bypass: under specific conditions it abuses the way the Windows Recovery Environment (WinRE) handles encrypted drives. An attacker with physical access boots the machine into WinRE with a USB drive attached and, through a particular boot sequence, obtains a command shell with full access to the encrypted volume, without any credentials or recovery key.
GreenPlasma is a local privilege escalation flaw in the Windows CTFMON component, which backs the text input services. By manipulating memory structures that trusted system processes rely on, an attacker who already has limited access to the machine can run code as SYSTEM, the highest privilege level, without administrative credentials. That in turn gives full control of the system: installing malware, stealing data, or maintaining long-term access.
The two vulnerabilities can be chained into a multi-stage attack. YellowKey, which requires physical access to the device, yields access to the encrypted data and an initial foothold; GreenPlasma then escalates privileges to take full control of the Windows installation. From there an attacker can carry out follow-on operations such as stealing sensitive data, moving laterally across the network, or deploying ransomware.
These vulnerabilities are part of a larger series of disclosures by the same researcher, who previously published flaws named BlueHammer, RedSun, and UnDefend, some of which were reportedly exploited soon after becoming public. That history raises the concern that YellowKey and GreenPlasma could be weaponized just as quickly. Researchers note that physical-access attacks like YellowKey are a serious risk for portable devices such as laptops, and that privilege escalation flaws like GreenPlasma are routinely leveraged in real-world intrusions.
Organizations are advised to treat these vulnerabilities seriously and strengthen both technical defenses and operational practices. For YellowKey, that means restricting unauthorized physical access to laptops and servers and reviewing how BitLocker is configured, in particular whether operating-system volumes unlock with the TPM alone or also require a pre-boot PIN or startup key, since a PIN adds a secret that an attacker holding only the hardware does not have. Security teams should also follow vendor guidance closely, apply any available mitigations (such as modifying WinRE behavior), and monitor for unusual recovery-environment activity or unauthorized access attempts.
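The following PowerShell script is an added example for the review step above; it is not code from the article, from Microsoft, or from the researcher. It audits the two things the mitigations point at on a single Windows host: how each BitLocker volume is protected (TPM-only versus a TPM plus PIN or startup key) and whether WinRE is enabled and where it lives. It assumes an elevated prompt on Windows 10/11 or Server with the BitLocker module present, and it treats "OS volume with no pre-boot PIN or startup key" as a finding; that threshold is this example's policy, not something the article specifies.

```powershell
# Added example: audit BitLocker key protectors and WinRE status on this host.
# Not from the article or the researcher. Assumes an elevated prompt and the
# BitLocker PowerShell module (Get-BitLockerVolume). The "finding" rules below
# are this example's own policy choices.

function Get-BitLockerPosture {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey, Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A TPM-only protector unlocks the volume automatically at boot; the
        # PIN / startup-key variants add a secret the user must supply.
        $preBootAuth = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })

        $finding = if ($vol.ProtectionStatus -ne 'On') {
                       'protection off'
                   } elseif ($vol.VolumeType -eq 'OperatingSystem' -and -not $preBootAuth) {
                       'OS volume unlocks with TPM only (no pre-boot PIN or startup key)'
                   } else {
                       'ok'
                   }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            VolumeStatus     = $vol.VolumeStatus
            KeyProtectors    = ($types -join ',')
            PreBootAuth      = $preBootAuth
            Finding          = $finding
        }
    }
}

function Get-WinREStatus {
    # reagentc /info prints a small text table; pull out the two lines of interest.
    $text = (& reagentc.exe /info 2>&1 | Out-String)
    $status   = if ($text -match 'Windows RE status:\s*(\S+)')        { $Matches[1] }        else { 'unknown' }
    $location = if ($text -match 'Windows RE location:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{
        WinREStatus   = $status
        WinRELocation = $location
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
Get-WinREStatus      | Format-List
```

What to do with the output is a policy decision the article does not make for you. Moving OS volumes from TPM-only to TPM+PIN (`Add-BitLockerKeyProtector -TpmAndPinProtector`) closes the "hardware alone is enough" gap at the cost of a PIN prompt at every boot, and `reagentc /disable` removes the recovery environment entirely, which also removes your ability to use it for legitimate repair; treat both as changes to test on a pilot group first.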
For GreenPlasma, organizations need to harden endpoints against privilege escalation: keep endpoint protection current, limit user privileges, and monitor for suspicious behavior inside trusted processes such as ctfmon.exe. More broadly, security teams should prioritize patch management, threat detection, and incident response readiness, and review system configurations to reduce the attack surface.
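As an added example of "monitoring for suspicious behavior within trusted processes" (not code from the article or the researcher), the script below hunts the Security log's process-creation events (ID 4688) for anything spawned by ctfmon.exe. The article identifies CTFMON as the component GreenPlasma abuses but does not describe what the exploit does on the host, so "ctfmon.exe should not normally have child processes" is a hunting hypothesis of this example rather than a documented indicator. It assumes process-creation auditing is enabled (command-line auditing as well, if you want the CommandLine column populated) and an elevated prompt to read the Security log.

```powershell
# Added example: hunt Security event 4688 for child processes of ctfmon.exe.
# Not from the article or the researcher. The parent-process hypothesis is an
# assumption of this example; tune $ParentName and $Since to your environment.

function Get-TrustedProcessChildren {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ParentName = 'ctfmon.exe'   # assumption: the component named in the article
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent throws when no event matches the filter.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # ParentProcessName is populated on Windows 10 / Server 2016 and later.
        if ($data['ParentProcessName'] -and ($data['ParentProcessName'] -like "*\$ParentName")) {
            [pscustomobject]@{
                Time           = $e.TimeCreated
                Parent         = $data['ParentProcessName']
                Child          = $data['NewProcessName']
                CommandLine    = $data['CommandLine']        # empty unless command-line auditing is on
                SubjectUser    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                TokenElevation = $data['TokenElevationType'] # %%1936 full, %%1937 elevated, %%1938 limited
            }
        }
    }
}

Get-TrustedProcessChildren | Sort-Object Time | Format-Table -AutoSize
```

An empty result is the expected baseline; any row deserves a look, and a row whose SubjectUser is a standard account while the child runs elevated is the pattern a local privilege escalation would leave if it works by launching a new process. Exploits that never spawn a child (for example, ones that inject into an existing SYSTEM process) will not appear here, which is why this hunt complements, rather than replaces, endpoint telemetry.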