Back

New Windows Zero-Day Vulnerabilities: YellowKey and GreenPlasma Exploits Released

Severity: High (Score: 69.9)

Sources: github.com, Cybersecuritynews, Theregister, cvereports.com, www.tomshardware.com

Summary

Security researcher Nightmare-Eclipse has disclosed two critical zero-day vulnerabilities affecting Windows 11 and Windows Server 2022/2025. The first, YellowKey, allows attackers to bypass BitLocker encryption, granting unrestricted access to protected drives by exploiting the Windows Recovery Environment. The second, GreenPlasma, is a privilege escalation flaw that enables local users to gain SYSTEM privileges by manipulating the CTFMON process. Both vulnerabilities were released shortly after Microsoft's Patch Tuesday updates, raising concerns about their potential exploitation in the wild. The researcher claims that YellowKey functions like a backdoor, as it relies on a component found only in the recovery environment. The vulnerabilities affect systems that utilize BitLocker for encryption, particularly in enterprise settings. Currently, there are no official patches or mitigations from Microsoft for these vulnerabilities. Key Points: • Nightmare-Eclipse disclosed two zero-day vulnerabilities: YellowKey and GreenPlasma. • YellowKey allows bypassing BitLocker encryption, providing unrestricted access to protected drives. • GreenPlasma enables local privilege escalation to SYSTEM privileges, posing significant risks.

Key Entities

  • Chaotic Eclipse (apt_group)
  • Nightmare Eclipse (apt_group)
  • Privilege Escalation (attack_type)
  • Zero-day Exploit (attack_type)
  • Microsoft (company)
  • CVE-2026-32201 (cve)
  • CVE-2026-33825 (cve)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • vulnerabilities.it (domain)
  • BlueHammer (vulnerability)
  • RedSun (vulnerability)
  • GreenPlasma (vulnerability)
  • UnDefend (vulnerability)
  • Yellow Key (vulnerability)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • T1112 - Modify Registry (mitre_attack)
  • BitLocker (platform)
  • EFI (platform)
  • Microsoft Defender Antimalware Platform (platform)
  • NTFS (platform)
  • TPM (platform)
  • Cmd.exe (tool)
  • Collaborative Translation Framework (tool)
  • MpSigStub.exe (tool)
  • MsMpEng.exe (tool)
  • PowerShell (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed