An anonymous researcher who signs as Chaotic Eclipse / Nightmare-Eclipse has once again shaken the Windows ecosystem with two new zero-days, which he has named YellowKey and GreenPlasma, aimed at the physical attack surface and the privilege logic of the operating system. Although the technical details are still being analysed and Microsoft has not published a public advisory covering these flaws, the researcher's description and independent reproductions point to serious problems in the behaviour of WinRE (Windows Recovery Environment) and of the CTFMON subsystem, respectively, that deserve immediate attention from administrators and advanced users.
YellowKey, according to the researcher, bypasses BitLocker when the computer boots into WinRE after a USB drive has been inserted that contains specially crafted files in a \System Volume Information\FsTx folder. The described procedure requires rebooting into WinRE with the USB drive connected; with a specific key sequence (for example, holding CTRL to force a shell), a cmd.exe prompt is obtained with the encrypted drive already unlocked and accessible. Independent researchers have replicated the vector and point to anomalous behaviour in transactional NTFS (TxF) processing that lets data on one volume affect the contents of another. This not only breaks BitLocker's confidentiality guarantee but also exposes a class of cross-volume corruption that deserves in-depth analysis.

GreenPlasma sits on a different flank: an elevation of privilege tied to the arbitrary creation of section objects by CTFMON, the long-standing component that handles text input and language services on Windows. Although the PoC published by the researcher is incomplete and does not deliver a SYSTEM shell on its own, the vector described would let an unprivileged user create objects under paths that should be reserved for high-privilege processes, which can enable tampering with services or drivers that implicitly trust those paths.
These revelations do not come in a vacuum: last month the same researcher published three zero-days affecting Microsoft Defender (BlueHammer, RedSun and UnDefense) which, by his account, Microsoft did not handle to his satisfaction. The situation has escalated to the point where disclosure has become a form of public pressure. Microsoft reiterates that it supports coordinated disclosure and investigates reports through the Microsoft Security Response Center (MSRC), but the dynamic between researchers and vendors is now one of the factors that conditions how quickly and how transparently patches arrive.
In parallel, reports published by the French firm Intrinsec revisited a different BitLocker bypass technique, one that exploits a regression in the boot manager and in the verification of WinRE images to load an attacker-controlled WIM. This technique, tracked as CVE-2025-48804, shows that the boot trust chain fails if a vulnerable version of bootmgfw.efi signed by a certificate that firmware still trusts (Microsoft Windows Production PCA 2011) can be loaded; the strategic mitigation is to migrate the boot components to the newer certificates (Windows UEFI CA 2023) and revoke the old ones, in addition to keeping Secure Boot and firmware up to date. More context on BitLocker and best practices is available in Microsoft's official documentation (BitLocker - Microsoft Learn) and in public vulnerability databases such as NVD (CVE-2025-48804).
What does this mean for companies and users? First, it is crucial to understand the vector: many of these techniques require physical access to the machine (inserting a USB drive, tampering with the EFI partition, booting from external media). That requirement does not make them trivial, but it does make them very dangerous wherever physical access control is weak (shared offices, classrooms, devices in transit). Second, the existence of flaws in WinRE and in the kernel's section and object management means that defending with software policy alone is not enough; boot controls, firmware hardening and response processes are also needed.

Specific, priority actions that administrators and advanced users should consider include: apply all Windows and firmware updates as soon as they are available; configure BitLocker with strong pre-boot authentication (TPM + PIN, or a startup PIN) and avoid relying on TPM-only protection, because even though the researcher claims his exploit also works against TPM + PIN, a PIN still raises the bar against several other physical vectors; force the migration of the boot manager to the updated certificates and deploy revocation of the old signatures in managed environments; and minimize exposure to removable media through policies that disable AutoRun, deny execution from removable disks and log USB insertions. In corporate environments it is also appropriate to deploy controls such as Windows Defender Application Control (WDAC) or AppLocker to limit execution of unauthorized binaries, and to disable WinRE or restrict its functions on critical machines.
On the detection and response side, I recommend auditing removable volumes for \System Volume Information\FsTx directories and reviewing boot and WinRE logs for unusual events; it is also prudent for endpoint teams to monitor the creation of section objects and the manipulation of object directories by low-privilege processes. For organizations with a higher threat profile, physically segregating critical devices and adopting measures such as hardware-signed boot managers and blocking boot from external media in the UEFI / firmware settings are reasonable investments.
Finally, this series of disclosures illustrates two things: on the one hand, that the physical attack surface and the system recovery path remain an attractive and poorly understood vector; on the other, that the relationship between researchers and vendors largely determines how and when risks are mitigated. It is legitimate to demand greater transparency and more agile response processes, but it is also the responsibility of administrators and users to implement the measures available today to shrink the exposure window. Keeping patches current, hardening pre-boot authentication and controlling physical access are, for now, the most effective defenses against threats such as YellowKey and GreenPlasma.
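The hardening points above can be turned into a read-only posture check. The following PowerShell script is an added example, not code from the article or from the researcher; it assumes a Windows 10/11 host with the BitLocker module, is run from an elevated prompt, and only reports findings (it changes nothing). The Secure Boot certificate checks are the ones Microsoft documents in KB5025885 for the Windows UEFI CA 2023 rollout; the registry paths are the standard AutoRun and removable-storage policy locations.

```powershell
# Added example (not from the article): report pre-boot hardening posture on the local host.
# Read-only; run as Administrator. Assumes Windows 10/11 with the BitLocker PowerShell module.

function Get-PreBootPosture {
    $result = [ordered]@{}

    # 1. BitLocker on the OS volume: is protection on, and is a PIN required before boot?
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $result.BitLockerOn      = ($os.ProtectionStatus -eq 'On')
    $result.PreBootPin       = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'Password' })
    $result.TpmOnly          = ($types -contains 'Tpm') -and -not $result.PreBootPin
    $result.RecoveryPassword = ($types -contains 'RecoveryPassword')

    # 2. WinRE: reagentc /info prints "Windows RE status: Enabled|Disabled"
    $re = & reagentc.exe /info 2>&1 | Out-String
    $result.WinREEnabled = ($re -match 'Windows RE status:\s+Enabled')

    # 3. Secure Boot state and the 2023 CA rollout (checks documented in Microsoft KB5025885).
    #    DB should contain "Windows UEFI CA 2023"; DBX should contain the revoked PCA 2011 entry.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }   # legacy BIOS or unsupported platform
    if ($result.SecureBoot) {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).Bytes)
        $result.UefiCa2023InDb = ($db  -match 'Windows UEFI CA 2023')
        $result.Pca2011Revoked = ($dbx -match 'Microsoft Windows Production PCA 2011')
    }

    # 4. Removable media policy: AutoRun off for every drive type (0xFF) and
    #    "Removable Disks: Deny execute access" (class GUID of removable disks).
    $explorer  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $removable = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $result.AutoRunDisabled     = ((Get-ItemProperty $explorer  -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun -eq 0xFF)
    $result.RemovableExecDenied = ((Get-ItemProperty $removable -Name Deny_Execute       -ErrorAction SilentlyContinue).Deny_Execute -eq 1)

    [pscustomobject]$result
}

$posture = Get-PreBootPosture
$posture | Format-List

# Flag the gaps the article treats as priorities.
if (-not $posture.BitLockerOn) { Write-Warning 'BitLocker is not protecting the OS volume' }
if ($posture.TpmOnly)          { Write-Warning 'TPM-only protector: add a pre-boot PIN (manage-bde -protectors -add C: -TPMAndPIN)' }
if ($posture.WinREEnabled)     { Write-Warning 'WinRE is enabled: on high-risk hosts consider reagentc /disable until a fix ships' }
if ($posture.SecureBoot -and -not $posture.UefiCa2023InDb) { Write-Warning 'Windows UEFI CA 2023 is not in the Secure Boot DB' }
if ($posture.SecureBoot -and -not $posture.Pca2011Revoked) { Write-Warning 'PCA 2011-signed boot manager is not yet revoked in DBX' }
if (-not $posture.AutoRunDisabled)     { Write-Warning 'AutoRun is not disabled for all drive types' }
if (-not $posture.RemovableExecDenied) { Write-Warning 'Execution from removable disks is not denied by policy' }
```

Disabling WinRE removes the recovery path entirely, so apply that step only to machines whose recovery you can handle from imaging or out-of-band tooling. Keep the recovery password escrowed before changing protectors, since adding a PIN or rotating the boot manager can trigger a recovery prompt on the next boot.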
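The two detection measures above (sweeping removable volumes for the FsTx marker and keeping a record of USB insertions) can be scripted. This is an added example, not from the article; the \System Volume Information\FsTx path is taken from the researcher's description, the event IDs 400 and 410 are the standard Microsoft-Windows-Kernel-PnP device-arrival events in the System log, and the script assumes an elevated prompt. Because System Volume Information is normally readable only by SYSTEM, a negative result from Test-Path on the FsTx subfolder is not definitive unless the script runs with SYSTEM rights; treat an unreadable directory on a removable volume as something to inspect, not to ignore.

```powershell
# Added example (not from the article): sweep removable volumes for the YellowKey marker
# directory and list recent USB mass-storage arrivals. Run as Administrator; for a definitive
# look inside "System Volume Information" run as SYSTEM, since its ACL blocks Administrators.

function Find-FsTxOnRemovable {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, card readers)
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $svi  = Join-Path $_.DeviceID 'System Volume Information'
        $fstx = Join-Path $svi 'FsTx'          # marker folder from the researcher's description
        $hasFsTx = Test-Path -LiteralPath $fstx
        [pscustomobject]@{
            Drive       = $_.DeviceID
            VolumeName  = $_.VolumeName
            FileSystem  = $_.FileSystem          # TxF only exists on NTFS volumes
            HasSVI      = Test-Path -LiteralPath $svi
            HasFsTx     = $hasFsTx
            FsTxEntries = if ($hasFsTx) {
                              @(Get-ChildItem -LiteralPath $fstx -Force -ErrorAction SilentlyContinue).Count
                          } else { 0 }
        }
    }
}

function Get-RecentUsbStorageEvents {
    param([int]$Hours = 24)
    # Kernel-PnP writes 400 ("Device ... was configured") and 410 ("Device ... was started")
    # to the System log on every device arrival; mass-storage instance IDs start with USBSTOR.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-PnP'
        Id           = 400, 410
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'USBSTOR' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Device'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

$hits = Find-FsTxOnRemovable
$hits | Format-Table -AutoSize
$hits | Where-Object HasFsTx | ForEach-Object {
    Write-Warning ("Removable volume {0} carries System Volume Information\FsTx ({1} entries); " +
                   "isolate the media and correlate with the host's boot/WinRE timeline") -f $_.Drive, $_.FsTxEntries
}

# USB arrivals in the last three days, to correlate with unexpected WinRE boots
Get-RecentUsbStorageEvents -Hours 72 | Format-Table -AutoSize
```

On fleets, run the sweep as a scheduled task or through the EDR's script-execution feature and forward both the FsTx findings and the USBSTOR events to the SIEM, so that a removable NTFS volume carrying the marker directory shortly before a reboot into WinRE can be raised as a single correlated alert rather than two unrelated log lines.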