Over the past month, Windows updates and fresh vulnerability disclosures have converged to unsettle trust in BitLocker and the Windows boot environment. Microsoft has acknowledged April patches that mistakenly force some devices—particularly enterprise-managed machines with specific TPM/PCR7 settings—into BitLocker recovery, and has issued partial fixes while urging temporary group-policy workarounds. At the same time, a researcher known as Nightmare‑Eclipse published YellowKey, a WinRE-based BitLocker bypass that can unlock drives via a USB payload, plus GreenPlasma, a local privilege escalation PoC. Organizations must tighten physical protections (PINs, BIOS locks), review update rollouts, and expedite remediation to reduce exposure.
Windows updates that change system access or trigger BitLocker recovery can halt user productivity and complicate incident response. Tech professionals must balance patch deployment with risk of boot failures and encryption lockouts across endpoints and servers.
Dossier last updated: 2026-05-13 05:22:10
Security researcher Chaotic Eclipse (Nightmare-Eclipse) published two new zero-days: YellowKey, a BitLocker bypass that yields full access to a locked drive, and GreenPlasma, an alleged local privilege-escalation to SYSTEM. YellowKey is triggered by copying an FsTx folder into a USB drive’s System Volume Information and rebooting into the Windows Recovery Environment while holding Control; it drops an elevated command shell and reportedly removes its traces from the USB. It reportedly affects Windows 11, Server 2022 and 2025 (not Windows 10) and also has variants that could defeat TPM+PIN. GreenPlasma manipulates CTFMon to place a crafted memory section accessible to SYSTEM. Both raise urgent questions for enterprise and government BitLocker trust.
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) published a critical BitLocker zero-day called YellowKey that can unlock BitLocker-protected drives and drop an elevated recovery-mode command prompt simply by copying exploit files to a USB stick and rebooting into Windows Recovery Environment. The exploit reportedly erases its files after use and affects Windows 11, Server 2022 and 2025 (not Windows 10); the researcher says a TPM+PIN bypass variant exists but isn’t public. Eclipse also released details of GreenPlasma, an incomplete PoC that allegedly enables local privilege escalation to SYSTEM by abusing CTFMon and Windows memory section objects. If accurate, YellowKey undermines trust in BitLocker across consumer, enterprise, and government devices.
Microsoft has acknowledged that its April 2026 security update (KB5083769) caused some Windows 10, Windows 11 and Windows Server 2025 devices to boot into BitLocker recovery mode, requiring users to enter recovery keys. The issue is tied to BitLocker group policy and specific TPM validation configurations—notably invalid PCR7 settings—and is most common on enterprise-managed machines. Microsoft issued a May patch (KB5089549) that fixes the problem for Windows 11 25H2, but fixes for Windows 10 and Windows Server 2025 were not yet released. Until full coverage is available, Microsoft advises administrators to remove the “Configure TPM platform validation profile for native UEFI firmware configurations” group policy before deploying the May updates.
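As an added example (not code from Microsoft or from the article summarized above), the following PowerShell audits a device for the conditions the advisory describes before the May update is pushed: whether the UEFI platform-validation policy is in force and which PCRs it selects, which PCRs the OS volume's TPM-based protector is actually sealed to, whether Secure Boot is on (PCR7 validation only works with Secure Boot enabled), and whether a recovery password exists and has been escrowed so an unexpected recovery prompt is survivable. The registry mapping of the policy (DWORD `OSPlatformValidation_UEFI` plus a subkey of the same name under `HKLM\SOFTWARE\Policies\Microsoft\FVE`) is an assumption taken from the layout of VolumeEncryption.admx and should be verified against the ADMX for your build; the WMI calls are the documented `Win32_EncryptableVolume` methods that manage-bde itself uses.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Assumption: the "Configure TPM platform validation profile for native UEFI
# firmware configurations" policy is stored as the DWORD OSPlatformValidation_UEFI
# under HKLM\SOFTWARE\Policies\Microsoft\FVE, with the selected PCRs as values
# "0".."23" (1 = selected) in a subkey of the same name. Verify against the ADMX.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$UefiPolicy   = 'OSPlatformValidation_UEFI'
$BdeNamespace = 'root\CIMv2\Security\MicrosoftVolumeEncryption'

function Get-UefiPlatformValidationPolicy {
    # Returns $null when the policy is Not Configured; otherwise the Enabled flag
    # and the list of PCRs the policy selects.
    $item = Get-ItemProperty -Path $FvePolicyKey -Name $UefiPolicy -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $pcrs = @()
    $subKey = Get-Item -Path (Join-Path $FvePolicyKey $UefiPolicy) -ErrorAction SilentlyContinue
    if ($subKey) {
        foreach ($name in $subKey.GetValueNames()) {
            if ($name -match '^\d+$' -and $subKey.GetValue($name) -eq 1) { $pcrs += [int]$name }
        }
    }
    [pscustomobject]@{ Enabled = ($item.$UefiPolicy -eq 1); Pcrs = @($pcrs | Sort-Object) }
}

function Get-TpmProtectorPcrProfile {
    # Asks the volume which PCRs each TPM-based protector is sealed to; this is
    # what "manage-bde -protectors -get" prints as the PCR Validation Profile.
    param([string]$DriveLetter = 'C:')
    $vol = Get-CimInstance -Namespace $BdeNamespace -ClassName Win32_EncryptableVolume `
                           -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No encryptable volume $DriveLetter" }
    $result = @()
    # Key protector types 1, 4, 5, 6 = TPM, TPM+PIN, TPM+StartupKey, TPM+PIN+StartupKey
    foreach ($type in 1, 4, 5, 6) {
        $r = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                              -Arguments @{ KeyProtectorType = [uint32]$type }
        foreach ($id in @($r.VolumeKeyProtectorID)) {
            $p = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
                                  -Arguments @{ VolumeKeyProtectorID = $id }
            $result += [pscustomobject]@{ ProtectorType = $type; Id = $id; Pcrs = @($p.PlatformValidationProfile) }
        }
    }
    return $result
}

function Test-RecoveryPasswordEscrowed {
    # Makes sure a numerical recovery password exists and pushes it to AD DS.
    # On Entra-joined devices use BackupToAAD-BitLockerKeyProtector instead.
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return ($rp.Count -gt 0)
}

# --- readiness report, run before the May update is approved for this device ---
$policy = Get-UefiPlatformValidationPolicy
if ($null -eq $policy) {
    'UEFI platform validation policy: Not Configured (outside the affected population)'
} elseif ($policy.Enabled) {
    "WARNING: policy Enabled, PCRs=$($policy.Pcrs -join ','); Microsoft advises removing it until the fix for this OS ships"
} else {
    'UEFI platform validation policy: Disabled'
}
Get-TpmProtectorPcrProfile -DriveLetter 'C:' |
    ForEach-Object { "Protector $($_.Id) (type $($_.ProtectorType)) sealed to PCRs $($_.Pcrs -join ',')" }
try { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" } catch { 'Secure Boot: not a UEFI system or state unavailable' }
"Recovery password present and escrowed: $(Test-RecoveryPasswordEscrowed -MountPoint 'C:')"
```

On a domain-joined device the policy values come from a GPO and reappear at the next refresh, so the removal Microsoft recommends has to be made in the GPO itself (for example with `Remove-GPRegistryValue` from the GroupPolicy module), not by editing the local registry; the script above is for discovering which devices are in scope and confirming that a recovery key is retrievable before the update lands.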
An anonymous researcher using aliases Nightmare-Eclipse/Chaotic Eclipse has disclosed two more Windows zero-days—YellowKey, a BitLocker bypass, and GreenPlasma, a privilege escalation bug—shortly after Microsoft's Patch Tuesday. YellowKey allegedly lets an attacker with physical access load files from USB to gain an unrestricted shell on BitLocker-protected machines, raising concerns that stolen laptops could lead to full breaches unless mitigations like BitLocker PINs and BIOS locks are used. GreenPlasma's partial exploit currently triggers UAC prompts, so it requires further weaponization, but experts warn privilege escalation flaws are commonly chained post-compromise for credential harvesting and lateral movement. These are the fourth and fifth Microsoft zero-days the leaker has revealed this year.
An anonymous researcher known as Nightmare-Eclipse (aka Chaotic Eclipse) has published technical details for two new Windows zero-days—YellowKey, a BitLocker bypass, and GreenPlasma, a privilege-escalation giving SYSTEM access—shortly after Microsoft’s May Patch Tuesday. The leaker previously exposed three other Windows zero-days this year and supplied exploit files and instructions, including a USB-based load sequence for YellowKey. Security experts warn the flaws are serious: YellowKey can turn stolen, BitLocker-protected laptops into full data breaches, and GreenPlasma enables elevation to SYSTEM, increasing post-compromise impact. The disclosures heighten urgency for organizations to reassess physical-device protections, endpoint controls, and incident response despite Microsoft’s ongoing patching efforts.
Security researcher Chaotic Eclipse disclosed two unpatched Windows vulnerabilities, YellowKey and GreenPlasma, affecting Windows 11 and Windows Server 2022/2025. YellowKey can bypass BitLocker on systems that use TPM-only protection: the attacker places a crafted FsTx folder on a USB drive (or writes it to the EFI partition), boots into WinRE and triggers a shell from there; independent researchers confirmed the FsTx USB method and recommend adding a BitLocker PIN and a BIOS password. GreenPlasma is a local privilege-escalation concept in which a low-privilege user creates arbitrary memory section objects at paths normally writable only by SYSTEM, in order to influence higher-privileged services or drivers; its PoC is incomplete and does not yet yield a full SYSTEM shell. Both findings target trust assumptions in the Windows boot path and in local object-namespace permissions.
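The mitigation the independent researchers recommend above, a TPM+PIN protector in place of TPM-only, can be rolled out with the BitLocker cmdlets. The following PowerShell is an added example, not code from the disclosure or from Microsoft. It assumes the "Require additional authentication at startup" policy maps to the `UseAdvancedStartup`, `EnableBDEWithNoTPM`, `UseTPM`, `UseTPMPIN`, `UseTPMKey` and `UseTPMKeyPIN` DWORDs under `HKLM\SOFTWARE\Policies\Microsoft\FVE` (verify against VolumeEncryption.admx; on domain-joined devices set them through the GPO, since local values are overwritten at the next refresh). A firmware password and boot-order lock, the other recommended control, cannot be scripted generically and must still be set in UEFI setup.

```powershell
# Added example, not from the disclosure. Run in an elevated PowerShell.
# Assumption: policy-to-registry mapping as described in the lead-in.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-RequireTpmPinPolicy {
    # Require a startup PIN together with the TPM and disallow TPM-only.
    # Value meanings follow the ADMX: 0 = do not allow, 1 = require, 2 = allow.
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    $values = @{
        UseAdvancedStartup = 1   # policy enabled
        EnableBDEWithNoTPM = 0   # no BitLocker without a TPM
        UseTPM             = 0   # TPM-only not allowed (the configuration YellowKey targets)
        UseTPMPIN          = 1   # TPM + PIN required
        UseTPMKey          = 0
        UseTPMKeyPIN       = 0
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $FvePolicyKey -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Test-TpmPinEnforced {
    # True only when the volume boots with TPM+PIN and no TPM-only protector remains.
    param([string]$MountPoint = 'C:')
    $types = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType)
    return (('TpmPin' -in $types) -and ('Tpm' -notin $types))
}

function Convert-ToTpmPinProtector {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin   # must satisfy the MinimumPIN policy (default 6 digits)
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') { throw "$MountPoint is not protected; nothing to harden" }
    if (-not (Get-Tpm).TpmReady)      { throw 'TPM is not ready; cannot add a TPM+PIN protector' }

    # 1. Never leave the volume without a recovery path: make sure a recovery
    #    password exists and escrow it before touching the boot protector.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    foreach ($rp in ((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                     Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        # AD DS escrow; use BackupToAAD-BitLockerKeyProtector on Entra-joined devices
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }

    # 2. Remove the TPM-only protector, the configuration the researchers say YellowKey defeats.
    foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # 3. Bind the volume to TPM + PIN; the PIN is prompted for at every boot and
    #    is never stored on disk, so booting into WinRE alone no longer unseals the key.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    return (Test-TpmPinEnforced -MountPoint $MountPoint)
}

# Usage (interactive, elevated):
#   Set-RequireTpmPinPolicy
#   Convert-ToTpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'Startup PIN')
#   Test-TpmPinEnforced -MountPoint 'C:'
```

The order matters: the recovery password is created and escrowed first, then the TPM-only protector is removed, and only then is TPM+PIN added, so the disk is never left with no usable protector if a step fails. Note that the disclosure says a variant defeating TPM+PIN exists but has not been published, so the PIN raises the bar against the public exploit rather than closing the WinRE weakness itself.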
The researcher behind YellowKey disclosed a BitLocker bypass in the Windows Recovery Environment (WinRE) that allows an attacker with physical access to gain an unrestricted shell with access to a BitLocker-protected volume. The exploit involves copying an FsTx folder into the USB drive's System Volume Information (or into the EFI partition), rebooting into WinRE via Shift+Restart, and using a specific keypress sequence to spawn an elevated shell. The bug appears only in Windows 11 and Server 2022/2025 WinRE images, not Windows 10; the researcher notes that the same component also ships in standard Windows installs but there lacks the behaviour that triggers the exploit, which they regard as suspicious. Microsoft, MSTIC, MORSE and GHOST were thanked for coordinated disclosure.
A researcher disclosed a critical BitLocker bypass in Windows Recovery Environment (WinRE) that can yield an elevated shell with access to BitLocker-protected volumes. By placing a crafted FsTx folder into a drive’s System Volume Information (or copying it into the EFI partition), then rebooting into WinRE with a specific key-sequence (hold SHIFT while clicking Restart, then release and hold CTRL), the attacker obtains an unrestricted shell that can access encrypted volumes. The issue appears limited to Windows 11 and Server 2022/2025 images and involves a component present only in WinRE with behavior absent from normal installs, raising concerns about intentional design or an extreme oversight. Microsoft and security teams (MORSE, MSTIC, GHOST) were thanked for coordinated disclosure.
Microsoft released the May extended security update KB5087544 for Windows 10 Enterprise LTSC and devices enrolled in ESU, raising builds to 19045.7291 (ESU) and 19044.7291 (LTSC). The cumulative update fixes 120 vulnerabilities — including 14 remote code execution, 61 privilege escalation, and other severity classes — but no zero-days. It also fixes a remote desktop warning display bug introduced by April's patch (affecting multi-monitor, mixed-DPI .rdp sessions), enhances Windows Security to show dynamic Secure Boot state and expands coverage for new Secure Boot certificates. Microsoft warns some devices may prompt for BitLocker recovery keys after install and provides a temporary mitigation; a permanent fix is pending. Windows 10 estates on ESU or LTSC therefore get the CVE coverage but still inherit the BitLocker recovery prompt issue, so the temporary mitigation should be applied before rollout.
RedSun: System user access on Win 11/10 and Server with the April 2026 Update (github.com/nightmare-eclipse), submitted to Hacker News by airhangerf15.
Microsoft confirmed that two recent Windows 11 updates—KB5083769 and KB5082052—can incorrectly trigger BitLocker recovery on affected machines, forcing users to enter recovery keys to boot. The company acknowledged the issue, pointed to specific update packages, and is investigating while advising impacted users on mitigation steps. This matters because unexpected BitLocker recovery interrupts productivity, risks data access for enterprises and consumers, and complicates device management for IT teams. The incident highlights the risk of security feature regressions in OS updates and underscores the need for careful rollout and rapid remediation of updates that affect disk encryption and boot processes.