Two unpatched Microsoft Windows vulnerabilities, each with a working proof-of-concept exploit, were published on Tuesday by researchers using the pseudonyms “Chaotic Eclipse” and “Nightmare Eclipse.” The researchers said they released the exploits without coordinated vendor patches because they were dissatisfied with Microsoft’s vulnerability handling process. The two flaws, named YellowKey and GreenPlasma, enable a BitLocker full-disk encryption bypass and local privilege escalation to SYSTEM, respectively. Neither has a patch, and at the time of publication Microsoft had not publicly committed to a fix timeline.
How YellowKey Bypasses BitLocker Even with TPM PIN Protection
YellowKey targets BitLocker, the full-disk encryption feature built into Windows that protects data at rest on machines that are powered off, lost or stolen. The vulnerability lets an attacker with physical access read the contents of a BitLocker-protected drive without the decryption credentials. According to the researchers, the bypass works even when a TPM PIN is configured. Many organizations deploy TPM+PIN precisely because it adds a pre-boot authentication factor on top of the TPM’s integrity check, so a bypass that survives the PIN removes the protection those deployments were counting on.
The procedure described with the released PoC is: copy the exploit folder to a USB drive, insert it into the target machine, reboot into the Windows Recovery Environment (WinRE), and reach a command prompt there through specific key combinations. An alternative path works by modifying the EFI system partition on the target drive. Both paths require the attacker to be physically present at the machine. The write-up does not say whether firmware-level controls, such as Secure Boot or a boot-order lock, affect either path, so defenders should not assume those settings close it.
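The description above makes three things worth checking on an endpoint: which key protectors guard each volume (TPM-only versus TPM+PIN or startup key), whether WinRE is enabled, and whether Secure Boot is on. The following PowerShell script is an added example written for this article, not code from the researchers or from Microsoft; it is a posture audit, not a fix, since the article reports no mitigation for YellowKey itself. It uses only built-in cmdlets and tools (`Get-BitLockerVolume`, `reagentc /info`, `Confirm-SecureBootUEFI`) and should be run from an elevated PowerShell session.

```powershell
# Added example (not from the original article): BitLocker / WinRE / Secure Boot posture audit.
# Run elevated. Reports the state the YellowKey description makes relevant; it does not
# claim that any of these settings stops YellowKey.

function Get-BitLockerPosture {
    foreach ($v in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey, Password.
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            Volume        = $v.MountPoint
            VolumeType    = $v.VolumeType
            Protection    = $v.ProtectionStatus
            EncryptedPct  = $v.EncryptionPercentage
            Protectors    = ($types -join ',')
            # True when a pre-boot factor beyond the TPM (PIN and/or startup key) is
            # configured. Per the article, YellowKey is reported to defeat TPM+PIN, so
            # True here is informational, not a safe state.
            PreBootFactor = [bool]($types | Where-Object { $_ -match 'Pin|StartupKey' })
        }
    }
}

function Get-WinREState {
    # reagentc prints a line like "Windows RE status:  Enabled" (English locale assumed).
    $line = reagentc /info 2>&1 | Where-Object { $_ -match 'Windows RE status' }
    if ($line -match 'Enabled') { 'Enabled' }
    elseif ($line -match 'Disabled') { 'Disabled' }
    else { 'Unknown' }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware.
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'Unsupported' }
}

Get-BitLockerPosture | Format-Table -AutoSize
'Windows RE : {0}' -f (Get-WinREState)
'Secure Boot: {0}' -f (Get-SecureBootState)
```

A volume whose `Protectors` column shows only `Tpm` and `RecoveryPassword` has no pre-boot factor at all; since the PoC path boots into the installed WinRE, the `Windows RE` line tells you whether that environment is even available on the machine. Treat the output as inventory for a risk decision, not as evidence of immunity.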
GreenPlasma’s Path to SYSTEM Privilege via Memory Section Objects
GreenPlasma needs no physical access: it is a local privilege escalation run from an authenticated user session. As described, it works by creating arbitrary section objects (shared-memory objects) inside directory objects in the Windows object manager namespace that are writable by the System account. By manipulating those section objects, the attacker influences the behaviour of Windows services and kernel-mode drivers in a way that elevates the attacker’s session to full SYSTEM privileges. The write-up does not name the specific directories or the services and drivers involved.
The researchers deliberately omitted the final step that pops a SYSTEM shell from the released GreenPlasma PoC, a partial disclosure meant to demonstrate exploitability while nominally limiting turnkey weaponization. They acknowledged, however, that the released code is enough for skilled attackers to complete the missing step on their own.
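Whatever the exact GreenPlasma mechanism, abuse of named objects in the object manager namespace depends on a directory object that a low-privileged principal can add objects to and that a privileged component also resolves names in. The following PowerShell script, an added example written for this article and not code from the researchers, lists which of a set of well-known object directories grant object-creation rights to broad, non-administrative principals. The directory list and the set of “broad” SIDs are assumptions for illustration; the article does not say which directories GreenPlasma uses. It runs as a standard user, since only READ_CONTROL and DIRECTORY_QUERY access are requested, and calls `NtOpenDirectoryObject` and `GetSecurityInfo` through a small P/Invoke shim.

```powershell
# Added example (not from the original article): find object-manager directories whose DACL
# lets broad principals create objects in them. Works as a standard user.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class ObjNs
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    [DllImport("ntdll.dll")]   static extern int NtOpenDirectoryObject(out IntPtr h, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")]   static extern int NtClose(IntPtr h);
    [DllImport("advapi32.dll")] static extern uint GetSecurityInfo(IntPtr h, int type, uint info,
        IntPtr owner, IntPtr group, IntPtr dacl, IntPtr sacl, out IntPtr sd);
    [DllImport("advapi32.dll")] static extern uint GetSecurityDescriptorLength(IntPtr sd);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr p);

    const uint READ_CONTROL = 0x00020000, DIRECTORY_QUERY = 0x0001, OBJ_CASE_INSENSITIVE = 0x40;
    const int  SE_KERNEL_OBJECT = 6;
    const uint DACL_SECURITY_INFORMATION = 0x4;

    // Returns the self-relative security descriptor (DACL only) of an object directory, or null.
    public static byte[] GetDacl(string path)
    {
        var name = new UNICODE_STRING();
        name.Buffer = Marshal.StringToHGlobalUni(path);
        name.Length = (ushort)(path.Length * 2);          // byte count, not char count
        name.MaximumLength = (ushort)(name.Length + 2);
        IntPtr pName = Marshal.AllocHGlobal(Marshal.SizeOf(name));
        Marshal.StructureToPtr(name, pName, false);
        var oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.ObjectName = pName;
        oa.Attributes = OBJ_CASE_INSENSITIVE;
        IntPtr h;
        int status = NtOpenDirectoryObject(out h, READ_CONTROL | DIRECTORY_QUERY, ref oa);
        Marshal.FreeHGlobal(pName);
        Marshal.FreeHGlobal(name.Buffer);
        if (status != 0) return null;                      // e.g. STATUS_ACCESS_DENIED, not found
        IntPtr sd;
        uint err = GetSecurityInfo(h, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                                   IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out sd);
        NtClose(h);
        if (err != 0) return null;
        var bytes = new byte[GetSecurityDescriptorLength(sd)];
        Marshal.Copy(sd, bytes, 0, bytes.Length);
        LocalFree(sd);
        return bytes;
    }
}
'@

# Rights that let a caller add objects to a directory object (DIRECTORY_CREATE_OBJECT,
# DIRECTORY_CREATE_SUBDIRECTORY) plus the generic rights that map onto them.
$createMask = 0x0004 -bor 0x0008 -bor 0x40000000 -bor 0x10000000

# Assumed set of "broad" principals: Everyone, Authenticated Users, Users, Anonymous,
# Interactive, All Application Packages. Adjust to the environment's threat model.
$broad = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-7', 'S-1-5-4', 'S-1-5-15')

# Assumed starting set of directories; extend or enumerate recursively as needed.
$session = (Get-Process -Id $PID).SessionId
$dirs = @('\BaseNamedObjects', "\Sessions\$session\BaseNamedObjects", '\RPC Control',
          '\Windows', "\Sessions\$session\Windows", '\KnownDlls', '\Device', '\GLOBAL??')

foreach ($d in $dirs) {
    $bytes = [ObjNs]::GetDacl($d)
    if ($null -eq $bytes) { Write-Warning "$d : cannot open (missing or access denied)"; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) { '{0,-44} NULL DACL (unrestricted)' -f $d; continue }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $createMask) -eq 0) { continue }
        if ($broad -notcontains $ace.SecurityIdentifier.Value) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        '{0,-44} {1,-30} mask=0x{2:X8}' -f $d, $who, $ace.AccessMask
    }
}
```

Directories such as `\BaseNamedObjects` are expected to show up, because Windows intentionally lets every user create named objects there; what the output tells you is which namespaces privileged code must treat as untrusted. Use it to audit your own services and drivers for names they open in user-writable directories, and as the baseline for any detection you build around section-object creation while a GreenPlasma fix is pending.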
Chaining YellowKey and GreenPlasma for Combined Attack Scenarios
The two vulnerabilities were presented together as a paired threat scenario. In a combined attack, GreenPlasma supplies the privilege escalation step, turning a low-privileged session on a compromised machine into SYSTEM access. YellowKey addresses the disk encryption layer, letting an attacker with physical possession of a machine defeat BitLocker whether or not the machine was previously compromised. Together they cover a realistic sequence: escalate privileges on a running system, then neutralize the encryption protecting its data at rest.
For targeted physical-access attacks, such as corporate espionage against stolen laptops or device seizures at border crossings, the combination of SYSTEM escalation and a BitLocker bypass removes the protection that organizations rely on full-disk encryption to provide.
PoC Release Following Microsoft Vulnerability Handling Disputes
The public release without patches is a significant aspect of this disclosure. Chaotic Eclipse and Nightmare Eclipse attributed their decision to drop both PoCs to dissatisfaction with Microsoft’s response process, a pattern that has appeared more often as researchers grow frustrated with long patch timelines and reduced bug-bounty payouts from major vendors.
Both vulnerabilities remain unpatched. Microsoft had neither disclosed a patch timeline nor formally acknowledged the vulnerabilities in public communications when the PoCs were released. Organizations that rely on BitLocker to protect sensitive data on employee devices, particularly in high-risk physical environments such as executive travel, field operations or border crossings, face a window of elevated risk that software patching cannot close until Microsoft addresses YellowKey. For GreenPlasma, defenders can watch for anomalous section-object creation as a detection signal while awaiting a vendor fix, with the caveat that Windows does not record section-object creation in its default logging, so that signal requires additional kernel-object auditing or endpoint telemetry to exist at all.
