YellowKey & GreenPlasma: Unpatched Windows Zero-Days Bypass BitLocker and Escalate to SYSTEM

A disgruntled researcher dropped PoC exploits for two unpatched Windows zero-days — one bypasses BitLocker, the other grants SYSTEM privileges via CTFMON. No CVEs, no patches, full impact.

FyntraLink Team

On May 13, 2026 — one day after Microsoft's May Patch Tuesday — a researcher operating under the alias Chaotic Eclipse publicly released proof-of-concept exploit code for two unpatched Windows vulnerabilities. Neither carries a CVE identifier. Neither has a patch. Both are fully weaponized and target the backbone of enterprise endpoint security: disk encryption and privilege boundaries.

YellowKey: BitLocker Full-Volume Encryption Rendered Irrelevant

YellowKey targets the Windows Recovery Environment (WinRE) on systems running Windows 11 and Windows Server 2022/2025 with BitLocker enabled. The attack chain is disturbingly simple: an attacker places specially crafted "FsTx" files onto a USB drive or the EFI System Partition, forces the machine to reboot into WinRE, and holds the CTRL key to trigger a shell. From that shell, the attacker gains unencrypted access to the BitLocker-protected volume — no recovery key required, no TPM PIN to brute-force, no sophisticated hardware interposer needed.

The implications are severe for any organization that relies on BitLocker as a compensating control for device theft or physical access scenarios. Laptops left in hotel rooms, devices in transit between branches, or hardware decommissioned without proper data destruction — all become data exfiltration vectors. For institutions handling cardholder data under PCI-DSS Requirement 3.4 or classified information under NCA ECC controls, a BitLocker bypass directly undermines the encryption layer that satisfies regulatory audit evidence.

GreenPlasma: CTFMON Becomes a SYSTEM-Level Backdoor

GreenPlasma is a local privilege escalation exploit targeting ctfmon.exe, a trusted Windows process that runs as SYSTEM in every interactive session to manage text input services. The exploit manipulates registry settings and object manager permissions to plant an arbitrary memory section object in a directory normally writable only by SYSTEM. When CTFMON interacts with this planted object — which it does automatically because it trusts the directory — the attacker escalates from an unprivileged user account to full SYSTEM privileges.

GreenPlasma affects Windows 11 and Windows Server 2022/2025. Because ctfmon.exe is a legitimate, always-running Microsoft binary, the escalation bypasses application whitelisting solutions and evades most EDR behavioral detections. The process is signed by Microsoft, runs in every session, and its interactions with the object manager are considered normal behavior. Traditional indicators of compromise — suspicious parent-child process relationships, unsigned binaries, abnormal network connections — simply do not fire.

The Disclosure Timeline Reveals a Systemic Problem

Chaotic Eclipse did not drop these exploits without warning. According to multiple reports, the researcher had previously submitted both vulnerabilities through Microsoft's Security Response Center (MSRC) and followed responsible disclosure timelines. When Microsoft's response did not meet the researcher's expectations — a pattern that has become increasingly common — the PoCs were timed for release the day after Patch Tuesday, ensuring the maximum window of exposure before the next scheduled patch cycle in June 2026.

This is the sixth zero-day disclosure from this researcher in six weeks, a campaign that Barracuda Networks has dubbed "Nightmare-Eclipse." The pattern is deliberate: each release targets a different Windows subsystem, each is dropped post-Patch Tuesday, and each exploits a component that organizations assume is trustworthy. The message is clear — the traditional 90-day disclosure window is under pressure, and defenders cannot rely on vendor patch cycles alone.

Direct Impact on Saudi Financial Institutions

Saudi financial institutions operating under SAMA's Cyber Security Compliance Committee (CSCC) framework face specific exposure from both vulnerabilities. SAMA CSCC Domain 3 (Technology) mandates encryption of data at rest on all endpoints handling financial data. If BitLocker is the primary control satisfying this requirement — and for most Windows-based environments in the Kingdom, it is — YellowKey creates a direct compliance gap that auditors will flag.

GreenPlasma compounds the risk. NCA's Essential Cybersecurity Controls (ECC) require organizations to implement least-privilege access models and monitor for privilege escalation attempts (ECC 2-3-1). An escalation technique that abuses a signed Microsoft process and leaves no anomalous forensic trail renders standard SIEM detection rules ineffective. SOC teams monitoring for Sysmon Event ID 1 anomalies or PowerShell-based escalation will see nothing.

Under PDPL Article 29, controllers must implement appropriate technical measures to protect personal data. An unpatched privilege escalation path to SYSTEM on every Windows endpoint in the enterprise is difficult to defend as "appropriate" during a regulatory inquiry following a breach.

Practical Mitigation Steps Before a Patch Arrives

  1. Restrict WinRE access immediately. Use reagentc /disable on all managed endpoints to prevent booting into the Windows Recovery Environment. This breaks the YellowKey attack chain at the entry point. Document this change and re-enable WinRE only during controlled maintenance windows.
  2. Enforce TPM+PIN for BitLocker. While YellowKey operates from within the recovery environment, adding pre-boot PIN authentication via Group Policy (Require additional authentication at startup) adds a layer that the current PoC does not address. Mandate this across all laptops and mobile endpoints.
  3. Audit USB and EFI partition write access. YellowKey requires writing files to a USB drive or the EFI partition. Endpoint protection policies should restrict USB mass storage device mounting to authorized devices only, and EFI partition write access should be locked to SYSTEM and Administrators via NTFS ACLs.
  4. Deploy CTFMON monitoring rules. While GreenPlasma evades standard detection, custom Sysmon rules can monitor for registry modifications in the CTFMON-related keys (HKLM\SOFTWARE\Microsoft\CTF) and object manager directory changes. Alert on any non-SYSTEM process modifying these paths.
  5. Implement application control beyond whitelisting. Solutions like Windows Defender Application Control (WDAC) with supplemental policies can restrict what signed binaries are allowed to load untrusted memory sections. Configure WDAC to block DLL side-loading scenarios that GreenPlasma leverages.
  6. Accelerate endpoint hardening assessments. Conduct an immediate gap analysis of all Windows endpoints against these specific attack vectors. Prioritize internet-facing servers, executive laptops, and systems processing SAMA-classified financial data.
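The following script is an added example, not Fyntralink's code or part of the original advisory, showing how steps 1 through 4 above can be audited on a single endpoint and, with the `-Enforce` switch, applied. It assumes an elevated PowerShell session on Windows 11 or Windows Server 2022/2025, the BitLocker module (`Get-BitLockerVolume`), Sysmon already installed as `C:\Windows\Sysmon64.exe` at a version that records the `User` field in registry events, and an assumed config path of `%ProgramData%\sysmon-ctf.xml`. The Sysmon rule file shown replaces the running configuration when loaded with `-c`, so in production merge the `RuleGroup` into your existing config instead of loading it standalone.

```powershell
# Added example (not Fyntralink's code): audit-and-enforce the compensating
# controls for YellowKey and GreenPlasma described above.
# Run without -Enforce to audit only; add -Enforce to apply changes.
[CmdletBinding()]
param(
    [switch]$Enforce,
    [string]$SysmonConfigPath = "$env:ProgramData\sysmon-ctf.xml"  # assumed path
)

$findings = New-Object System.Collections.Generic.List[string]

# --- Step 1: WinRE. "Windows RE status: Enabled" means the recovery environment
# is bootable, i.e. the YellowKey entry point is reachable.
$reInfo = & reagentc.exe /info 2>&1 | Out-String
if ($reInfo -match 'Windows RE status:\s+Enabled') {
    $findings.Add('WinRE is ENABLED (YellowKey entry point reachable)')
    if ($Enforce) { & reagentc.exe /disable | Out-Null }
}

# --- Step 2: BitLocker protectors. Require a TpmPin protector on the OS volume;
# adding a PIN is interactive and policy-driven, so it is reported, not enforced.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
    $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings.Add("$($vol.MountPoint) BitLocker protection is OFF")
    } elseif ($types -notcontains 'TpmPin') {
        $findings.Add("$($vol.MountPoint) protectors [$($types -join ',')] lack TPM+PIN")
    }
}

# --- Step 3: USB mass storage. Start=4 on the USBSTOR service disables the driver
# (Group Policy device-installation restrictions are the preferred, auditable route).
$usbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
if ((Get-ItemProperty -Path $usbStor -Name Start).Start -ne 4) {
    $findings.Add('USB mass storage driver (USBSTOR) is enabled')
    if ($Enforce) { Set-ItemProperty -Path $usbStor -Name Start -Value 4 }
}

# --- Step 4: Sysmon registry rule for the CTF key. Sysmon event IDs 12/13/14
# (key create/delete, value set, rename) will fire for anything under it.
$sysmonRules = @"
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="CTF registry tampering" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\CTF</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@
if ($Enforce) {
    Set-Content -Path $SysmonConfigPath -Value $sysmonRules -Encoding ASCII
    & "$env:SystemRoot\Sysmon64.exe" -c $SysmonConfigPath | Out-Null
}

# Triage helper: CTF-key registry changes made by any account other than SYSTEM,
# which is the "non-SYSTEM process modifying these paths" alert condition.
function Get-CtfRegistryTampering {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13, 14
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.TargetObject -like 'HKLM\SOFTWARE\Microsoft\CTF*' -and
            $data.User -ne 'NT AUTHORITY\SYSTEM') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $data.User
                               Image = $data.Image; Target = $data.TargetObject }
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No findings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
Get-CtfRegistryTampering | Format-Table -AutoSize
```

Schedule the audit mode across the fleet (for example via a scheduled task feeding a central share) so that a re-enabled WinRE or a stripped TPM+PIN protector shows up as a finding rather than being discovered by an auditor; forward the Sysmon channel to the SIEM so `Get-CtfRegistryTampering` is the local cross-check, not the only alert path.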

Conclusion

YellowKey and GreenPlasma are not theoretical research — they are weaponized exploits with public PoC code, zero patches, and zero CVE identifiers. The Nightmare-Eclipse campaign has demonstrated that a single motivated researcher can systematically dismantle trust in foundational Windows security controls. For Saudi financial institutions, the gap between these disclosures and Microsoft's next patch cycle is an operational risk window that demands immediate, compensating action rather than passive waiting.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and endpoint hardening review tailored to these emerging zero-day threats.
