Two new Windows zero-days expose BitLocker and CTFMON flaws

An anonymous researcher has disclosed two new Windows zero-days, one affecting BitLocker and one affecting the Windows Collaborative Translation Framework (CTF, hosted by the ctfmon.exe process), and has published technical details and proof-of-concept code for both. The findings follow the same researcher's earlier Microsoft Defender disclosures and include a BitLocker bypass tied to the Windows Recovery Environment (WinRE) and a privilege escalation path that could lead to SYSTEM access.

KEY FACTS

  • BitLocker flaw: The YellowKey issue affects Windows 11 and Windows Server 2022 and 2025.
  • Recovery environment: The bypass works in the Windows Recovery Environment and can be triggered with a USB drive and a reboot.
  • Privilege escalation: GreenPlasma targets CTFMON and may allow a standard user to create objects that affect privileged services.
  • Previous disclosures: The same researcher recently published three Microsoft Defender zero-days.

A technical disclosure said the BitLocker bug, codenamed YellowKey, can be used to obtain a shell from WinRE even when BitLocker protections are enabled. The researcher said TPM plus PIN does not stop the issue.

The report described the flaw as involving specially crafted FsTx (Transactional NTFS) files placed on a USB drive or on the EFI partition. After the drive is attached and the machine is booted into recovery mode, holding the Ctrl key can trigger a shell instead of the expected recovery workflow.

Security researcher Will Dormann said he was able to reproduce the behavior with a USB drive attached. He said Transactional NTFS data on one volume appeared able to delete a file on another volume, which led to a cmd.exe prompt with BitLocker unlocked.

The second issue, GreenPlasma, is described as a privilege escalation flaw tied to arbitrary section creation in CTFMON. The proof of concept is incomplete, but the disclosure says the bug could allow an unprivileged user to create memory section objects inside object-manager directories that are writable by SYSTEM, and so potentially affect services or drivers that trust those paths.

The latest findings come about a month after the same researcher published three Microsoft Defender zero-days. One of those, BlueHammer, was assigned CVE-2026-33825 and patched last month, while the researcher said another issue was silently addressed without a public advisory.

WHY IT MATTERS

The disclosures add to a run of Windows security issues that weaken disk-encryption protections and local privilege boundaries. For administrators, the findings reinforce the need to track patch status, physical access controls and preboot authentication settings on devices that rely on BitLocker, since the YellowKey path requires physical access to attach a drive and reboot into WinRE.
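As an added example (not code from the article or from the researcher's disclosure), the PowerShell script below inventories the settings the article tells administrators to watch: which key protectors each BitLocker volume has, whether the OS volume requires preboot authentication (TPM+PIN rather than TPM-only), and whether WinRE is enabled on the host. It uses only the documented `Get-BitLockerVolume` cmdlet from the BitLocker module and the `reagentc /info` command; the text match on the reagentc output assumes an English locale. Note that the article reports TPM+PIN does not stop YellowKey, so this report is an inventory for fleet triage, not a fix for the flaw.

```powershell
# Added example: inventory BitLocker key protectors and WinRE state on one host.
# Run from an elevated PowerShell session on Windows 11 / Windows Server 2022+.
# Assumptions: BitLocker PowerShell module present; reagentc output in English.

function Get-PrebootAuthReport {
    [CmdletBinding()]
    param()

    $volumes = Get-BitLockerVolume -ErrorAction Stop
    foreach ($v in $volumes) {
        # KeyProtectorType is an enum (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey, Password, ...); stringify for reporting.
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # TPM-only protectors unlock the OS volume with no user interaction at boot;
        # TpmPin / TpmPinStartupKey require preboot authentication.
        $preboot = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $v.ProtectionStatus    # On / Off
            VolumeStatus     = $v.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
            KeyProtectors    = ($types -join ',')
            PrebootAuth      = $preboot
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Get-WinREState {
    # reagentc prints text only, so match the status line (English locale assumed).
    $info = & reagentc.exe /info 2>&1
    $line = $info | Where-Object { $_ -match 'Windows RE status' } | Select-Object -First 1
    if     ($line -match 'Enabled')  { 'Enabled' }
    elseif ($line -match 'Disabled') { 'Disabled' }
    else                             { 'Unknown' }
}

# Flag OS volumes that are protected but rely on TPM-only unlock.
$report = Get-PrebootAuthReport
$report | Format-Table -AutoSize
$tpmOnly = $report | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -eq 'On' -and -not $_.PrebootAuth
}
if ($tpmOnly) { Write-Warning "OS volume(s) without preboot authentication: $($tpmOnly.MountPoint -join ', ')" }
"Windows RE status: $(Get-WinREState)"
```

Run the script across a fleet with your existing remoting or endpoint-management tooling and collect the `KeyProtectors`, `PrebootAuth` and WinRE fields; the combination of an enabled WinRE, a TPM-only OS volume and an unpatched build is the population to prioritise for physical-access controls while a fix is pending.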