TempMail Ninja
Windows Zero-Day Exploits: YellowKey and GreenPlasma Released

The cybersecurity landscape has been rocked by a calculated and devastating disclosure. On May 13, 2026, just 24 hours after Microsoft’s scheduled Patch Tuesday, a threat researcher operating under the dual aliases “Chaotic Eclipse” and “Nightmare Eclipse” released functional Proof-of-Concept (PoC) code for two catastrophic Windows Zero-Day Exploits. These vulnerabilities, identified as YellowKey and GreenPlasma, represent a strategic strike against the Windows ecosystem, specifically targeting the core of disk encryption and the fundamental Text Services Framework.

The timing of this release is not coincidental. By waiting until the monthly security update cycle was finalized, the researcher has initiated what industry insiders are calling “Exploit Wednesday.” This maneuver ensures that organizations will remain vulnerable for at least 27 days—the window before the next official patch cycle—unless Microsoft issues an emergency out-of-band (OOB) fix. Security analysts from Bridewell have already confirmed that these Windows Zero-Day Exploits are being weaponized in the wild, targeting high-value corporate workstations and critical infrastructure control systems.

YellowKey: The Architecture of the BitLocker Bypass

The first of the two exploits, YellowKey, is a sophisticated bypass of BitLocker Full-Disk Encryption (FDE). For years, BitLocker has been the gold standard for securing data at rest in enterprise environments, relying on a combination of the Trusted Platform Module (TPM) and Secure Boot to maintain a “Chain of Trust.” YellowKey shatters this chain by exploiting a systemic flaw in how modern Windows versions handle “path trust” during the recovery process.

The “Path Trust” Logic Flaw

At its core, YellowKey targets the Windows Recovery Environment (WinRE) and the handoff between the bootloader and the kernel. When a system enters a recovery state—either due to a failed boot or manual intervention—the operating system must determine if the recovery path is “trusted.” YellowKey identifies a vulnerability where the OS fails to validate the integrity of the specific environment variables that define the path to the recovery key handlers. By manipulating these variables, an attacker with physical access or a local foothold can force the system to accept a spoofed “trusted” path that resides in an unencrypted memory segment.

Technical analysis reveals the following critical stages of the YellowKey exploit:

  • Interception: The exploit intercepts the communication between the OS and the TPM (Trusted Platform Module) during the pre-boot phase.
  • Environment Injection: It injects a rogue path into the BCD (Boot Configuration Data) store, redirecting the recovery authentication to a malicious library.
  • Key Extraction: Because the system believes it is in a validated recovery state, it releases the BitLocker Full Volume Encryption Key (FVEK) into volatile memory without requiring the user’s recovery password.

The implication for mobile workers and high-security laptop fleets is severe. YellowKey effectively renders hardware-level encryption moot if an adversary can gain even brief physical access to the device. This is particularly concerning for corporate espionage and state-sponsored data theft.

GreenPlasma: Escalating Privilege via CTFMON

While YellowKey targets data at rest, GreenPlasma focuses on total system compromise. This exploit targets the Windows Text Services Framework (TSF), specifically the long-standing and often overlooked ctfmon.exe process. GreenPlasma is an Elevation of Privilege (EoP) exploit that allows a standard, unprivileged user to elevate their permissions to SYSTEM level—the highest level of authority on a Windows machine.

The Arbitrary Section Creation Flaw

The vulnerability within ctfmon.exe involves an arbitrary section creation flaw. The Text Services Framework is responsible for handling input methods, keyboard layouts, and speech recognition. To do this, it communicates across different security boundaries using ALPC (Advanced Local Procedure Call) mechanisms. GreenPlasma exploits a logic error in how ctfmon.exe creates and manages shared memory sections.

An attacker can send a specially crafted ALPC message to the MSCTF server (the backend of CTFMON), requesting the creation of a new memory section. Due to a lack of proper security descriptor validation, the server creates this section with “Full Control” permissions for the unprivileged requester, but allocates it within the memory space of a privileged system process. By writing malicious shellcode into this shared section, the attacker can hijack the execution flow of a high-privilege service.

GreenPlasma Technical Characteristics:

  1. Bypass of UIPI: The exploit successfully bypasses User Interface Privilege Isolation (UIPI) by leveraging the cross-session nature of the TSF.
  2. Memory Injection: It utilizes a technique known as “Section Map Hijacking” to inject code without triggering traditional API hooks used by standard antivirus software.
  3. Persistence: Once SYSTEM-level access is achieved, the exploit can be used to disable security agents, install rootkits, or exfiltrate sensitive credentials from the LSASS (Local Security Authority Subsystem Service) memory.

The Strategic Danger of “Exploit Wednesday”

The release of these Windows Zero-Day Exploits on the day following Patch Tuesday represents a shift in threat actor psychology. Historically, researchers would report flaws to Microsoft’s MSRC (Microsoft Security Response Center) to receive a bounty and wait for a patch. However, “Chaotic Eclipse” has opted for public “Full Disclosure,” citing a desire to force the industry into a more proactive security posture. This leaves IT departments in a precarious “Patch Gap.”

Systems updated with the May 2026 patches remain fully vulnerable to YellowKey and GreenPlasma. Because the vulnerabilities are Zero-Days, there are currently no CVE (Common Vulnerabilities and Exposures) identifiers or official registry-level fixes. For the enterprise, this means that even a “fully patched” system is currently wide open to these specific attack vectors.

Impact on Global Security Operations

Security firms like Bridewell and Mandiant have reported that automated scanning tools are already being updated by various threat groups to look for the specific signatures of the GreenPlasma exploit. The “in-the-wild” activity is characterized by a “low and slow” approach, where attackers use GreenPlasma to move laterally within a network after gaining an initial foothold through phishing. By the time an organization realizes they have been breached, the attacker has already used the elevated privileges to compromise the Active Directory (AD) environment.

Defensive Posture and Technical Mitigations

In the absence of an official Microsoft patch, Security Operations Centers (SOCs) and System Administrators must take immediate, manual steps to mitigate the risk posed by these Windows Zero-Day Exploits. The following recommendations are based on technical analysis of the PoC code released by the researcher.

1. Hardening CTFMON and TSF

Monitoring ctfmon.exe is critical. Under normal circumstances, ctfmon.exe should not be spawning child processes like cmd.exe, powershell.exe, or bitsadmin.exe.

  • EDR Rule: Implement a rule to alert on and block any child process originating from ctfmon.exe.
  • Memory Integrity: Ensure HVCI (Hypervisor-Protected Code Integrity) is enabled on all compatible Windows 11 devices, as this can impede the memory injection techniques used by GreenPlasma.
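The EDR rule above, expressed as detection logic a SOC could run over process-creation telemetry. This is an added example, not code from the article or from the released PoCs; the event dictionaries imitate Sysmon Event ID 1 field names (Image, ParentImage, ProcessId, ParentProcessId, IntegrityLevel, User), and every record in SAMPLE_EVENTS is constructed for the example rather than captured from a real host.

```python
"""Flag any child process spawned by ctfmon.exe in process-creation telemetry.

Added illustration for the ctfmon.exe hardening advice; not code from the
article or the PoCs. Field names follow the Sysmon Event ID 1 convention
(an assumption about the log source); the sample records are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Child binaries the article names explicitly. Any other child of ctfmon.exe is
# still reported, just at a lower severity, because ctfmon.exe normally spawns
# nothing at all.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "bitsadmin.exe"}


@dataclass
class Alert:
    parent_pid: int
    child_pid: int
    child: str
    user: str
    severity: str
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def detect_ctfmon_children(events):
    """Return one Alert per process whose parent image is ctfmon.exe."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:  # only process-creation records
            continue
        if image_name(ev.get("ParentImage", "")) != "ctfmon.exe":
            continue
        child = image_name(ev.get("Image", ""))
        # A well-known LOLBin child or a SYSTEM-integrity child is the worst case.
        if child in HIGH_RISK_CHILDREN or ev.get("IntegrityLevel") == "System":
            severity = "high"
        else:
            severity = "medium"
        alerts.append(Alert(
            parent_pid=ev["ParentProcessId"], child_pid=ev["ProcessId"],
            child=child, user=ev.get("User", "?"), severity=severity,
            command_line=ev.get("CommandLine", ""),
        ))
    return alerts


# Constructed sample telemetry (not real events). Only records 2, 4 and 5 should fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\ctfmon.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "ctfmon.exe", "IntegrityLevel": "Medium", "User": r"CORP\alice"},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\ctfmon.exe",
     "CommandLine": "cmd.exe /c whoami", "IntegrityLevel": "System",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ProcessId": 4201, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "IntegrityLevel": "Medium", "User": r"CORP\alice"},
    {"EventID": 1, "ProcessId": 4250, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
     "ParentImage": r"C:\WINDOWS\System32\CTFMON.EXE",
     "CommandLine": "powershell.exe -nop -w hidden", "IntegrityLevel": "Medium",
     "User": r"CORP\alice"},
    {"EventID": 1, "ProcessId": 4260, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\ctfmon.exe",
     "CommandLine": "rundll32.exe", "IntegrityLevel": "Medium", "User": r"CORP\alice"},
    {"EventID": 3, "ProcessId": 4188, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for a in detect_ctfmon_children(SAMPLE_EVENTS):
        print(a)
```

Matching on the parent's file name rather than its full path keeps the rule case-insensitive and tolerant of the path variations EDR agents emit; a production rule would additionally pin the parent to the expected System32 path so a renamed binary elsewhere does not hide behind the name.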

2. Physical Security and BitLocker Protections

Since YellowKey requires local or physical access to manipulate the recovery path, physical security is the first line of defense.

  • TPM + PIN: Enforce a TPM + PIN authentication requirement for BitLocker. This adds an additional layer of protection that YellowKey cannot easily bypass, as the key will not be released by the TPM until the PIN is entered.
  • Disable WinRE: For high-risk workstations, consider temporarily disabling the Windows Recovery Environment (reagentc /disable) to remove the primary attack surface for YellowKey.
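A fleet-side check for the TPM + PIN recommendation, as an added example that is not part of the article. It assesses a BitLocker inventory and reports operating-system volumes that still rely on a TPM-only protector. The record shape is modelled on the properties PowerShell's Get-BitLockerVolume exposes (MountPoint, VolumeType, ProtectionStatus, and KeyProtector entries with a KeyProtectorType); treat that mapping as an assumption, and the volumes in SAMPLE_INVENTORY are constructed.

```python
"""Report BitLocker OS volumes that lack a PIN-backed TPM protector.

Added illustration, not from the article. Input records are assumed to be
shaped like Get-BitLockerVolume output (e.g. after ConvertTo-Json); the
sample inventory below is constructed.
"""

# Protector types that satisfy "TPM + PIN" (PIN alone or PIN plus startup key).
PIN_PROTECTORS = {"TpmPin", "TpmPinStartupKey"}
# Protector types where the TPM releases the key with no user secret at all.
TPM_ONLY_PROTECTORS = {"Tpm", "TpmStartupKey"}


def assess_volume(vol):
    """Return a list of human-readable findings for one volume (empty = OK)."""
    findings = []
    mount = vol["MountPoint"]
    types = {kp["KeyProtectorType"] for kp in vol.get("KeyProtector", [])}

    if vol.get("ProtectionStatus") != "On":
        findings.append(f"{mount}: protection is {vol.get('ProtectionStatus')}")

    if vol.get("VolumeType") == "OperatingSystem":
        if not types & PIN_PROTECTORS:
            if types & TPM_ONLY_PROTECTORS:
                findings.append(
                    f"{mount}: TPM-only protector {sorted(types & TPM_ONLY_PROTECTORS)}; "
                    "require TPM + PIN so the key is not released without a user secret")
            else:
                findings.append(f"{mount}: no TPM-based protector at all")
    return findings


def assess_inventory(volumes):
    """Map mount point -> findings for every volume in the inventory."""
    return {vol["MountPoint"]: assess_volume(vol) for vol in volumes}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {   # weak: TPM-only on the OS volume
        "MountPoint": "C:", "VolumeType": "OperatingSystem", "ProtectionStatus": "On",
        "KeyProtector": [{"KeyProtectorType": "Tpm"},
                         {"KeyProtectorType": "RecoveryPassword"}],
    },
    {   # compliant: TPM + PIN on the OS volume
        "MountPoint": "E:", "VolumeType": "OperatingSystem", "ProtectionStatus": "On",
        "KeyProtector": [{"KeyProtectorType": "TpmPin"},
                         {"KeyProtectorType": "RecoveryPassword"}],
    },
    {   # data volume with protection switched off
        "MountPoint": "D:", "VolumeType": "Data", "ProtectionStatus": "Off",
        "KeyProtector": [{"KeyProtectorType": "RecoveryPassword"}],
    },
]

if __name__ == "__main__":
    for mount, findings in assess_inventory(SAMPLE_INVENTORY).items():
        print(mount, findings or "OK")
```

Data volumes are only checked for protection being on, since the PIN requirement applies to the pre-boot unlock of the OS volume; the classification sets make it explicit which protector types count as "TPM alone" versus "TPM plus a user secret".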

3. Advanced EDR Tuning

The GreenPlasma PoC relies on arbitrary section creation. EDR tools should be tuned to monitor for specific Windows API calls associated with this behavior:

  • NtCreateSection: Watch for unusual section names or sections created without a backing file.
  • NtMapViewOfSection: Monitor for processes mapping sections into the address space of unrelated, higher-privilege processes.
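The two tuning points above, combined into one correlation rule as an added example that is not code from the article or the GreenPlasma PoC. It joins NtCreateSection and NtMapViewOfSection records by section identifier and raises an alert when a section is mapped into a different process at a higher integrity level, adding weight when the section has no backing file. The flat event schema (api, pid, image, integrity, section, backing_file, target_pid, target_image, target_integrity) is an assumed normalisation of EDR kernel-callback data, and the SAMPLE_EVENTS are constructed.

```python
"""Correlate section-object telemetry for cross-process, upward mappings.

Added illustration, not from the article or the PoC. The event schema is an
assumption about how an EDR normalises NtCreateSection / NtMapViewOfSection
callbacks; the sample records are constructed.
"""

INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


def correlate_sections(events):
    """Return alerts for NtMapViewOfSection calls that cross into a
    higher-integrity process, enriched with what is known about the section."""
    created = {}   # section id -> the NtCreateSection event that produced it
    alerts = []
    for ev in events:
        if ev["api"] == "NtCreateSection":
            created[ev["section"]] = ev
            continue
        if ev["api"] != "NtMapViewOfSection":
            continue
        if ev["target_pid"] == ev["pid"]:
            continue  # mapping into its own address space: normal behaviour
        src = INTEGRITY_RANK[ev["integrity"]]
        dst = INTEGRITY_RANK[ev["target_integrity"]]
        if dst <= src:
            continue  # sideways or downward mapping is not the escalation shape
        reasons = [f"{ev['image']} ({ev['integrity']}) mapped section "
                   f"{ev['section']} into {ev['target_image']} ({ev['target_integrity']})"]
        origin = created.get(ev["section"])
        if origin is None:
            reasons.append("section origin not seen in telemetry")
        else:
            if origin.get("backing_file") is None:
                reasons.append("section is pagefile-backed (no backing file)")
            if origin["pid"] != ev["target_pid"]:
                reasons.append(f"section created by pid {origin['pid']}, "
                               f"not by the target pid {ev['target_pid']}")
        alerts.append({"section": ev["section"], "source_pid": ev["pid"],
                       "target_pid": ev["target_pid"], "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real events). Only event 4 should fire.
SAMPLE_EVENTS = [
    {"api": "NtCreateSection", "pid": 900, "image": "svchost.exe",
     "integrity": "System", "section": "sec-image-1",
     "backing_file": r"C:\Windows\System32\kernel32.dll"},
    {"api": "NtCreateSection", "pid": 4321, "image": "userapp.exe",
     "integrity": "Medium", "section": "sec-A", "backing_file": None},
    {"api": "NtMapViewOfSection", "pid": 4321, "image": "userapp.exe",
     "integrity": "Medium", "section": "sec-A", "target_pid": 4321,
     "target_image": "userapp.exe", "target_integrity": "Medium"},
    {"api": "NtMapViewOfSection", "pid": 4321, "image": "userapp.exe",
     "integrity": "Medium", "section": "sec-A", "target_pid": 900,
     "target_image": "svchost.exe", "target_integrity": "System"},
    {"api": "NtMapViewOfSection", "pid": 900, "image": "svchost.exe",
     "integrity": "System", "section": "sec-B", "target_pid": 4321,
     "target_image": "userapp.exe", "target_integrity": "Medium"},
]

if __name__ == "__main__":
    for alert in correlate_sections(SAMPLE_EVENTS):
        print(alert)
```

The downward case (event 5, a SYSTEM service handing a view to a user process) is deliberately not flagged: that is how many legitimate services share buffers, and alerting on it would bury the upward pattern the article describes under noise.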

The Evolution of the Zero-Day Market

The emergence of YellowKey and GreenPlasma highlights a growing trend in 2026: the commoditization of high-end exploits. The researcher “Chaotic Eclipse” has essentially bypassed the traditional bug bounty economy, choosing instead to disrupt the patch management cycles of the world’s largest organizations. This act of “cyber-anarchy” forces a re-evaluation of how we trust operating system components that have existed for decades, such as the Text Services Framework.

As Windows Zero-Day Exploits become more targeted and the disclosure methods more aggressive, the burden of security shifts from the vendor to the practitioner. The 24-hour window between disclosure and active exploitation observed with GreenPlasma is a stark reminder that the “dwell time” of a vulnerability is shrinking. Organizations can no longer afford to wait for the next Patch Tuesday to secure their perimeters.

Final Assessment: A Call for Zero-Trust Architecture

The dual threat of YellowKey and GreenPlasma serves as a powerful argument for a Zero-Trust Architecture. If we assume that the OS kernel can be compromised through privilege escalation (GreenPlasma) and that physical disk encryption can be bypassed (YellowKey), the only remaining defense is identity-centric security and data-level encryption.

Relying solely on the operating system’s built-in protections is no longer sufficient. Organizations must adopt a posture where access to data is governed by continuous authentication and where sensitive files are encrypted independently of the disk they reside on. Until Microsoft issues a comprehensive fix for these Windows Zero-Day Exploits, the digital gates are effectively open to any adversary with the technical skill to execute the “Eclipse” PoCs. Vigilance, proactive monitoring, and a rapid response strategy are the only viable shields in the current “Exploit Wednesday” era.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.