BitLocker Zero-Day: USB-Based Exploit Bypasses Disk Encryption via WinRE

On May 13, 2026, security researcher Chaotic Eclipse (also known as Nightmare Eclipse) released proof-of-concept (PoC) code for two unpatched Windows zero-days. The primary threat, dubbed YellowKey, bypasses BitLocker encryption by exploiting the Windows Recovery Environment (WinRE) using a specially crafted USB drive. The second, GreenPlasma, is a work-in-progress local privilege escalation (LPE) vulnerability targeting CTFMON.

The release of functional exploit code significantly lowers the barrier for physical attacks, putting organizations that rely on BitLocker in "TPM-only" mode at immediate risk. In that mode the TPM releases the volume key with no user input once the measured boot chain checks out, and booting into WinRE is part of that trusted chain, so the OS volume is already unlocked while WinRE runs and the vulnerability provides a direct path to its data. Ongoing uncertainty regarding a potential "dead man's switch" and future disclosures further complicates the threat landscape.

Key Takeaways
  • YellowKey weaponizes the Windows Recovery Environment to access BitLocker volumes that remain unlocked during boot. By using a USB drive containing a specific FsTx directory, the exploit manipulates NTFS logs in WinRE to delete winpeshl.ini, forcing the system to launch cmd.exe instead of the standard recovery interface.
  • The exploit affects Windows 11, Windows Server 2022, and Windows Server 2025. The researcher explicitly excluded Windows 10 from the scope of the vulnerability, though technical justification for this exclusion was not provided.
  • A conflict exists regarding TPM+PIN protections: Will Dormann of Tharros Labs notes that the public PoC relies on auto-unlock and fails against TPM+PIN configurations. However, Chaotic Eclipse claims to possess an unreleased method capable of bypassing these additional protections.
  • GreenPlasma, the second vulnerability, is an LPE targeting ctfmon.exe that exploits arbitrary memory section creation in trusted paths. The current PoC is incomplete and lacks the final component required to achieve a SYSTEM shell.

Anatomy of YellowKey: Deceiving the WinRE Filesystem

Chaotic Eclipse's YellowKey PoC demonstrates a BitLocker bypass that requires neither a password nor a recovery key, only physical access to insert a prepared USB device and reboot the machine into WinRE. During boot, WinRE scans connected drives for FsTx directories. When one is found, WinRE replays the NTFS logs it contains, and the replay deletes X:\Windows\System32\winpeshl.ini from the WinRE RAM disk (the X: drive).

Once winpeshl.ini is removed, WinRE fails to launch its standard recovery tools and instead drops the user directly into a cmd.exe prompt. Because the OS volume was already unlocked automatically when WinRE booted (the TPM released the key without user interaction), the shell provides unrestricted access to the volume's data. Will Dormann of Tharros Labs independently verified the USB vector, confirming that the disk remains unlocked at the command prompt. Researcher KevTheHermit also confirmed the exploit's efficacy, noting that the timing, specifically holding the CTRL key during the USB boot, can be finicky and may require multiple attempts.

While the researcher mentioned an alternative vector involving an EFI partition, Dormann was unable to replicate that specific variation. Consequently, the USB-based attack remains the primary documented and repeatable threat.

"The result of this is that the X:\Windows\System32\winpeshl.ini is deleted, and when Windows Recovery is entered, rather than launching the actual Windows Recovery environment, it pops up a CMD.EXE. With the disk still unlocked" — Will Dormann (Tharros Labs)

Vulnerable Versions and the Windows 10 Exclusion

According to Chaotic Eclipse, YellowKey impacts Windows 11, Windows Server 2022, and Windows Server 2025. Interestingly, the researcher has stated that Windows 10 is not vulnerable, though the specific architectural differences preventing the exploit on the older OS were not detailed.

This concentrates the risk on modern environments, particularly enterprise servers and workstations that rely on BitLocker with TPM-only configurations. While Windows 10 is currently listed as unaffected, security teams should remain cautious until technical analysis definitively rules out similar bypass techniques on that platform.

TPM+PIN: Effective Mitigation or Temporary Hurdle?

A significant point of contention involves the effectiveness of TPM+PIN configurations against YellowKey. Will Dormann maintains that the current PoC depends on the volume being auto-unlocked and therefore cannot proceed when a pre-boot PIN is required in addition to the TPM: the TPM will not release the volume key until the PIN is entered, so the OS volume stays locked in WinRE unless the PIN or the recovery key is supplied. In this view, the PIN acts as a hard barrier to the public version of the attack.

The researcher, however, disputes this assessment. Chaotic Eclipse stated: "No, TPM+PIN does not help, the issue is still exploitable regardless... can it still work in a TPM+PIN environment? Yes it does, I'm just not publishing the PoC."

This claim remains unverified as no public code demonstrating a TPM+PIN bypass exists. This creates a gap in risk assessment: while organizations can implement a PIN as a likely mitigation, they cannot treat it as an absolute defense. Until independent verification or a code release occurs, the utility of a PIN against this zero-day remains a subject of debate.

GreenPlasma: Incomplete LPE via CTFMON

Alongside YellowKey, Chaotic Eclipse disclosed GreenPlasma, a local privilege escalation vulnerability. The technique targets ctfmon.exe—which runs with SYSTEM privileges—to create arbitrary memory sections within directory objects writable by the system.

Analyst Het Mehta reviewed the attack chain, describing a sequence of registry and permission rule manipulations used to influence trusted memory from an unprivileged user process. While the theory is sound, the PoC released on May 13, 2026, is incomplete. It lacks the final stage necessary to spawn a SYSTEM shell, rendering it more of a technical demonstration than a weaponized exploit.

The researcher presented GreenPlasma as a "CTF challenge," inviting the security community to complete the final exploit stage. Currently, the threat is limited to local interactive sessions with no evidence of active exploitation in the wild.

Security Recommendations

  • Transition from TPM-only to TPM+PIN on Windows 11 and Server 2022/2025 systems. While the researcher claims a bypass exists, verified testing shows the current PoC is stopped by a PIN requirement.
  • Strictly enforce physical security of endpoints and restrict the ability to boot from external USB devices in the BIOS/UEFI, protecting the firmware setup with a password so that an attacker with a few minutes of physical access cannot simply re-enable USB boot or change the boot order.
  • Conduct an immediate audit of BitLocker configurations to identify volumes in TPM-only mode, prioritizing workstations and servers in physically accessible locations.
  • Monitor official Microsoft security advisories and the researcher’s disclosures for potential patches or updates regarding the rumored "dead man’s switch."
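The audit and the TPM-only-to-TPM+PIN transition from the list above can be scripted. The following PowerShell is an added example written for this page; it is not code from the article, from Microsoft, or from the researcher. It assumes the standard BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) and the FVE policy registry values written by the "Require additional authentication at startup" Group Policy. The function names are mine, and the build-number threshold (20348, the Windows Server 2022 build) is my reading of the article's stated scope, not a statement from the researcher. Run it from an elevated prompt.

```powershell
# Added example, not code from the article or the researcher: find BitLocker OS
# volumes in the TPM-only configuration that the public YellowKey PoC relies on,
# and optionally move them to TPM+PIN.
#Requires -RunAsAdministrator

# Policy key written by the GPO "Require additional authentication at startup".
# Value meanings: 0 = Do not allow, 1 = Require, 2 = Allow. A domain GPO overrides
# anything set here locally.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BitLockerExposure {
    # Assumption from the article's scope (Windows 11, Server 2022, Server 2025):
    # build 20348 (Server 2022) is the lowest build in that set, and every
    # Windows 10 build (<= 19045) falls below it.
    $build = [System.Environment]::OSVersion.Version.Build
    foreach ($vol in (Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' })) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # TPM-only means a plain TPM protector with no PIN-bearing protector beside it.
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not ($types -contains 'TpmPin') -and
                   -not ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            HasRecoveryPass  = ($types -contains 'RecoveryPassword')
            TpmOnly          = $tpmOnly
            InArticleScope   = ($build -ge 20348)
            Exposed          = ($tpmOnly -and $build -ge 20348)
        }
    }
}

function Set-TpmPinRequiredPolicy {
    # Require TPM+PIN and forbid TPM-only for protectors created from now on.
    # Policy does not rewrite existing protectors; use Convert-ToTpmPinProtector.
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    $values = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0; UseTPM = 0
                 UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 2 }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $FvePolicyKey -Name $name -Value $values[$name] -Type DWord
    }
}

function Convert-ToTpmPinProtector {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # A recovery password must exist (and be escrowed) before touching TPM protectors:
    # if adding TPM+PIN fails, e.g. because policy still forbids PINs, the volume
    # must still be recoverable at the next boot.
    if ($types -notcontains 'RecoveryPassword') {
        throw "$MountPoint has no RecoveryPassword protector; add and back it up first."
    }
    foreach ($p in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # Return the post-change state so the caller can confirm TpmOnly is now $false.
    Get-BitLockerExposure | Where-Object { $_.MountPoint -eq $MountPoint }
}

# Usage: report first; convert only after the recovery password is escrowed.
Get-BitLockerExposure | Format-Table -AutoSize
# Set-TpmPinRequiredPolicy
# Convert-ToTpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
```

The new PIN takes effect at the next boot, and Add-BitLockerKeyProtector will refuse a TPM+PIN protector if policy still sets UseTPMPIN to 0, which is why the recovery-password check runs before the TPM-only protector is removed. On domain-joined machines apply the policy values through Group Policy rather than the local registry, since a domain GPO overwrites them.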

The release of YellowKey underscores that the Windows security perimeter extends beyond the active OS. The WinRE environment represents a powerful and often overlooked attack surface. Until Microsoft issues a verified patch, risk assessments must be treated as provisional. Furthermore, the decision to release a zero-day PoC, even an incomplete one like GreenPlasma, highlights how public disclosure can accelerate pressure on vendors at the cost of immediate user exposure.

Frequently Asked Questions

Does YellowKey require a BitLocker password or recovery key?

No. The exploit bypasses the need for credentials by leveraging the auto-unlock mechanism in WinRE, accessing the volume while it is still in an unlocked state.

Is Windows 10 exposed to this attack?

The researcher states that Windows 10 is not vulnerable to YellowKey. However, no technical evidence has been provided to support this exclusion, and it has not been independently verified.

Can GreenPlasma be exploited remotely?

No. Both YellowKey and GreenPlasma require local access. YellowKey requires physical access for a USB boot, while GreenPlasma requires an active local interactive session.
