BitLocker Bypassed: New Zero-Day Trio Targets Windows Following Patch Tuesday



The security window provided by May 2026’s Patch Tuesday slammed shut just hours after the official updates were released. Between May 18 and May 20, the researcher known as Nightmare Eclipse (or Chaotic Eclipse) struck the Microsoft ecosystem again, disclosing technical details for three zero-day vulnerabilities dubbed YellowKey, GreenPlasma, and MiniPlasma. The most alarming exploit involves neutralizing BitLocker encryption through simple physical access and a specially configured USB device.

Nightmare Eclipse’s campaign has reached an unprecedented pace: a total of six zero-day vulnerabilities have been disclosed in the last six weeks, maintaining constant pressure on critical Windows components.

This disclosure strategy appears highly calculated to maximize system exposure. By publishing working exploits immediately following the monthly patching cycle, the researcher ensures these flaws remain without an official fix for nearly an entire month. This "window of impunity" leaves organizations in a precarious defensive position, forcing IT teams to rely on manual mitigations while awaiting a vendor response.

As of now, Microsoft has not released official advisories or patches for this latest trio of flaws. However, the industry remains on high alert: a previous vulnerability in this campaign, BlueHammer (CVE-2026-33825), has already been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming that Nightmare Eclipse’s work has a direct and operational impact on global security.

Key Disclosure Highlights
  • YellowKey: Enables a BitLocker encryption bypass on Windows 11 and Server 2022/2025 via physical access and transactional file manipulation through USB.
  • GreenPlasma: Targets the Collaborative Translation Framework (CTFMON) to achieve SYSTEM privilege escalation, though the PoC currently requires technical refinement.
  • MiniPlasma: Revives a 2020 flaw (CVE-2020-17103) within the cldflt.sys driver, proving that fully updated Windows 11 systems remain vulnerable.
  • Editorial Cliffhanger: The researcher has already teased a "major surprise" scheduled for the June 2026 Patch Tuesday.

YellowKey: A Structural BitLocker Bypass via USB

The YellowKey vulnerability represents a severe blow to the perceived security of "at rest" data on the Windows platform. According to analysis by LevelBlue experts, the flaw could allow an attacker with physical access and a USB device to neutralize BitLocker encryption, gaining unrestricted access to corporate laptops in a remarkably short timeframe. The technique requires no user credentials, no PIN knowledge, and does not require bypassing the Trusted Platform Module (TPM).

The technical mechanism exploits how NTFS transactional files (FsTx) are handled on external volumes during the boot process. An attacker can induce the system to enter the Windows Recovery Environment (WinRE) and, by manipulating files on a USB drive, force the encrypted volume to unlock automatically. This exposes the entire file system to read and write operations, effectively rendering BitLocker protections useless in scenarios involving lost or stolen devices.

The efficacy of YellowKey was confirmed by independent researcher Will Dormann, who successfully reproduced the attack. Dormann obtained an elevated command prompt with an unlocked disk instead of the standard recovery environment. This validation confirms that the flaw is no longer a theoretical hypothesis but a concrete risk for any machine subject to physical access.

GreenPlasma: Privilege Escalation via CTFMON

GreenPlasma focuses on local privilege escalation (LPE) by targeting the Collaborative Translation Framework (CTFMON). This process, which manages input methods and assistive technologies, contains a weakness in how arbitrary memory sections are created. A limited-privilege user could exploit this gap to create sections in directory objects typically writable only by the SYSTEM, facilitating unauthorized code execution.

While Nightmare Eclipse published a proof-of-concept, the researcher described it as technically incomplete regarding final attack automation. Unlike YellowKey, GreenPlasma requires more sophisticated manual intervention to be converted into a ready-to-use exploit. Nonetheless, the vulnerability remains critical because CTFMON is deeply integrated into Windows 10, 11, and Server versions, making the flaw difficult to mitigate without compromising system usability.

In a chained attack scenario, GreenPlasma could serve as a secondary stage: after gaining initial low-privilege access via phishing or other vectors, an attacker would use this vulnerability to seize total control of a server or workstation, bypassing local security restrictions.

MiniPlasma: The Return of CVE-2020-17103

The MiniPlasma case raises troubling questions about Microsoft’s long-term patching efficacy. The vulnerability affects the Cloud Files Mini Filter driver (cldflt.sys) and is essentially a re-emergence of CVE-2020-17103, originally reported by Google Project Zero in 2020. Although Microsoft released a patch at the time, Nightmare Eclipse claims the original exploit still functions without modification on Windows 11 systems updated through May 2026.

"I am unsure if Microsoft never truly fixed the issue or if the patch was silently regressed at some point for unknown reasons," the researcher stated. Will Dormann partially corroborated this, demonstrating that the PoC yields a SYSTEM shell on stable, fully updated builds of Windows 11. However, one technical detail balances the threat: MiniPlasma does not appear to work on Insider Preview Canary builds, suggesting a mitigation may currently be under testing in experimental branches.

This persistent bug indicates a potential code regression or an incomplete implementation of the original fix. For enterprises, this suggests that monthly updates may not be sufficient to guarantee protection against threats known for years, necessitating an additional layer of behavioral monitoring for system drivers.

Mitigation and Defense Strategies

In the absence of official patches, organizations must adopt countermeasures focused on physical asset protection and system integrity monitoring. Priority should be given to neutralizing the USB vector, which is the most accessible path for exploitation.

  • Physical Access Security: To mitigate YellowKey, it is essential to disable booting from external devices (USB/DVD) in BIOS/UEFI settings and protect firmware access with a robust password. Organizations should also monitor system logs for anomalous access to the WinRE environment.
  • Driver Monitoring: Given the nature of MiniPlasma, system administrators should implement specific monitoring rules for the cldflt.sys driver. Suspicious crashes or code execution attempts associated with this component should be treated as potential privilege escalation attempts.
  • BitLocker Auditing: Review BitLocker configurations via Group Policy. Implementing a pre-boot PIN in addition to TPM protection provides a critical layer of defense against physical access attacks that exploit the recovery environment.
  • June Patch Tuesday Preparation: Given Nightmare Eclipse’s current momentum, IT teams should prepare for a potentially heavy update cycle next month, prioritizing tests for updates involving privilege management and the kernel.
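The BitLocker auditing and driver-monitoring steps above can be turned into a repeatable check. The PowerShell below is an added example written for this article, not code from the researcher, LevelBlue, or Microsoft. It uses only documented tooling (the BitLocker module's Get-BitLockerVolume, the FVE policy registry key written by the "Require additional authentication at startup" Group Policy, fltmc.exe and reagentc.exe) and flags volumes that rely on TPM-only authentication, which is the configuration the article identifies as exposed to recovery-environment attacks. The function names are hypothetical; run it in an elevated session on the endpoint being audited.

```powershell
# Added example (not from the original article): audit BitLocker key protectors,
# the startup-authentication policy, the Cloud Files minifilter, and WinRE state.
# Requires an elevated PowerShell session and the BitLocker module (Windows 10/11, Server).

function Get-BitLockerProtectorAudit {
    # Returns one object per BitLocker volume, flagging TPM-only configurations.
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A volume is "TPM-only" when a Tpm protector is present and no protector
        # that requires something the user supplies at boot (PIN or startup key) exists.
        $hasTpm = $types -contains 'Tpm'
        $preBootFactors = @($types | Where-Object {
            $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'StartupKey', 'Password'
        })
        $tpmOnly = $hasTpm -and ($preBootFactors.Count -eq 0)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            TpmOnly          = [bool]$tpmOnly
            Finding          = if ($tpmOnly) {
                # Remediation hint: Add-BitLockerKeyProtector -MountPoint <drive> -TpmAndPinProtector
                'TPM-only: add a pre-boot PIN (TpmAndPinProtector) and enforce it via Group Policy'
            } else { 'OK: pre-boot factor present' }
        }
    }
}

function Get-BitLockerStartupPolicy {
    # Reads the values written by the policy "Require additional authentication at startup".
    # UseAdvancedStartup = 1 enables the policy; UseTPMPIN = 1 means a PIN is required with TPM.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ PolicyPresent = $false; UseAdvancedStartup = $null; UseTPMPIN = $null }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        PolicyPresent      = $true
        UseAdvancedStartup = $p.UseAdvancedStartup
        UseTPMPIN          = $p.UseTPMPIN
        PinRequired        = ($p.UseAdvancedStartup -eq 1 -and $p.UseTPMPIN -eq 1)
    }
}

function Get-CloudFilesFilterStatus {
    # fltmc.exe lists loaded minifilter drivers; cldflt is the Cloud Files Mini Filter
    # named in the MiniPlasma write-up. Knowing whether it is loaded tells you which
    # hosts the driver-monitoring rule actually applies to.
    $lines = & fltmc.exe filters 2>$null
    $match = @($lines | Where-Object { $_ -match '^\s*cldflt\b' })
    [pscustomobject]@{
        CldfltLoaded = ($match.Count -gt 0)
        FltmcLine    = ($match -join '; ')
    }
}

function Get-WinReState {
    # reagentc.exe /info reports whether the recovery environment is enabled and where it lives.
    # The output is returned raw so it can be archived alongside the audit.
    (& reagentc.exe /info 2>&1) -join "`n"
}

# Usage: run all four checks and surface the TPM-only volumes first.
$audit = Get-BitLockerProtectorAudit
$audit | Sort-Object TpmOnly -Descending | Format-Table -AutoSize
Get-BitLockerStartupPolicy | Format-List
Get-CloudFilesFilterStatus | Format-List
Get-WinReState
```

The audit treats a volume as TPM-only when its only pre-boot protector is the TPM itself; a recovery password protector is deliberately not counted as a pre-boot factor, since it is an escrow mechanism rather than something the user presents at startup. Feeding the per-volume objects into your inventory or SIEM gives fleet-wide visibility into which machines still need the PIN the article recommends.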

Why It Matters

Analysis from Bruce Schneier and other industry experts highlights how vulnerabilities like YellowKey expose the structural limits of BitLocker when configured in TPM-only mode. Without a second authentication factor (such as a PIN), trust placed exclusively in hardware is fragile if an attacker can manipulate the boot environment. This proves that security is not a static product but a dynamic process requiring defense-in-depth.

Nightmare Eclipse’s string of discoveries calls into question the long-term reliability of legacy patches. If a 2020 bug can still grant SYSTEM privileges on a 2026 system, the trust model for centralized patching is weakened. Organizations must recognize that encryption alone is not an absolute guarantee if the surrounding environment can be easily manipulated.

The researcher’s promise of a "major surprise" for the June 2026 Patch Tuesday suggests this campaign is far from over. This highlights the urgent need for organizations to move from a reactive security stance to a proactive posture. Vendor transparency will be vital in the coming weeks; without new CVE assignments and detailed advisories, defenders remain vulnerable to public exploits capable of bypassing security pillars once thought to be inviolable.

The information in this article is based on data available as of May 20, 2026, and verifications performed by independent researchers. All details have been cross-referenced with cited sources and were current at the time of publication.
