Overview
- Chaotic Eclipse, also known as Nightmare‑Eclipse, published two Windows exploits on Wednesday: one that bypasses BitLocker protection and one that offers a route to SYSTEM privileges.
- YellowKey places crafted FsTx (NTFS transaction) files on a USB drive or on the EFI partition so that Windows Recovery, when it boots, drops into a command prompt with the encrypted system drive already unlocked. Stolen laptops and shared PCs, where an attacker has physical access, are at the greatest risk.
- Researchers Kevin Beaumont and Will Dormann reproduced the behavior and traced it to NTFS transaction replay inside WinRE: the replayed transaction deletes winpeshl.ini from the recovery environment, and without that file WinPE falls back to cmd.exe instead of launching the recovery menu.
- Systems whose BitLocker volume is protected by the TPM alone, with no pre-boot authentication, are vulnerable, because the TPM releases the key to WinRE just as it would to a normal boot. Until fixes ship, experts recommend a BitLocker startup PIN, a BIOS or UEFI firmware password, and disabling boot from USB or other external media.
- Microsoft says it is investigating; no patches are available yet. Analysts warn that the GreenPlasma CTFMON exploit, although published in incomplete form, could be completed and weaponized, as happened with the researcher’s earlier leaks in April.
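The following PowerShell is an added example, not code from the article or from either researcher. It implements the first recommendation above: it audits every BitLocker operating-system volume for TPM-only protection (a bare `Tpm` protector with no `TpmPin`, `TpmStartupKey` or `TpmPinStartupKey` protector) and, when asked, replaces the bare TPM protector with a TPM+PIN protector. The cmdlets (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`) are the standard Windows BitLocker module. The registry values written under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are an assumption on my part: they are the values the "Require additional authentication at startup" group policy sets when a PIN is allowed, and an enterprise-managed machine should get them from GPO or Intune instead of from this script.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit BitLocker OS volumes for TPM-only
# protection and optionally migrate them to TPM+PIN. Run in an elevated session on
# a Windows edition that ships the BitLocker module (Pro, Enterprise, Education, Server).

function Get-TpmOnlyVolumes {
    # One row per operating-system volume. TpmOnly is $true when the volume can
    # auto-unlock at boot (bare Tpm protector) and nothing else is required
    # before the key is released, which is the configuration YellowKey abuses.
    $preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types = @($_.KeyProtector.KeyProtectorType)
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ', ')
                HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
                TpmOnly          = ($types -contains 'Tpm') -and
                                   -not ($types | Where-Object { $_ -in $preBootTypes })
            }
        }
}

function Enable-TpmPinProtector {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $vol = Get-TpmOnlyVolumes | Where-Object MountPoint -eq $MountPoint
    if (-not $vol) { throw "$MountPoint is not a BitLocker-protected OS volume" }
    if (-not $vol.TpmOnly) { Write-Host "$MountPoint already requires pre-boot auth"; return $vol }
    # Safety net: never touch the TPM protector unless a recovery password exists,
    # otherwise a failure below would leave the volume with no way to unlock.
    if (-not $vol.HasRecoveryPwd) {
        throw "$MountPoint has no RecoveryPassword protector; add and back one up first"
    }

    # ASSUMPTION: these mirror the "Require additional authentication at startup"
    # policy with the PIN set to Allow (2). Without them the TPM+PIN add is refused.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'UseTPMPIN'          -Value 2 -Type DWord

    # BitLocker permits a single TPM-based protector per volume, so the bare Tpm
    # protector is removed before the TPM+PIN protector is added.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Return the re-audited row so the caller can confirm TpmOnly is now $false.
    Get-TpmOnlyVolumes | Where-Object MountPoint -eq $MountPoint
}

# Usage: report first; uncomment the remediation line once the PIN has been agreed with the user.
$report = Get-TpmOnlyVolumes
$report | Format-Table -AutoSize
foreach ($v in ($report | Where-Object TpmOnly)) {
    Write-Warning "$($v.MountPoint) unlocks on TPM alone; WinRE will receive the key without a PIN."
    # Enable-TpmPinProtector -MountPoint $v.MountPoint -Pin (Read-Host -AsSecureString 'Startup PIN')
}
```

The script only covers the first of the three recommendations. A firmware password and a boot-order lock that excludes USB and other external media are set in the UEFI setup, or pushed through the OEM's management tooling, and are not reachable from PowerShell in a vendor-neutral way; both remain necessary, since a PIN alone does not stop an attacker from booting their own media.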