Overview
- Chaotic Eclipse released two unpatched Windows proofs of concept dubbed YellowKey and GreenPlasma, targeting disk encryption and privilege escalation.
- Independent tests by Kevin Beaumont, Will Dormann, and Tom’s Hardware verified YellowKey, which uses special FsTx files to hijack the Windows Recovery Environment and open a command shell.
- Dormann explained the method relies on NTFS log replay in WinRE to remove winpeshl.ini, causing a shell to launch while the BitLocker‑protected disk stays unlocked.
- The published exploit works on TPM‑only BitLocker on Windows 11 and Windows Server 2022/2025 and requires the original device, with researchers urging a BitLocker PIN, a BIOS password, and restricted USB or external boot as stopgaps.
- Microsoft said it is investigating and will update affected devices; GreenPlasma's partially released code does not yet provide a reliable SYSTEM shell but could be extended, and Forbes reported early use of the new exploits in active attacks.
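An added audit script (not from the article or the researchers it cites): it lists which BitLocker volumes rely on a TPM-only key protector, the configuration the bullets above say the published proof of concept targets, and points at the PIN mitigation they recommend. It assumes an elevated PowerShell session on Windows with the built-in BitLocker module available.

```powershell
# Added example, not code from the article. Audits BitLocker protectors to find
# OS volumes that unlock with the TPM alone (no pre-boot PIN or startup key).
#Requires -RunAsAdministrator
Import-Module BitLocker

# Protector types that add a pre-boot factor on top of the TPM.
$extraFactorTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerProtectorReport {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasTpm = $types -contains 'Tpm'
        $hasExtra = @($types | Where-Object { $extraFactorTypes -contains $_ }).Count -gt 0
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ',')
            # TPM-only: the TPM releases the key with no user-supplied factor.
            TpmOnly    = ($hasTpm -and -not $hasExtra)
        }
    }
}

$report = Get-BitLockerProtectorReport
$report | Format-Table -AutoSize

$exposed = @($report | Where-Object { $_.TpmOnly -and $_.VolumeType -eq 'OperatingSystem' })
if ($exposed.Count -gt 0) {
    Write-Warning ("OS volume(s) using a TPM-only protector: " + ($exposed.MountPoint -join ', '))
    Write-Warning "Stopgap from the report: require a pre-boot PIN (TPM+PIN protector)."
    # The cmdlet below is the documented way to add such a protector; the
    # 'Require additional authentication at startup' policy must permit TPM+PIN,
    # and the existing TPM-only protector is replaced, so test on one machine first.
    Write-Warning '  $pin = Read-Host -AsSecureString "New BitLocker PIN"'
    Write-Warning '  Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin $pin'
} else {
    Write-Output "No TPM-only OS volume found."
}
```

Pair the PIN with the BIOS password and external-boot restrictions the report mentions; the script only surfaces the protector configuration and does not check firmware settings.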