{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreicux6rnti7cva75iepft6bzjom6l4badnl5dkpf3dsgnc5q5i6km4",
"uri": "at://did:plc:awj2q63kg2v3k5xwsjh2uoe3/app.bsky.feed.post/3mlwdke2twwf2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreia3s6d2vdof3q7dxuilprkhg64u5jlg3jc5qauy7vp4vi2ent4iqm"
},
"mimeType": "image/jpeg",
"size": 386911
},
"description": "An anonymous security researcher known as Nightmare-Eclipse has published two more Windows zero-day exploits, YellowKey and GreenPlasma, after already publishing three earlier this year.",
"path": "/news/2026/05/15/bitlocker-bypass-found-researcher-warns-of-more-unreleased-vulnerabilities/",
"publishedAt": "2026-05-15T22:03:03.000Z",
"site": "https://www.privacyguides.org",
"tags": [
"YellowKey",
"GreenPlasma",
"PIN",
"UnDefend",
"RedSun",
"unfixed"
],
"textContent": "An anonymous security researcher known as Nightmare-Eclipse has published two more Windows zero-day exploits, YellowKey and GreenPlasma, after already publishing three earlier this year.\n\nThe researcher didn't follow standard coordinated vulnerability disclosure procedures and instead published the vulnerabilities publicly on GitHub, a practice that leaves users exposed to exploitation while the software developers scramble to fix the issue.\n\nThe researcher describes YellowKey, a BitLocker bypass, as \"one of the most insane discoveries I ever found.\"\n\nThey go on to speculate that it \"almost feels like a **backdoor** but what do you know, maybe I'm just insane.\"\n\nThe attack can be performed simply by copying a folder from the YellowKey GitHub repository onto either an external storage device or directly onto the EFI system partition of the main drive.\n\nBoot into the Windows Recovery Environment (WinRE) by holding Shift and clicking Restart, hold Ctrl as it boots up, and you will be presented with a shell that has \"unrestricted access to the bitlocker protected volume.\"\n\n> Now why would I say this is a **backdoor**? The component that is responsible for this bug is not present anywhere (even on the internet) except inside the WinRE image, and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal Windows installation but without the functionalities that trigger the BitLocker bypass issue. Why? I just can't come up with an explanation besides the fact that this was intentional.\n> Also, for whatever reason, only Windows 11 (+Server 2022/2025) are affected; Windows 10 is not.\n\nIt's bizarre that only more recent versions of Windows are affected.\n\nWhile the bug does require physical access to the machine, it's still alarming, since defending against an attacker with physical access to your computer is precisely what BitLocker is designed to do.\n\nSupposedly, you can prevent the bypass by configuring BitLocker to require a pre-boot PIN in addition to the TPM (TPM+PIN) instead of using TPM-only mode. In TPM-only mode the TPM releases the volume encryption key automatically during boot with no user interaction; with a PIN, the key is not released until the PIN is entered, so booting the machine into a shell is not enough on its own.\n\nThe second vulnerability, GreenPlasma, is a privilege escalation bug for which they didn't release a full proof-of-concept, leaving it as a \"huge challenge for CTF lovers out there.\"\n\nPreviously released exploits include UnDefend, a tool that stops Windows Defender from receiving signature updates, and RedSun, another Windows Defender exploit.\n\n> When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location. The PoC abuses this behaviour to overwrite system files and gain administrative privileges.\n\nThese exploits are still unfixed, according to _The Register_.\n\nMake sure to keep your Windows machines updated and locked down as much as possible.",
"title": "BitLocker Bypass Found, Researcher Warns of More Unreleased Vulnerabilities",
"updatedAt": "2026-05-15T22:03:04.124Z"
}