Two new zero-day exploits, 'YellowKey' and 'GreenPlasma,' affecting Microsoft Windows, were publicly disclosed on May 13, 2026, by a researcher using the aliases 'Chaotic Eclipse' and 'Nightmare Eclipse.' Attackers rapidly exploited both vulnerabilities within 24 hours of their public release, as confirmed by The Hacker News. This uncoordinated disclosure, timed with Microsoft's Patch Tuesday without corresponding fixes, exposes Windows environments globally.
What Happened
On May 13, 2026, the cybersecurity researcher known as 'Chaotic Eclipse' and 'Nightmare Eclipse' publicly released details for two new zero-day exploits impacting Microsoft Windows: 'YellowKey' and 'GreenPlasma,' as reported by Forbes. This disclosure coincided with Microsoft's May Patch Tuesday. Microsoft did not include patches for either vulnerability in that release, leaving systems exposed. Within a single day, both exploits were confirmed by The Hacker News to be actively used in real-world attacks.
This incident follows the same researcher's public disclosure of three other Microsoft Defender zero-days, 'BlueHammer,' 'RedSun,' and 'UnDefend,' in April. 'BlueHammer' was assigned CVE-2026-33825 and subsequently patched. Microsoft reportedly addressed 'RedSun' silently, though Microsoft has not confirmed this. According to Forbes, the researcher's repeated disclosures stem from reported dissatisfaction with Microsoft's vulnerability disclosure process; they have publicly accused the Microsoft Security Response Center of inadequate response times and transparency. The researcher has explicitly threatened to continue releasing zero-days alongside future Patch Tuesday updates if their concerns are not met.
Why It Matters
The immediate, confirmed active exploitation of 'YellowKey' and 'GreenPlasma' means security teams must respond quickly. 'YellowKey' specifically targets Windows BitLocker encryption, a fundamental data protection control for millions of devices running Windows 11 and Windows Server 2022/2025. A successful bypass exposes all data on a BitLocker-protected system even where TPM+PIN protectors are configured, and this has been confirmed in active attacks.
'GreenPlasma' enables privilege escalation through the Windows Collaborative Translation Framework (CTFMON), allowing attackers to gain elevated access on affected systems. This provides a direct path to sensitive documents, to credential theft (which can in turn expose password managers such as Bitwarden or 1Password if they are not carefully secured), and to lateral movement or the deployment of additional malware. An attacker who can escalate privileges controls the compromised system. The widespread deployment of Microsoft Windows creates a massive attack surface, putting individuals and organizations, from small businesses to large enterprises, at significant and immediate risk. With no vendor patch available, organizations must mitigate and monitor now or prepare for potential data loss and system compromise.
Technical Breakdown
YellowKey operates as a sophisticated BitLocker encryption bypass. The exploit involves preparing specially crafted 'FsTx' files, typically on a USB drive or by planting them directly onto the EFI partition of the target system. When this USB is plugged into a BitLocker-protected Windows computer, the attacker reboots the machine into the Windows Recovery Environment (WinRE). During the WinRE boot process, holding down the CTRL key can trigger a shell. This shell execution occurs with sufficient privileges to bypass BitLocker encryption entirely, even when hardware-backed TPM and PIN configurations are enabled. This direct access to the system's underlying filesystem completely subverts the confidentiality controls BitLocker is designed to enforce.
GreenPlasma targets the Windows Collaborative Translation Framework (CTFMON), a legitimate component of the Windows operating system often used for input methods and language support. This vulnerability allows for arbitrary section creation, which can be manipulated to achieve privilege escalation. While specific CVE details, CVSS scores, and an exhaustive list of affected versions beyond a general description were not immediately available in the initial public disclosure, the core mechanism involves exploiting how CTFMON handles memory sections to elevate an attacker's process privileges from a low-level user to SYSTEM or Administrator. This gives an attacker complete control over the compromised system.
Mapping these attacks to the MITRE ATT&CK framework:
- For YellowKey, the use of a USB drive or manipulation of the EFI partition to deliver the payload and trigger the WinRE shell aligns with T1091 Replication Through Removable Media. Gaining access to the system's data and potentially bypassing logon mechanisms also relates to privilege escalation and credential access.
- For GreenPlasma, the ability to gain higher privileges on a system via a vulnerability in CTFMON is a direct application of T1068 Exploitation for Privilege Escalation.
From a NIST SP 800-53 perspective, the implications are clear:
- Microsoft's failure to patch these known vulnerabilities before public disclosure challenges SI-2 Flaw Remediation, emphasizing the need for timely and effective patching.
- The privilege escalation enabled by 'GreenPlasma' directly challenges AC-6 Least Privilege, which mandates that users and processes operate with the minimum necessary access rights. Compromising this control allows attackers to bypass security boundaries.
- Organizations using CrowdStrike Falcon or SentinelOne EDR platforms should monitor for unusual WinRE access patterns, unexplained process creations, or attempts to modify EFI partitions as potential indicators of compromise for these specific exploits.
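Detection logic for the indicators named in the last bullet (unexpected process creations under ctfmon.exe, EFI partition or WinRE manipulation from a running session), written as an added example that is not from the article or from any vendor product. The record shape, the constructed sample events and the list of commands treated as EFI/WinRE indicators are assumptions.

```python
import re

# Assumption: ctfmon.exe (the CTF loader) has no legitimate reason to spawn these
# script/shell hosts; such a child is worth an analyst's attention.
SUSPICIOUS_CTFMON_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                              "wscript.exe", "cscript.exe", "rundll32.exe"}

# Assumption: these built-in commands are the common ways to expose the EFI
# system partition or steer the next boot into WinRE from a running session.
EFI_WINRE_PATTERNS = [
    (re.compile(r"\bmountvol\b.*\s/s\b", re.I), "mounts the EFI system partition"),
    (re.compile(r"\breagentc\b.*\s/boottore\b", re.I), "forces the next boot into WinRE"),
    (re.compile(r"\bbcdedit\b.*\brecoverysequence\b", re.I), "changes the recovery boot entry"),
]

def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return (ATT&CK id, message) findings for one process-creation record."""
    findings = []
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if parent == "ctfmon.exe" and image in SUSPICIOUS_CTFMON_CHILDREN:
        findings.append(("T1068", f"ctfmon.exe spawned {image} as {ev.get('User', '?')}"))
    for pattern, why in EFI_WINRE_PATTERNS:
        if pattern.search(cmd):
            findings.append(("T1091", f"{image} {why}: {cmd}"))
    return findings

def scan(events):
    """Run every rule over every record; returns a flat list of findings."""
    return [(ev.get("EventID"), f) for ev in events for f in check_event(ev)]

# Constructed sample records (not real telemetry), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\ctfmon.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\mountvol.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "mountvol S: /s"},
    {"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\ReAgentc.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "reagentc.exe /boottore"},
    {"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for event_id, (technique, message) in scan(SAMPLE_EVENTS):
        print(f"[{technique}] event {event_id}: {message}")
```

The benign records (explorer.exe from userinit.exe, PowerShell from Explorer) produce no findings, so the rules can be tuned against real telemetry before being deployed in an EDR or SIEM.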
Historical Context
This situation mirrors the 'Dirty Frag' Linux zero-day (also known as Fragnesia LPE), which emerged earlier in 2026. In that incident, a Linux privilege escalation vulnerability was publicly disclosed by a researcher frustrated with what they perceived as slow vendor response times. Much like 'YellowKey' and 'GreenPlasma,' the immediate public release of 'Dirty Frag' led to rapid, active exploitation in the wild, leaving Linux system administrators scrambling to implement workarounds or custom patches before official vendor fixes became available. Both cases underscore a recurring problem: when researchers feel ignored or undervalued in responsible disclosure processes, the risk of full, uncoordinated disclosure—and subsequent rapid exploitation—rises significantly. The immediate impact is always active attacks before patches are available.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| Zero-Day Names | YellowKey, GreenPlasma | The Hacker News |
| Disclosure Date | May 13, 2026 | Forbes |
| Exploitation Observed Within | 24 hours | The Hacker News |
| Researcher-Disclosed Zero-Days | 5 (since April 2026) | Forbes |
| YellowKey Affected Versions | Windows 11, Windows Server 2022/2025 | The Hacker News |
| GreenPlasma Impact | Privilege Escalation | The Hacker News |

The CVEDaily Take
These 'YellowKey' and 'GreenPlasma' incidents highlight that relying solely on Microsoft's Patch Tuesday for remediation is insufficient, especially when faced with a researcher who has publicly threatened further disclosures. We think Microsoft is understating the human element here, as the researcher's continued public disclosures indicate a fundamental breakdown in their vulnerability handling process. This is not merely about a disgruntled individual, but about a vendor's ability to maintain trust and control over its ecosystem. Organizations must have robust vulnerability management and monitoring capabilities to detect and respond to zero-day threats before vendor patches arrive. How are organizations planning to address the threat of potential future unpatched zero-days from this researcher given Microsoft's current response?
FAQ
Q: What versions of Windows are affected by 'YellowKey'?
A: 'YellowKey' primarily affects Windows 11 and Windows Server 2022/2025 systems that rely on BitLocker for encryption.
Q: Can TPM+PIN configurations protect against the 'YellowKey' exploit?
A: No, the 'YellowKey' BitLocker bypass is specifically designed to circumvent even TPM+PIN configurations by exploiting the Windows Recovery Environment (WinRE) shell, as confirmed by observed exploitation.
Q: Has Microsoft released patches for 'YellowKey' and 'GreenPlasma'?
A: As of the May 13, 2026 Patch Tuesday, Microsoft had not included patches for these specific zero-days, meaning they remained unaddressed by official vendor fixes at the time of their public disclosure and confirmed active exploitation.