Found two new Zero-days on BitLocker 🚨

There are reports of new vulnerabilities on Windows that are being watched in the security industry after an anonymous researcher using the name Nightmare-Eclipse or Chaotic Eclipse revealed two additional Zero-day vulnerability details: YellowKey and GreenPlasma, releasing the data shortly after Microsoft released an update around Patch Tuesday for May 2026.

.

The most common vulnerability is YellowKey, which is claimed to be a way to bypass the BitLocker encryption system without using the Recovery Key. If an attacker has access to the physical machine, it has to prepare a file for hacking the drive. Then boot the machine into Windows Recovery Environment or WinRE and follow the steps found by the researchers, it will be able to launch a highly eligible Command Prompt on the BitLocker-enabled machine.

.

The point of concern is that if a machine is stolen or lost, BitLocker will be like the last shield to protect local data because the data on the drive is encrypted. Without a password or Recovery Key, no one should be able to read it.

.

But if YellowKey is as practical as researchers claim, the stolen device may not be as secure as it should be, and may be explored much more easily, especially by corporate machines with important information, because if the data is leaked, it can lead to legal issues.

.

The Register quoted Rik Ferguson, Forescout's vice president of Security Intelligence, as saying that if this claim were true, stolen notebooks would not just be a hardware problem, but would immediately become a data problem, while Gavin Knapp of Bridewell saw that while this vulnerability relies on real machine access, it is still a big problem for organizations that rely on BitLocker to protect data.

.

Initially, there are suggestions that organizations may reduce the risk of YellowKey by setting up BitLocker to use the PIN in conjunction with the TPM, as well as setting the BIOS / UEFI password to prevent boot or changing the boot sequence without permission. However, they still have to wait for official moves and patches from Microsoft.

.

In addition to YellowKey, the same researchers also revealed GreenPlasma, a permissions vulnerability in Windows that can give attackers SYSTEM permissions. But The Register indicates that the released code is only partial, incomplete, and in its current state, a Windows UAC window has been bounced to warn users or admins.

.

However, experts warn that this vulnerability is often used after an attacker has hacked into the system to steal credentials and internal data and resume data that has been hacked into other machines in the network and end up releasing ransomware.

.

Source: The Register

# IT should know # IT News # IT News # IT