Researchers Uncover YellowKey and GreenPlasma Windows Zero-Days

Security Affairs, May 15, 2026

Key Takeaways

  • YellowKey bypasses BitLocker on Windows 11 and Server 2022/2025
  • GreenPlasma enables SYSTEM‑level privilege escalation via CTFMON abuse
  • Both flaws require physical or local access, raising supply‑chain concerns
  • Microsoft has patched only the earlier BlueHammer bug; YellowKey/GreenPlasma remain unpatched

Pulse Analysis

The latest disclosures from independent researcher Chaotic Eclipse highlight a troubling trend: critical Windows components are being weaponized in ways that bypass foundational security layers. YellowKey exploits a hidden component inside the Windows Recovery Environment, allowing an adversary with a compromised USB device to sidestep BitLocker encryption and spawn a privileged shell. Meanwhile, GreenPlasma manipulates the CTFMON translation framework to create arbitrary memory sections, a technique that can elevate a low‑privilege account to SYSTEM. Both vulnerabilities affect Windows 11 and the newest Server releases, underscoring that even the most recent OS builds are not immune to deep‑rooted flaws.

From a threat‑actor perspective, the requirement for physical or local access does not diminish the risk. Supply‑chain compromises or malicious insiders can plant malicious media or abuse trusted paths on machines that are already compromised. Huntress has already observed exploitation of related flaws disclosed earlier this year, suggesting that public exploit code can quickly translate into active campaigns. Enterprises that rely on BitLocker for data‑at‑rest protection or trust CTFMON for system services must reassess their attack surface, especially in environments with high‑value assets or regulated data.

Microsoft’s response so far has been limited to patching the earlier BlueHammer vulnerability, leaving YellowKey and GreenPlasma open. Organizations should prioritize immediate mitigations: enforce strict USB device controls, disable WinRE when not needed, and monitor for anomalous activity in the System Volume Information\FsTx directory. Deploying endpoint detection and response tools that can flag unusual privilege‑escalation attempts is also critical. The disclosures serve as a reminder that Windows security must be layered, with both preventive controls and rapid incident‑response capabilities to address zero‑day threats before official patches are released.
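As an added example (not code from the article, Security Affairs, or Microsoft), the following read-only PowerShell audit reports the state of the mitigations listed above: whether WinRE is enabled, BitLocker protection per volume, whether the removable-storage deny policy is set, and recent writes under the FsTx directory. The Deny_All registry value and the SYSTEM-only ACL note are assumptions drawn from the "All Removable Storage classes: Deny all access" Group Policy and default NTFS permissions, not from the article.

```powershell
# Added example: read-only audit of the mitigations named in the article.
# Run from an elevated PowerShell session on Windows 11 / Server 2022/2025.

function Get-WinReStatus {
    # reagentc /info prints a line of the form "Windows RE status: Enabled|Disabled"
    $line = (reagentc /info 2>$null | Select-String 'Windows RE status')
    if (-not $line) { return 'Unknown' }
    return ($line.Line -split ':')[-1].Trim()
}

function Get-BitLockerSummary {
    # Requires the BitLocker module that ships with Windows 11 / Server.
    Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus,
            @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ',') } }
}

function Test-RemovableStorageDenied {
    # Assumption: the Group Policy "All Removable Storage classes: Deny all access"
    # writes Deny_All=1 under this key when enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $v = (Get-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    return ($v -eq 1)
}

function Get-RecentFsTxActivity {
    param([string]$Drive = 'C:', [int]$Hours = 24)
    # The article names this directory as one to watch for anomalous activity.
    # Assumption: System Volume Information is readable by SYSTEM only by default,
    # so run this as SYSTEM (e.g. via a scheduled task) or expect an access error.
    $path  = Join-Path $Drive 'System Volume Information\FsTx'
    $since = (Get-Date).AddHours(-$Hours)
    try {
        Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction Stop |
            Where-Object { $_.LastWriteTime -gt $since } |
            Select-Object FullName, Length, LastWriteTime
    } catch {
        Write-Warning "Cannot read ${path}: $($_.Exception.Message)"
    }
}

"WinRE status           : $(Get-WinReStatus)"
"Removable storage deny : $(Test-RemovableStorageDenied)"
Get-BitLockerSummary   | Format-Table -AutoSize
Get-RecentFsTxActivity | Format-Table -AutoSize
```

A WinRE status of Enabled on a machine that does not need recovery, ProtectionStatus of Off on a BitLocker volume, or a False removable-storage result are the findings to act on; `reagentc /disable` turns WinRE off where it is not required.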
