// Rogue Researcher Releases Third Wave of Windows Zero-Days

By Thomas  ·  May 15, 2026


A security researcher operating under the aliases “Chaotic Eclipse” and “Nightmare Eclipse” has released a third set of Windows zero-day vulnerabilities, shortly after the latest Patch Tuesday. The disclosures continue a pattern, with the first two releases earlier this month targeting Windows Defender and allowing full SYSTEM access. This time, the exploits include a method to bypass BitLocker encryption and a separate privilege escalation vulnerability affecting standard Windows processes.

BitLocker Bypass Exploit: “Yellow Key”

The most notable exploit in this release has been named “Yellow Key.” According to the researcher, it bypasses BitLocker protection entirely. The exploit requires physical access to the target device: a USB drive containing the exploit must be inserted into the computer, followed by a reboot into the Windows Recovery Environment and a specific sequence of key presses. Successfully executing the steps reportedly opens a shell with unrestricted access to the encrypted volume.

The researcher suggests that the vulnerable component may have been intentionally included in the recovery environment, noting that a similar component exists in normal Windows installations without the exploit-triggering functionality. Only Windows 11, Windows Server 2022, and Windows Server 2025 are affected, while Windows 10 is reportedly unaffected.

Privilege Escalation Exploit: “GreenPlasma”

The second zero-day, called “GreenPlasma,” targets the CTFMON process, which runs as SYSTEM and manages text input functions. Analysis by a separate researcher indicates that the exploit manipulates Windows registry settings and permissions to gain control over a memory section trusted by the system. This allows shellcode or fake libraries to be planted.

The released version is intentionally incomplete, leaving the final step for escalation as a challenge. The researcher frames it as a test for those capable of converting it into a full SYSTEM shell, highlighting the inherent trust some Windows services and drivers place in specific file paths.

Researcher’s Motivations and Warnings

The individual behind the exploits claims a personal grievance against Microsoft, alleging that the company left them “homeless with nothing.” In blog posts, they warn of further exploit releases if the company does not “resolve the situation responsibly” and hint at a “dead man switch” mechanism that could trigger automatically if ignored.

The researcher explicitly stated that additional exploits may involve other companies and indicated that upcoming releases could be more severe, framing these actions as a form of retaliation rather than technical experimentation alone.

Community Reactions

The exploits are publicly available on GitHub, though independent verification is limited. One threat researcher confirmed that the BitLocker bypass is functional, though execution is reportedly inconsistent. Discussions in the cybersecurity community reflect both curiosity and concern, particularly because the exploits appear to affect recent Windows versions and could expose sensitive data if misused.

Conclusion

The third wave of zero-days released by the researcher known as “Chaotic Eclipse” and “Nightmare Eclipse” continues a series of post-Patch Tuesday disclosures targeting Microsoft systems. The exploits raise questions about Windows security, especially for BitLocker users and administrators managing interactive sessions. The researcher has indicated that these releases will continue unless their demands are addressed, leaving affected systems in a potentially vulnerable state.
