Canadian Cyber Security Journal

Windows BitLocker Bypass and LPE Zero-Days Go Public — No Patches Available

What Happened

A researcher going by the alias Nightmare-Eclipse published proof-of-concept exploit code on GitHub on May 12, 2026, for two unpatched Windows vulnerabilities named YellowKey and GreenPlasma.

YellowKey is a BitLocker bypass that works against drives protected with TPM-only mode — the default configuration on most consumer and enterprise Windows machines. The exploit fits on a USB stick. An attacker reboots the target system into the Windows Recovery Environment while holding the CTRL key, runs the exploit from the USB, and gains unrestricted shell access to the encrypted volume. The researcher states the same underlying flaw affects TPM+PIN configurations but has not published that variant. Both Windows 11 and Windows Server 2025 are affected.

GreenPlasma targets the Windows CTFMON service and enables local privilege escalation to SYSTEM via an arbitrary section creation weakness. The researcher withheld the final stage of the exploit, but the core logic is now public — a skilled attacker has enough to reconstruct a working SYSTEM shell.

Microsoft has not issued patches, advisories, or workaround guidance for either vulnerability as of May 13. YellowKey and GreenPlasma are the fourth and fifth unpatched Windows zero-days this researcher has released in 2026, following BlueHammer, RedSun, and two earlier disclosures.

Why This Matters for Canadian Organizations

BitLocker is the disk encryption standard for Windows devices across Canadian government, healthcare, financial services, and enterprise organizations. Encryption-at-rest is a core compliance control under PIPEDA, provincial health privacy laws, and the proposed Bill C-26 critical infrastructure protections. YellowKey undermines all of it — not through a remote attack, but through physical access, which is precisely the scenario disk encryption defends against.

The threat model is direct: a lost laptop, an unattended workstation, or a seized device from a border crossing becomes fully readable to anyone with a USB stick and this exploit. For organizations handling sensitive personal data, health records, or classified government information, this is a material encryption failure.

GreenPlasma compounds the risk. Combined with a phishing-delivered initial foothold, it gives an attacker a reliable path from user-level code execution to full SYSTEM control — disabling security tools, dumping credentials, and moving laterally without triggering most privilege-based detection logic.

Canada’s Communications Security Establishment (CSE) and provincial CISOs should treat this as an urgent advisory-level event. Organizations running Windows 11 or Windows Server 2025 without additional encryption controls beyond TPM-only BitLocker are exposed today.

What to Do

First, review BitLocker configurations across your fleet. Switching from TPM-only to TPM+PIN or TPM+USB key adds an authentication factor the YellowKey PoC does not address. Group Policy controls this at scale via Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
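The following PowerShell script is an added example for this step; it is not from the article or from Microsoft. It inventories the key protectors on each BitLocker volume and labels operating-system volumes that rely on the TPM alone, which is the configuration the article describes YellowKey as targeting. It also reads the registry values behind the "Require additional authentication at startup" policy under the Group Policy path named above (assumption: the values follow the documented FVE encoding of 0 = do not allow, 1 = require, 2 = allow). Run it elevated; for fleet-wide collection, wrap `Get-BitLockerPosture` in `Invoke-Command` or your configuration-management tooling (assumption: remoting is available).

```powershell
# Added example, not the article's or Microsoft's code.
# Audit BitLocker key protectors on a host and flag OS volumes that are TPM-only.

# Protector types that add a pre-boot factor beyond the TPM itself.
$multiFactorTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerPosture {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; normalise to strings for comparison.
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm = $types -contains 'Tpm'
        $hasMfa = @($types | Where-Object { $_ -in $multiFactorTypes }).Count -gt 0

        $posture = if ($vol.VolumeStatus -ne 'FullyEncrypted') { 'NotFullyEncrypted' }
                   elseif ($vol.VolumeType -eq 'OperatingSystem' -and $hasTpm -and -not $hasMfa) { 'TpmOnly' }
                   elseif ($hasMfa) { 'TpmPlusFactor' }
                   else { 'Other' }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            VolumeStatus = $vol.VolumeStatus
            Protectors   = ($types -join ',')
            Posture      = $posture
        }
    }
}

# Registry backing of the "Require additional authentication at startup" policy.
# Assumption: 0 = do not allow, 1 = require, 2 = allow, per the documented FVE encoding.
function Get-BitLockerStartupPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ PolicyPresent = $false }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        PolicyPresent      = $true
        UseAdvancedStartup = $p.UseAdvancedStartup
        UseTPM             = $p.UseTPM
        UseTPMPIN          = $p.UseTPMPIN
        UseTPMKey          = $p.UseTPMKey
        UseTPMKeyPIN       = $p.UseTPMKeyPIN
    }
}

# Report: any OS volume with Posture = TpmOnly is the configuration the article warns about.
Get-BitLockerPosture | Format-Table -AutoSize
Get-BitLockerStartupPolicy | Format-List
```

A volume reported as `TpmOnly` can be moved to TPM+PIN with `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)`, after which the plain TPM protector should be removed with `Remove-BitLockerKeyProtector`; set the policy values first so the change is enforced rather than merely applied once.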

Second, enforce physical security controls for high-value endpoints. Disk encryption alone is not sufficient when a known bypass exists and no patch is available.

Third, monitor for CTFMON anomalies and unexpected section object creation. GreenPlasma relies on CTFMON manipulation — endpoint detection tools with memory artifact coverage should flag this behaviour pattern.
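As an added example for this step (not code from the article or from any vendor), the script below takes a baseline of the running `ctfmon.exe` instances on a host and reports ones that deviate from the expected image path, fail Authenticode validation, or have a parent process outside an expected set. The expected parent list is an assumption for a typical Windows 11 workstation and should be replaced with values from your own baseline. It covers only process-level telemetry; section object creation is not visible from PowerShell and needs the memory-artifact coverage in your EDR or Sysmon configuration, as the article notes.

```powershell
# Added example, not the article's code. Baseline check of ctfmon.exe instances.

$expectedPath    = Join-Path $env:SystemRoot 'System32\ctfmon.exe'
# Assumption: parents seen on a typical Windows 11 host; tune against your baseline.
$expectedParents = @('svchost.exe', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'sihost.exe')

function Get-CtfmonFindings {
    $findings = @()
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'ctfmon.exe'"
    foreach ($p in $procs) {
        # Resolve the parent by PID; it may already have exited.
        $parent     = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        # ExecutablePath can be null for protected processes; treat that as a finding.
        $path = $p.ExecutablePath
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'NoPath' }

        $reasons = @()
        if ($path -ne $expectedPath)              { $reasons += "image path '$path'" }
        if ($sig -ne 'Valid')                     { $reasons += "signature status $sig" }
        if ($parentName -notin $expectedParents)  { $reasons += "parent $parentName" }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                ProcessId = $p.ProcessId
                Parent    = $parentName
                Path      = $path
                Reasons   = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# Any row returned here warrants a closer look with your EDR's memory and handle telemetry.
Get-CtfmonFindings | Format-Table -AutoSize
```

Scheduling this as a periodic collection and diffing the output against the previous run turns a one-off check into a simple drift alert; the heavier lifting of tracking section handles belongs to the endpoint agent.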

Fourth, subscribe to Microsoft Security Response Center advisories. A patch or out-of-band fix is likely but has no confirmed timeline. Monitor msrc.microsoft.com for updates.

Source: BleepingComputer
