Two Unpatched Windows Exploits Target BitLocker, SYSTEM Access

News Room

Microsoft’s quiet Patch Tuesday did not stay quiet for long.

Soon after Microsoft released a May security update with no zero-days listed, an anonymous security researcher published proof-of-concept details for two unpatched Windows vulnerabilities. The bugs, dubbed YellowKey and GreenPlasma, could allow attackers to bypass BitLocker protections under specific recovery conditions or escalate local privileges to SYSTEM-level access.

The risks are different, but both point to the same problem for Windows users and IT teams: even a clean Patch Tuesday does not mean every serious bug has been closed.

Unearthing the YellowKey vulnerability

To fully grasp the severity of this vulnerability, let’s take a quick look at the Windows component it affects: BitLocker.

BitLocker is Microsoft’s default full-disk encryption system. While third-party disk encryption solutions exist, BitLocker leverages Windows’ underlying cryptographic features to encrypt the disk volumes of Windows computers. It not only prevents unauthorized users from writing to a protected disk but also prevents them from reading its contents.

The feature is especially useful for users who handle sensitive locally stored data and helps prevent data access in the event of device theft or tampering.

Its protection goes beyond read/write controls while the computer is running. BitLocker can rely on the Trusted Platform Module (TPM) chip to automatically unlock a device during boot, which effectively prevents a malicious user from reading an encrypted disk by removing it and attaching it to another computer.

However, researcher Chaotic Eclipse has found and disclosed a bug that can allow threat actors to bypass BitLocker protection by abusing Windows Recovery Environment (WinRE) and the Windows Recovery boot flow.

The attack works by inserting a USB stick containing specially crafted files into a computer that has been booted into WinRE. The crafted files trigger a sequence that gives the threat actor a privileged command shell, and with it access to the decrypted volume.

YellowKey’s success lies not in its ability to break Windows cryptography, but in its ability to circumvent it. The researcher called the vulnerability a “well hidden” one, saying that “it will take a while even for [Microsoft’s Security Response Center] to find the root cause of the issue.”

A privilege escalation vulnerability goes unnoticed

Microsoft’s May Patch Tuesday fixed 61 privilege elevation vulnerabilities — the highest in this month’s list of patched bugs. Given Chaotic Eclipse’s report, it appears Windows had more than 61.

Dubbed GreenPlasma, this vulnerability allows any user to elevate their privileges via a communication flaw in the legitimate Windows process CTFMON.exe. CTFMON, or Collaborative Translation Framework, is a Windows process associated with text input, keyboard, and general accessibility features, and it runs with broad SYSTEM-level privileges.

Chaotic Eclipse explains that this vulnerability stems from how Windows processes use shared memory. This is enabled by a Section Object — a block of shared memory between different Windows processes managed by the Object Manager.

Because CTFMON.exe is a SYSTEM process, it runs at an elevated level of trust by default. However, it has a flaw that allows an attacker to smuggle malicious commands into it. Such a command instructs it to create a new shared memory block in a region standard users cannot write to, an action only a highly privileged process with SYSTEM-level access can perform.

The researcher, however, did not publish the entire Proof of Concept (PoC), omitting the parts that explain how an attacker would proceed from there.

Even with what has been published, we can already see how dangerous this is. The researcher demonstrated that a standard user with malicious intent can place a piece of memory in protected regions shared with the kernel and other highly privileged processes. That allows an attacker to indirectly gain elevated privileges, effectively enabling them to do the following, and more:

  • Disable security tools
  • Dump credentials
  • Install malware
  • Create persistence
  • Move laterally
  • Manipulate security policies


Who is affected, and what is the way forward?

Technically, anyone with a Windows computer can be affected by GreenPlasma. But since an attacker already needs a foothold on the system before elevating privileges, users can stay safe by following anti-phishing guidance, keeping Microsoft Defender enabled, and generally being careful with unofficial websites.

The Hacker News reports that users of Windows 11 and Windows Server 2022/2025 are at risk of the YellowKey bug.

While there is currently no fix for these, the publication advises users to enable pre-boot authentication with a BootLoader PIN at startup. Since YellowKey requires physical access to the device, Windows users should be careful about how they carry their computers and where they leave them.
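The following PowerShell script is an added example, not code from the article or from the researcher, showing how an administrator can audit the OS volume for the pre-boot PIN protection recommended above and add it where missing. It assumes an elevated session on Windows 11 or Windows Server 2022/2025 with the built-in BitLocker module, and it treats the article’s “BootLoader PIN” as BitLocker’s TPM+PIN key protector.

```powershell
# Added example (not from the article): audit the OS volume for a TPM+PIN
# protector and, with -Remediate, add one. Assumes an elevated PowerShell session.
# Policy values for UseTPMPIN under the FVE key: 1 = Require, 2 = Allow.
param(
    [switch]$Remediate,   # add the protector instead of only reporting
    [switch]$RequirePin   # set policy to Require (1) rather than Allow (2)
)

$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-PinPolicyAllowed {
    # "Require additional authentication at startup" must permit a PIN, or
    # Add-BitLockerKeyProtector -TpmAndPinProtector is rejected by policy.
    $p = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
    return ($p.UseAdvancedStartup -eq 1 -and $p.UseTPMPIN -in 1, 2)
}

function Set-PinPolicy {
    if (-not (Test-Path $fveKey)) { New-Item -Path $fveKey -Force | Out-Null }
    $mode = if ($RequirePin) { 1 } else { 2 }
    New-ItemProperty -Path $fveKey -Name UseAdvancedStartup -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $fveKey -Name UseTPMPIN -Value $mode -PropertyType DWord -Force | Out-Null
}

$osDrive = $env:SystemDrive   # e.g. "C:"
$vol     = Get-BitLockerVolume -MountPoint $osDrive
$types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
Write-Host "Volume $osDrive : protection=$($vol.ProtectionStatus) protectors=$($types -join ', ')"

if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
    Write-Host 'OK: a pre-boot PIN is already required.'
    return
}
Write-Warning 'No TPM+PIN protector: the TPM unlocks this disk automatically at boot.'

if ($Remediate) {
    if (-not (Test-PinPolicyAllowed)) { Set-PinPolicy }
    # Ensure a recovery password exists first so a forgotten PIN cannot lock the device out.
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    }
    # Only one TPM-based protector may exist, so replace the PIN-less TPM protector.
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    $pin = Read-Host -Prompt 'Enter new startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin | Out-Null
    Write-Host 'TPM+PIN protector added; the PIN will be required at the next boot.'
}
```

Back up the recovery password (for example with Backup-BitLockerKeyProtector to Active Directory) before rolling this out, since the PIN prompt will appear at the next restart.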

