New Windows Zero-Days Target WinRE BitLocker Bypass and SYSTEM Privilege Escalation

Researchers Chaotic Eclipse and Nightmare-Eclipse disclosed two Windows zero-days: YellowKey, a BitLocker bypass in Windows Recovery Environment via specially crafted FsTx files on USB or the EFI partition, and GreenPlasma, a privilege-escalation flaw tied to Windows CTFMON that could let an unprivileged user create arbitrary memory sections and potentially control privileged services. A separate BitLocker downgrade chain described by Intrinsec (CVE-2025-48804) could defeat encryption on fully patched systems with physical access by boot-image tampering. Mitigations include enabling BitLocker startup PIN, migrating the boot manager to CA 2023 certificates, and revoking PCA 2011 certificates as older certificates are retired; Microsoft notes coordinated vulnerability disclosure and upcoming Patch Tuesday updates in June 2026.