AI-POWERED NEWS

Same Researcher Who Broke Linux Twice Just Published Working Exploits That Bypass Windows BitLocker — Microsoft Has No Fix

The researcher behind two recent Linux privilege escalation zero-days just dropped two more: a working BitLocker bypass called YellowKey and a Windows privilege escalation flaw called GreenPlasma. Both are unpatched. Both have public proof-of-concept code. And the researcher says TPM+PIN doesn't stop it — they're just not publishing that version yet.

The Same Researcher. Again.

If the name Chaotic Eclipse — also known as Nightmare-Eclipse on GitHub — sounds familiar, it should. This is the same researcher who publicly released BlueHammer (CVE-2026-33825) and RedSun, two local privilege escalation zero-days for Linux, both of which were exploited in the wild within days of publication.

Now they're back. This time targeting Windows.

On May 13, 2026, according to BleepingComputer, Chaotic Eclipse dropped proof-of-concept exploits for two new unpatched Windows vulnerabilities: YellowKey (a BitLocker bypass) and GreenPlasma (a privilege escalation flaw targeting Windows CTFMON). Microsoft has issued NO patch. No CVE assigned. No timeline.

What YellowKey Actually Does

BitLocker is Microsoft's full-volume encryption. It's mandatory for contractors working with the U.S. government. The entire point is that without the decryption key, your data is a brick.

YellowKey makes that guarantee worthless — at least on default configurations.

Here's the attack chain, as documented by Ars Technica: copy a specially crafted FsTx folder (Transactional NTFS metadata) to a USB drive, plug it into a BitLocker-protected Windows 11 machine, boot into the Windows Recovery Environment (WinRE), hold down Ctrl, and you get a command-line shell with unrestricted access to the encrypted drive. No recovery key required. No credentials. Nothing beyond physical access to the machine and the ability to boot it into WinRE.

It works on Windows 11 and Windows Server 2022/2025, according to The Hacker News.

Independent Researchers Confirmed It Works

Two well-known independent security researchers verified the exploit personally.

Kevin Beaumont confirmed YellowKey is valid and called BitLocker's design a backdoor. Will Dormann reproduced it with a USB drive attached and posted his findings on Mastodon. Dormann's technical breakdown surfaces a critical detail: the FsTx directory on one volume appears able to modify the contents of a completely separate volume when its transactions are replayed. If that holds, this is not just a BitLocker bug but an isolation failure in Transactional NTFS (TxF) replay, which should never let metadata carried on one volume write to another. The BitLocker bypass is the headline, but the cross-volume manipulation points to the deeper structural problem.

TPM+PIN Doesn't Save You — But The Worst Exploit Isn't Published Yet

Chaotic Eclipse says the exploit works even when TPM+PIN protection is enabled — which is the more secure BitLocker configuration that security professionals specifically recommend.

They have NOT released that version of the exploit. According to BleepingComputer, the researcher stated: "No, TPM+PIN does not help, the issue is still exploitable regardless. I asked myself this question, can it still work in a TPM+PIN environment? Yes it does. I'm just not publishing the PoC."

The public exploit breaks default BitLocker. The unpublished version reportedly breaks hardened BitLocker. Two very different threat levels — and the second one is sitting in this researcher's back pocket.

GreenPlasma: The Second Problem Nobody's Talking About

YellowKey is getting all the attention. GreenPlasma is getting almost none.

GreenPlasma targets CTFMON, the loader for the Windows Collaborative Translation Framework, and is meant to escalate an unprivileged user to SYSTEM, according to The Hacker News. The current PoC is incomplete: it does not yet deliver a SYSTEM shell. What it does do is let an unprivileged user create arbitrary named section objects in object-namespace directories that SYSTEM processes trust. Section objects are shared-memory handles, and planting an attacker-controlled one where a privileged process will open it by name is a classic escalation foothold.

That's a foothold. And a researcher who already has a completed TPM+PIN variant of the BitLocker exploit may well have a completed GreenPlasma exploit too.

Why Is This Researcher Dropping Exploits Instead of Reporting Them?

Chaotic Eclipse has been explicit: this is retaliation. According to BleepingComputer, the researcher's decision to publicly disclose all of these vulnerabilities — YellowKey, GreenPlasma, and the earlier Linux zero-days — stems from frustration with Microsoft's bug handling process.

The researcher told BleepingComputer they intend to keep leaking exploits for undocumented Windows vulnerabilities and promised "a big surprise" for the next Patch Tuesday.

By the researcher's own account, Microsoft's failure to engage properly with their earlier reports is what has produced this cascade of public zero-days across both Linux and Windows.

What Microsoft Has Said

Nothing of substance. No patch. No CVE. No public acknowledgment of the root cause.

The researcher themselves noted: "I think it will take a while even for MSRC [Microsoft Security Response Center] to find the real root cause of the issue."

What You Should Do Right Now

Kevin Beaumont recommended two mitigations: set a BitLocker pre-boot PIN (a TPM+PIN protector) AND set a BIOS/UEFI firmware password. With the default TPM-only protector, the TPM releases the volume key at boot without any user input; requiring a PIN means an attacker with only physical access has to get past that prompt first. This won't stop the TPM+PIN variant if and when the full exploit drops, but it raises the bar significantly above the default configuration.

If your organization has government contracts and relies on BitLocker for compliance, contact your IT security team immediately. Default BitLocker configurations on Windows 11 and Server 2022/2025 are currently bypassable by anyone with physical access to the machine.
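The following PowerShell audit is an added example, not code from the article or from the researcher. It lists every BitLocker volume with its protector types (flagging TPM-only volumes, the default configuration the public YellowKey PoC defeats), shows the current WinRE state since the published chain boots into WinRE, and, only when run with -AddPin, adds a TPM+PIN protector to the OS volume. The FVE policy registry values it sets are the standard ones behind the "Require additional authentication at startup" policy; in a managed environment, set them through Group Policy instead. Run it as Administrator.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the article or the researcher).
# Reports BitLocker protector types per volume and WinRE state; optionally
# adds a TPM+PIN protector. A firmware (BIOS/UEFI) password, the second
# mitigation the article reports, cannot be set from PowerShell.
[CmdletBinding()]
param(
    [switch]$AddPin   # only when you actually want to add a TPM+PIN protector
)

$ErrorActionPreference = 'Stop'

# 1. Inventory protectors. A volume whose only TPM-based protector is 'Tpm'
#    auto-unlocks at boot with no user input: that is the at-risk default.
$report = foreach ($v in Get-BitLockerVolume) {
    $types     = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasTpmPin = $types -contains 'TpmPin'
    [pscustomobject]@{
        Volume        = $v.MountPoint
        Type          = $v.VolumeType
        Protection    = $v.ProtectionStatus
        Protectors    = ($types -join ', ')
        HasTpmPin     = $hasTpmPin
        TpmOnlyAtRisk = ($types -contains 'Tpm') -and -not $hasTpmPin
    }
}
$report | Format-Table -AutoSize

# 2. WinRE state. The published chain needs a WinRE boot, so knowing whether
#    it is enabled matters. reagentc /info is read-only. Disabling WinRE is
#    NOT a mitigation the article reports and breaks recovery scenarios, so
#    this script does not do it.
reagentc /info

# 3. Optionally add a TPM+PIN protector to the OS volume. BitLocker refuses a
#    PIN unless policy allows additional authentication at startup; these
#    registry values are what that policy writes (assumed standard names).
if ($AddPin) {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Type DWord -Value 2   # 2 = allow PIN, 1 = require PIN

    $os  = (Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem').MountPoint
    $pin = Read-Host -Prompt "Enter new pre-boot PIN for $os" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $os -TpmAndPinProtector -Pin $pin

    # Remove any leftover TPM-only protector so the volume no longer
    # auto-unlocks without the PIN. Harmless if BitLocker already replaced it.
    Get-BitLockerVolume -MountPoint $os |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $_.KeyProtectorId }

    Get-BitLockerVolume -MountPoint $os | Select-Object MountPoint, ProtectionStatus, KeyProtector
}
```

Before running with -AddPin, confirm a recovery password protector exists and is escrowed (it shows as RecoveryPassword in the Protectors column), because a mistyped PIN at the next boot falls back to that recovery key. Remember the article's caveat: the researcher claims a TPM+PIN variant exists, so this raises the bar for the public PoC rather than closing the issue.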

The researcher already promised more is coming. Microsoft hasn't fixed the last batch. Plan accordingly.

Sources

Ars Technica: Zero-day exploit completely defeats default Windows 11 BitLocker protections
The Hacker News: Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
BleepingComputer: Windows BitLocker zero-day gives access to protected drives, PoC released
Cybernews: BitLocker bypass zero-day exploit released by disgruntled researcher