The IT researcher behind the “NightmareEclipse” project reveals new flaws: “YellowKey” in BitLocker and privilege escalation with “MiniPlasma”.

The IT security researcher who previously demonstrated the vulnerabilities “RedSun”, “UnDefend” and “BlueHammer” [1] continues to publish further Windows security flaws. “NightmareEclipse” (GitHub) or “Chaotic Eclipse” (Blogspot) has discovered “YellowKey”, a critical security flaw in Windows BitLocker drive encryption. In addition, he has uncovered another privilege escalation vulnerability, “MiniPlasma”, in a Windows driver.

In the “Windows Cloud Files Mini Filter”, Microsoft had already attempted to patch a privilege escalation flaw in 2020 [2] (CVE-2020-17103, CVSS 7.0, risk “high”). It is unclear whether the patch was later withdrawn or simply never distributed by Microsoft. In any case, the vulnerability, which Google’s Project Zero reported at the time [3], remains exploitable. The proof-of-concept exploit (PoC) on GitHub [4] is intended to demonstrate how attackers can obtain SYSTEM privileges, and according to reports, Google’s older PoC also still works.

Unlocking BitLocker arbitrarily with local access

The “YellowKey” vulnerability in BitLocker causes somewhat greater concern. Like the recently disclosed attack based on BitUnlocker [5], it requires local access; however, a simple USB stick is sufficient. Attackers copy the folder “System Volume Information\FsTx” to it. The stick’s file system must be one Windows can read, such as FAT, FAT32, exFAT or NTFS. The stick is then plugged into a computer with BitLocker enabled. Holding the Shift key during startup boots the system into the Windows Recovery Environment. Attackers then click on Restart and, instead of holding the Shift key, now press the Ctrl key. This launches a shell with unrestricted access to the drive that BitLocker is supposed to protect.

This is said to work on Windows 11 and on Server 2022 as well as 2025; the Windows Recovery Environment of Windows 10 is not affected. What helps against BitUnlocker-derived attacks, namely an environment that relies on PIN entry before decryption together with TPM protection, appears to be ineffective here, writes *Eclipse in a blog post [6].

IT security expert Will Dormann tested the exploit and reported his conclusions on Mastodon. According to him, holding the Ctrl key is not necessary to reach the shell with access to the BitLocker-protected drive. The exact mechanism is still unclear, but it appears that the “System Volume Information\FsTx” folder of one drive (which belongs to Transactional NTFS [7]) can unlock the contents of other drives. However, a user report under Dormann’s post suggests that the C drive was unlocked for them, but the D drive was not.

In the blog post, *Eclipse also writes that Microsoft apparently silently fixed one of the reported vulnerabilities. The “RedSun” vulnerability [8] from mid-April grants attackers admin rights. This appears to have been fixed with the updates from last week’s Patch Day, without, for example, a CVE entry.

(dmk [10])

URL of this article:
https://www.heise.de/-11297192

Links in this article:
[1] https://www.heise.de/news/Ungepatchte-Windows-Zero-Days-RedSun-UnDefend-und-BlueHammer-werden-attackiert-11263691.html
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17103
[3] https://project-zero.issues.chromium.org/issues/42451192
[4] https://github.com/Nightmare-Eclipse/MiniPlasma
[5] https://www.heise.de/news/Angriff-umgeht-BitLocker-mittels-Windows-Recovery-Environment-11292642.html
[6] https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html
[7] https://learn.microsoft.com/de-de/windows/win32/fileio/transactional-ntfs-portal
[8] https://www.heise.de/news/Vom-BlueHammer-Autor-Neuer-Windows-Zeroday-verschafft-Adminrechte-11260913.html
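As an added example (not code from the article, the researcher or Microsoft), the following PowerShell inventory reports whether a host combines the conditions the article names for the “YellowKey” issue: an affected OS family (Windows 11, Server 2022 or Server 2025, while the Windows 10 recovery environment is reported as unaffected), an enabled Windows Recovery Environment, and BitLocker-protected volumes. It only reads state and changes nothing; the regular expressions and the “NeedsFollowUp” rule are this example’s own assumptions, and the `reagentc`, `Get-CimInstance` and `Get-BitLockerVolume` commands are standard Windows tooling.

```powershell
# Added inventory script, not from the article: flags hosts that match the configuration
# the article describes as affected, so defenders can prioritise follow-up. Read-only.
# Run from an elevated PowerShell prompt on the Windows host being assessed.

# 1. OS family. The article lists Windows 11, Server 2022 and Server 2025 as affected
#    and says the Windows 10 recovery environment is not. (Regex is an assumption.)
$os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$affectedOs = $os -match 'Windows 11|Server 2022|Server 2025'

# 2. Windows Recovery Environment state. "reagentc /info" prints a line of the form
#    "Windows RE status: Enabled" (or "Disabled"); only that line is inspected.
$reInfo = & reagentc.exe /info 2>&1
$reStatusLine = ($reInfo | Where-Object { $_ -match 'Windows RE status' }) -join ' '
$winReEnabled = [bool]($reStatusLine -match 'Enabled')

# 3. BitLocker volumes whose protection is switched on, with their protector types,
#    e.g. "Tpm", "TpmPin", "RecoveryPassword". The article reports that TPM+PIN
#    pre-boot authentication does not appear to help here, so protector type is
#    reported for context but does not clear the flag.
$protected = Get-BitLockerVolume |
    Where-Object { $_.ProtectionStatus -eq 'On' } |
    Select-Object MountPoint, VolumeType, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',' } }

# 4. One summary object per host; pipe to Export-Csv when collecting across a fleet.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    OperatingSystem  = $os
    AffectedOsFamily = $affectedOs
    WinReEnabled     = $winReEnabled
    ProtectedVolumes = (@($protected) | ForEach-Object { $_.MountPoint }) -join ','
    Protectors       = (@($protected) | ForEach-Object { $_.Protectors } | Sort-Object -Unique) -join ';'
    NeedsFollowUp    = $affectedOs -and $winReEnabled -and (@($protected).Count -gt 0)
}
```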
[9] https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp
[10] mailto:dmk@heise.de

Copyright © 2026 Heise Medien