Researcher releases two Microsoft zero‑days
- On May 13, 2026, a researcher using the names Nightmare-Eclipse and Chaotic Eclipse published two new unpatched Microsoft Windows zero-day exploits, YellowKey and GreenPlasma.
- YellowKey targets BitLocker on Windows 11 and Windows Server 2022/2025, and Kevin Beaumont said the exploit is valid and merits added mitigations.
- Microsoft’s MSRC portal lists BlueHat 2026 in May in Redmond, while the researcher has threatened another release by next Patch Tuesday.
Nightmare-Eclipse, also known as Chaotic Eclipse, published two more unpatched Windows exploits on May 13, adding to a series of disclosures the researcher says were prompted by dissatisfaction with Microsoft’s bug-handling process. The two flaws, dubbed YellowKey and GreenPlasma, were described by multiple security outlets as a BitLocker bypass and a local privilege-escalation bug that can help attackers reach SYSTEM-level access. Microsoft’s May 2026 Patch Tuesday had shipped a day earlier with 120 fixes and no zero-days publicly disclosed at release, according to BleepingComputer.

### How do these two flaws differ from each other?

YellowKey is the more unusual of the pair because it is framed as a BitLocker bypass tied to the Windows Recovery Environment, or WinRE. BleepingComputer reported that the researcher said the issue affects Windows 11 and Windows Server 2022 and 2025, and involves placing crafted files on a USB drive or EFI partition, rebooting into WinRE, and triggering a shell with a key sequence. (bleepingcomputer.com)

GreenPlasma is a privilege-escalation flaw rather than a disk-encryption bypass. SecurityWeek reported that the exploit lets an attacker elevate privileges to SYSTEM, though the researcher published a stripped-down proof of concept rather than code that directly delivers a full SYSTEM shell. The Register separately reported that the released code still leaves work for attackers because weaponizing it is not straightforward. (bleepingcomputer.com)

### Why has YellowKey drawn the sharpest reaction?

YellowKey has drawn attention because BitLocker is widely used to protect data on lost or stolen laptops. The Register quoted Forescout Vice President Rik Ferguson as saying that if the claim holds up, “a stolen laptop stops being a hardware problem and becomes a breach notification.” Bridewell cyber threat intelligence principal lead Gavin Knapp told the publication the flaw would still be “a huge security problem” for organizations using BitLocker. (securityweek.com)

Kevin Beaumont, an independent security researcher, said the YellowKey exploit is valid, according to BleepingComputer. Beaumont recommended a BitLocker PIN and a BIOS password as mitigations, although BleepingComputer also reported that the researcher later claimed the underlying issue remained exploitable even in a TPM-and-PIN setup and said that version of the exploit had not been released. Will Dormann of Tharros Labs separately confirmed a USB-based version of the exploit worked, BleepingComputer reported. (theregister.com)

### What does this episode show about endpoint security?

Microsoft’s own severity framework treats elevation of privilege as the ability to execute arbitrary code or obtain more privilege than authorized, underscoring why GreenPlasma matters even without remote code execution on its own. Microsoft also says in its Exploitability Index documentation that customers should use exploitability data to prioritize patching once a security update exists. In this case, no Microsoft advisory for YellowKey or GreenPlasma appeared in the sources reviewed, leaving defenders to rely on mitigations and hardening rather than a vendor patch. (bleepingcomputer.com)

The Register quoted Knapp as saying that privilege-escalation bugs like GreenPlasma are often used after attackers gain an initial foothold. That sequence is familiar to enterprise defenders: an endpoint is first accessed through some other weakness, then local flaws are used to deepen control, disable protections or move toward credential theft. (microsoft.com)

### Is Microsoft saying anything publicly about the process?

Microsoft’s public MSRC site says it is the company’s central hub for vulnerability reporting, coordinated response and security updates, and it invites researchers to submit vulnerability research through its portal. The site also says MSRC is holding BlueHat 2026 in May in Redmond, Washington. In the material reviewed for this story, Microsoft had not published a public advisory naming YellowKey or GreenPlasma. (theregister.com)

BleepingComputer reported that the researcher said they would keep leaking undocumented Windows vulnerabilities and promised “a big surprise” for the next Patch Tuesday. That threat leaves security teams watching both Microsoft’s update guide and the researcher’s channels for the next concrete development. (bleepingcomputer.com) (microsoft.com)
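The TPM-plus-PIN mitigation Beaumont recommended can be checked fleet-wide before any vendor fix lands. The following PowerShell audit is an added example written for this page; it is not code from the article, the researcher or Microsoft. It uses the real `Get-BitLockerVolume` and `Add-BitLockerKeyProtector` cmdlets from the BitLocker module, while the function name `Get-BitLockerPinAudit` and the "user-bound" protector list are the example's own assumptions. It does not check for a BIOS password, which firmware vendors expose differently and which Windows cannot query generically.

```powershell
# Added audit script (not from the article or Microsoft): lists BitLocker-protected
# volumes whose pre-boot unlock relies on the TPM alone, i.e. without the PIN that
# Beaumont recommended. Needs the BitLocker module and an elevated session.
#Requires -RunAsAdministrator

function Get-BitLockerPinAudit {
    [CmdletBinding()]
    param()

    # Assumption for this example: protector types that bind unlock to something
    # the user must supply at boot. TpmStartupKey is deliberately excluded because
    # a USB startup key is typically carried with the laptop.
    $userBoundTypes = @('TpmPin', 'TpmPinStartupKey', 'Password')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasUserBound = [bool]($types | Where-Object { $userBoundTypes -contains $_ })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            # True when an OS volume is protected but unlocks with the TPM only.
            TpmOnlyUnlock    = ($vol.VolumeType -eq 'OperatingSystem') -and
                               ($vol.ProtectionStatus -eq 'On') -and
                               ($types -contains 'Tpm') -and
                               (-not $hasUserBound)
        }
    }
}

# Report every volume, then flag OS volumes that still unlock silently.
$audit = Get-BitLockerPinAudit
$audit | Format-Table -AutoSize

foreach ($row in $audit | Where-Object TpmOnlyUnlock) {
    Write-Warning "$($row.MountPoint) unlocks with TPM only; consider adding a startup PIN:"
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $($row.MountPoint) -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')"
}
```

The remediation line is printed rather than executed so the audit stays read-only. Adding a PIN also requires the Group Policy setting "Require additional authentication at startup" to allow or require a startup PIN; without it the cmdlet is refused by policy, which is worth confirming centrally before rolling the change out.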