A security researcher who goes by Chaotic Eclipse has revealed two unpatched Microsoft Windows zero-days. The flaws let attackers bypass BitLocker encryption and escalate system privileges through the Windows Collaborative Translation Framework (CTFMON). Neither bug has a patch yet, and both are already being used in real attacks.

The first flaw, codenamed YellowKey, allows attackers to decrypt data protected by BitLocker without needing the correct password or recovery key. BitLocker is Microsoft’s built-in full-disk encryption tool used by businesses and consumers to protect sensitive files. This bypass means an attacker with physical access to a machine could grab encrypted data in under a minute. The flaw works on Windows 10 and 11 systems with default BitLocker settings.

How YellowKey works

YellowKey exploits a design flaw in how Windows handles BitLocker’s recovery key protection. When a system boots, Windows checks the recovery key stored in the TPM chip. Chaotic Eclipse found that an attacker can force Windows to skip this check by manipulating the boot sequence. They can then access the encrypted drive directly from another OS or live USB, bypassing the lock entirely. It’s not subtle: one researcher demoed the attack by booting a machine into a Linux live environment and copying files off an encrypted drive in seconds.

The second flaw, GreenPlasma, targets CTFMON.exe, a legitimate Windows process tied to language and input features. CTFMON normally runs with low privileges, but GreenPlasma lets a local attacker trick the system into running code with SYSTEM-level permissions. That’s the highest privilege level on Windows. An attacker could use this to install malware, steal passwords, or disable security tools.

Who’s at risk

Anyone running Windows 10 or 11 is potentially exposed. Businesses using BitLocker for compliance or data protection face the biggest risk from YellowKey. Home users aren’t spared either—an attacker with brief physical access to a laptop could walk away with sensitive files. GreenPlasma is more dangerous in shared or managed environments like offices or schools, where multiple people have local account access.

Microsoft hasn’t issued fixes yet. The company usually rolls out patches on the second Tuesday of each month, but these flaws were disclosed outside that cycle. Until a patch arrives, users should treat physical access to machines as a critical risk. For YellowKey, disallowing boot from external media in BIOS can slow down attackers. For GreenPlasma, limiting local admin rights and monitoring CTFMON.exe for unusual activity can help.
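The "monitor CTFMON.exe for unusual activity" advice can be turned into a concrete check. The script below is an added example, not code from the article, The Hacker News or Microsoft: it walks process-creation events exported as JSON Lines (the field names `image`, `user`, `integrity` and `parent` are an assumption; real Sysmon or EDR schemas differ) and flags any ctfmon.exe that either runs from outside the Windows system directory or runs above the low/medium integrity an interactive user's CTF loader normally has. The sample events are constructed for the demo.

```python
"""Spot CTFMON.exe instances that break its normal low-privilege profile.

Added example, not from the original article or from Microsoft. It assumes
process-creation telemetry has been exported as JSON Lines with the field names
used below (an assumption; real Sysmon/EDR schemas differ). The two checks
follow the article's two facts: CTFMON normally runs with low privileges, and
the genuine binary lives under the Windows system directory.
"""
import json
import ntpath

# Directories the genuine CTF loader is expected to run from (assumed; lower-cased).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Integrity levels a normal interactive-user ctfmon.exe should sit at.
NORMAL_INTEGRITY = {"low", "medium"}

# Constructed sample events (not real telemetry). Field names are assumptions.
SAMPLE_EVENTS = r'''
{"image": "C:\\Windows\\System32\\ctfmon.exe", "user": "CORP\\alice", "integrity": "Medium", "parent": "C:\\Windows\\explorer.exe"}
{"image": "C:\\Windows\\System32\\ctfmon.exe", "user": "NT AUTHORITY\\SYSTEM", "integrity": "System", "parent": "C:\\Windows\\System32\\svchost.exe"}
{"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ctfmon.exe", "user": "CORP\\alice", "integrity": "Medium", "parent": "C:\\Windows\\explorer.exe"}
{"image": "C:\\Windows\\System32\\notepad.exe", "user": "CORP\\alice", "integrity": "Medium", "parent": "C:\\Windows\\explorer.exe"}
'''


def classify_event(event):
    """Return a list of reasons this event looks anomalous (empty if benign).

    Only ctfmon.exe processes are examined; every other image is ignored.
    """
    image = event["image"]
    directory, name = ntpath.split(image)  # ntpath handles Windows paths on any host
    if name.lower() != "ctfmon.exe":
        return []

    reasons = []
    if directory.lower() not in EXPECTED_DIRS:
        # A ctfmon.exe outside the system directory is not the Windows binary.
        reasons.append(f"unexpected image path: {image}")

    integrity = event.get("integrity", "").lower()
    user = event.get("user", "")
    if integrity not in NORMAL_INTEGRITY or user.upper().endswith("\\SYSTEM"):
        # The article's point: CTFMON should not run above medium integrity,
        # let alone as SYSTEM.
        reasons.append(
            f"elevated context: user={user} integrity={event.get('integrity')}"
        )
    return reasons


def scan_events(jsonl_text):
    """Parse JSON Lines and return [(image, user, reasons)] for flagged events."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify_event(event)
        if reasons:
            findings.append((event["image"], event.get("user", ""), reasons))
    return findings


if __name__ == "__main__":
    for image, user, reasons in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {image} ({user}): " + "; ".join(reasons))
```

Run against the constructed events, the first (a normal medium-integrity instance under the user's explorer.exe) and the notepad.exe line pass quietly; the SYSTEM-integrity instance and the copy launched from a Temp directory are reported. On a real estate you would feed it the host's process-creation log instead of `SAMPLE_EVENTS` and tune `EXPECTED_DIRS` to the paths your image actually uses.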

Officials at Microsoft’s security response center told The Hacker News they’re investigating both flaws. They didn’t say when to expect fixes, but they urged users to enable multi-factor authentication and keep security software updated. Independent testers confirm both flaws are reproducible and not theoretical.

The researcher behind the disclosures has a track record. Earlier this year, Chaotic Eclipse reported three Microsoft Defender flaws that were patched within weeks. That gives weight to their latest claims, but it also means attackers have had months to study and weaponize those older bugs. With two new flaws now public, the clock is ticking for Microsoft—and for anyone still running unpatched Windows systems.

What You Need to Know

  • Source: The Hacker News
  • Published: May 14, 2026 at 09:25 UTC
  • Category: Security
  • Topics: #hackernews · #security · #vulnerabilities · #cybersecurity


All reporting rights belong to the respective author(s) at The Hacker News. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.


Curated by GlobalBR News · May 14, 2026


🇧🇷 Summary in Portuguese

A new danger is stalking millions of Brazilian computers: two critical, unpatched flaws in Windows, discovered by a security researcher, make it possible to bypass BitLocker, Microsoft's encryption tool, and to escalate privileges via CTFMON, opening the door to devastating attacks. Given the operating system's popularity in Brazil and the growing adoption of solutions such as BitLocker to protect sensitive data, the discovery raises a red alert: vulnerable systems can be compromised even with protections enabled, exposing corporate, government and personal information to imminent risk.

The flaws, classified as zero-days (that is, unknown to the developers until they were revealed), are especially worrying because no patches are available at the moment. BitLocker, widely used by Brazilian companies and public bodies to encrypt hard drives and prevent unauthorized access, can be bypassed with relatively simple techniques, while privilege escalation via CTFMON (a legitimate Windows component) lets intruders take full control of the system. Experts warn that, without urgent updates, cybercriminals and even politically motivated groups could exploit the vulnerabilities to steal data, deploy ransomware or sabotage critical infrastructure, as has already happened in recent attacks against hospitals and universities in the country.

Microsoft has not yet made an official statement about a timeline for fixes, but pressure on the technology giant is mounting as more details of the flaws are made public. While we wait for updates, the recommendation is to be extra careful: temporarily disabling BitLocker on non-essential machines, restricting administrative access and monitoring suspicious activity can serve as stopgap measures until the company releases a definitive fix.