- A researcher known as Chaotic Eclipse published working proof-of-concept exploit code for two Windows zero-days on GitHub, targeting BitLocker encryption and system-level privilege escalation.
- YellowKey bypasses BitLocker entirely using a USB drive, while GreenPlasma manipulates a trusted Windows process to hand attackers full SYSTEM privileges.
- The researcher closed the release with a direct warning to Microsoft, promising a significant surprise on the next Patch Tuesday.
Chaotic Eclipse did not slow down. The researcher, also known as Nightmare-Eclipse, published two new proof-of-concept (PoC) exploits on GitHub on May 12, 2026, targeting core Windows components. One breaks BitLocker encryption. The other escalates user privileges to SYSTEM level through a process Windows trusts completely. Anyone can now access both on GitHub.
The disclosures follow a clear pattern. Chaotic Eclipse previously dropped a Windows Defender privilege escalation exploit on April 2, 2026, then released another on April 15.
This latest release extends what has become a sustained confrontation between the researcher and Microsoft. The researcher framed the disclosures as retaliation, claiming Microsoft has consistently failed to handle security vulnerabilities responsibly.
BitLocker falls to a USB stick
The first disclosure carries the codename YellowKey. The researcher described the underlying bug as “mad,” and the exploit lives up to that billing. It targets the Windows Recovery Environment (WinRE) component and allows an attacker to bypass BitLocker drive encryption completely.
The only requirements are physical access to the machine and a prepared USB drive. The attacker plugs it in, reboots the system, and BitLocker collapses.
Windows 11 and Windows Server 2025 systems both sit in the line of fire. The researcher published the working PoC code on GitHub alongside a sardonic note, thanking Microsoft’s internal security teams (MORSE, MSTIC, and Microsoft GHOST) by name for making the public disclosure possible.
GreenPlasma turns a trusted Windows process into a weapon
The second disclosure, GreenPlasma, targets CTFMON (ctfmon.exe), a Windows process responsible for text input features that runs with SYSTEM privileges in every active user session. The exploit plants an arbitrary memory section object and manipulates a chain of Windows registry settings and permission rules to trick CTFMON into interacting with it.
Because many Windows services and kernel-mode drivers trust certain system paths by default, the attacker can plant malicious code or counterfeit DLLs in memory regions that the operating system treats as trusted.
Security researcher Het Mehta, who analyzed the exploit, confirmed the method. GreenPlasma creates an arbitrary memory section inside a directory that SYSTEM can write to, then uses that foothold to manipulate data flowing through trusted processes.
Chaotic Eclipse deliberately held back the finishing blow. The published PoC does not include the code required to complete a full SYSTEM shell. According to the GitHub documentation, the researcher framed the gap as a challenge, stating that anyone skilled enough can connect the remaining pieces and achieve full privilege escalation on their own.
A direct threat to Microsoft
Both releases arrived with a message attached. Chaotic Eclipse addressed Microsoft directly, warning that the next Patch Tuesday will carry a significant surprise. The researcher added that no promise made so far has gone undelivered.
The researcher has now published at least four public Windows exploits since early April 2026. Each one has surfaced after a Patch Tuesday, trapping Microsoft in a cycle where patching one wave simply opens the window for the next. Microsoft has not issued a public statement on YellowKey or GreenPlasma at the time of writing. Both exploits remain live on GitHub.