Close Menu
    What's Hot

    Here’s Why Anthropic Is Pushing States to Regulate AI Faster

    Astronomers Find an Atmosphere on a Nearby Earthlike Planet

    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

    Facebook X (Twitter) Instagram
    Trending
    • Here’s Why Anthropic Is Pushing States to Regulate AI Faster
    • Astronomers Find an Atmosphere on a Nearby Earthlike Planet
    • Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack
    • Wildfire Smoke Shutters Parks and Shuffles Visitors
    • Jensen Huang says the more AI is used, the more ‘we have to hire’
    • Opinion | A Test Isn’t Racist. Assumptions About Black Kids Can Be.
    • Iran condemns ‘barbaric’ US attack near children’s cancer hospital | US-Israel war on Iran News
    • Orphanage Fire Kills Eleven in Algeria
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation

    adminBy adminMay 14, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation

    An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting Windows Collaborative Translation Framework (CTFMON).

    The security defects have been codenamed YellowKey and GreenPlasma, respectively, by the researcher, who goes by the online aliases Chaotic Eclipse and Nightmare-Eclipse.

    The researcher described YellowKey as “one of the most insane discoveries I ever found,” likening the BitLocker bypass to functioning as a backdoor, as the bug is present only in the Windows Recovery Environment (WinRE), a built-in framework designed to troubleshoot and repair common unbootable operating system issues.

    YellowKey affects Windows 11 and Windows Server 2022/2025. At a high level, it involves copying specially crafted “FsTx” files on a USB drive or the EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into WinRE, and triggering a shell by holding down the CTRL key.

    “I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden,” the researcher explained. “Second thing is, no, TPM+PIN does not help, the issue is still exploitable regardless.”

    Security researcher Will Dormann, in a post shared on Mastodon, said, “I was able to reproduce [YellowKey] with a USB drive attached,” adding, “it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment.”

    Cybersecurity

    “While the TPM-only BitLocker bypass is indeed interesting, I think the buried lede here is that a \System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed,” Dormann pointed out. “To me, this in and of itself sounds like a vulnerability.”

    The second vulnerability flagged by Chaotic Eclipse is a case of privilege escalation security that could be exploited to obtain a shell with SYSTEM permissions. It arises as a result of what has been described as Windows CTFMON arbitrary section creation.

    The released proof-of-concept (PoC) is incomplete and lacks the necessary code to obtain a full SYSTEM shell. In its current form, the exploit can allow an unprivileged user to create arbitrary memory section objects within directory objects writable by SYSTEM, potentially enabling manipulation of privileged services or drivers that implicitly trust those paths, as a standard user does not have write access to the locations.

    The development comes nearly a month after the researcher published three Defender zero-days dubbed BlueHammer, RedSun, and UnDefend after allegedly expressing dissatisfaction with Microsoft’s handling of the vulnerability disclosure process. The shortcomings have since come under active exploitation in the wild.

    While BlueHammer was officially assigned the identifier CVE-2026-33825 and patched by Microsoft last month, Chaotic Eclipse said the tech giant appears to have “silently” addressed RedSun without issuing any advisory.

    “I hope you at least attempt to resolve the situation responsibly, I’m not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer,” the researcher said. “The fire will go as long as you want, unless you extinguish it or until there nothing left to burn.”

    Chaotic Eclipse also promised a “big surprise” for Microsoft, coinciding with the next Patch Tuesday release in June 2026.

    When reached for comment, a Microsoft spokesperson had previously told The Hacker News that it “has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible,” and that it supports coordinated vulnerability disclosure, which the company said “helps ensure issues are carefully investigated and addressed before public disclosure.”

    BitLocker Downgrade Attack Uncovered

    The development comes as French cybersecurity company Intrinsec detailed an attack chain against BitLocker that leverages a boot manager downgrade by exploiting CVE-2025-48804 (CVSS score: 6.8) to bypass the encryption protection on fully patched Windows 11 systems in under five minutes.

    “The principle is as follows: the boot manager loads the System Deployment Image (SDI) file and the WIM referenced by it, and verifies the integrity of the legitimate WIM,” Intrinsec said.

    “However, when a second WIM is added to the SDI with a modified blob table, the boot manager checks the first (legitimate) WIM while simultaneously booting from the second (controlled by the attacker). This second WIM contains a WinRE image infected with ‘cmd.exe,’ which executes with the decrypted BitLocker volume.”

    Cybersecurity

    While fixes released by Microsoft in July 2025 plugged this security defect in July 2025, security researcher Cassius Garat said the problem lies in the fact that Secure Boot only verifies a binary’s signing certificate, not its version. As a result, a vulnerable version of “bootmgfw.efi” that does not contain the patch and is signed with the trusted PCA 2011 certificate can be used to get around BitLocker safeguards.

    It’s worth noting that Microsoft plans to retire the old PCA 2011 certificates next month. “And as long as it is not revoked, even an old, vulnerable boot manager can be loaded without triggering an alert,” Intrinsec noted. To pull off the attack, a bad actor needs to have physical access to the target machine.

    To counter the risk, it’s essential to enable a BitLocker PIN at startup for preboot authentication and migrate the boot manager to the CA 2023 certificate and revoke the old PCA 2011 certificate.

    BitLocker Bypasses CTFMON Escalation expose Privilege Windows ZeroDays
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleWendy’s restaurants abroad are about to break the biggest color rule of food branding
    Next Article Tech Companies Lobbied Away Stricter Rules On Gas-Powered Data Centers
    admin
    • Website

    Related Posts

    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

    July 16, 2026

    Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

    July 16, 2026

    n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Here’s Why Anthropic Is Pushing States to Regulate AI Faster

    Astronomers Find an Atmosphere on a Nearby Earthlike Planet

    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

    Wildfire Smoke Shutters Parks and Shuffles Visitors

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by