TL;DR
A researcher using the handle Nightmare-Eclipse has published two further Microsoft Windows zero-day vulnerabilities, YellowKey and GreenPlasma, on top of the zero-days they had already leaked this year. YellowKey is described as a BitLocker bypass that needs physical access to the machine; GreenPlasma is a privilege escalation flaw. Both raise serious security concerns.
An anonymous security researcher known as Nightmare-Eclipse has publicly disclosed two new zero-day vulnerabilities in Microsoft Windows just after the company's monthly Patch Tuesday updates. The disclosures consist of a BitLocker bypass called YellowKey and a privilege escalation flaw named GreenPlasma, both of which pose serious risks. They follow a series of earlier zero-days published by the same researcher, raising concerns about ongoing threats to Windows systems.
Nightmare-Eclipse, who has already exposed three Windows zero-days this year, released technical details and partial exploit code for YellowKey and GreenPlasma. YellowKey lets an attacker with physical access boot a payload from a USB drive and obtain an unrestricted shell on a BitLocker-encrypted machine, defeating the encryption without knowing any user secret. Experts warn that, even though physical access is required, this is exactly the scenario BitLocker is meant to cover: a stolen laptop that would otherwise be a hardware loss becomes a data breach.
GreenPlasma is a privilege escalation vulnerability that can be used to gain SYSTEM-level access on affected systems. The partial exploit code the researcher published currently triggers a User Account Control (UAC) prompt, so a fully silent exploit is not yet public; on a machine where UAC is disabled, or where the user clicks through the prompt, that limitation does not apply. Cybersecurity professionals note that privilege escalation flaws of this kind are typically used after an initial foothold has been gained, letting attackers harvest credentials and move laterally across the network.
Why It Matters
The YellowKey and GreenPlasma disclosures matter because they landed immediately after Microsoft's patch release, leaving affected systems without a fix until at least the next update cycle. Because technical details and partial exploit code are public, malicious actors have a head start on producing weaponized versions, which raises the risk of targeted attacks, particularly against organizations that rely on BitLocker for device encryption. The leaks also underline the strained relationship between this researcher and Microsoft and the resulting exposure for enterprise and individual users alike.
Background
Nightmare-Eclipse began leaking Windows zero-days earlier this year with BlueHammer, RedSun, and UnDefend, which were privilege escalation and denial-of-service flaws. The researcher claims to be retaliating against Microsoft over what they describe as a breach of trust, and says they hold a 'dead man's switch' with further exploits ready to release. Some of those earlier disclosures have since been exploited in real-world attacks, which is why the new ones are being treated as a live threat rather than a theoretical one.
“If these claims hold up, a stolen laptop stops being a hardware problem and becomes a breach notification.”
— Rik Ferguson, VP of security intelligence at Forescout
“YellowKey remains a huge security problem for organizations using BitLocker, though mitigation involves using a PIN and BIOS password.”
— Gavin Knapp, cyber threat intelligence lead at Bridewell
“The same post linking yesterday’s releases warns of another Patch Tuesday surprise and hints at future RCE disclosures. They claim to have a dead man’s switch with more ready to go.”
— Ferguson
What Remains Unclear
It is not yet known whether Microsoft has assessed the full extent of these vulnerabilities or intends to ship out-of-band fixes rather than waiting for the next Patch Tuesday. How far the leaked material can be turned into fully weaponized exploits is also unverified, so the real threat level depends on how quickly attackers can build and deploy working versions.
What’s Next
Microsoft is likely to investigate the disclosed flaws and may release targeted security updates for YellowKey and GreenPlasma. In the meantime, security professionals recommend reducing the physical-access risk that YellowKey exploits: require a BitLocker pre-boot PIN in addition to the TPM, set a firmware (BIOS/UEFI) password, and do not leave a powered-on or sleeping laptop unattended. Watching for exploitation attempts in the weeks after these disclosures will be critical.
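The mitigations quoted in this article are configuration checks an administrator can script. The PowerShell below is an added example written for this page; it is not code from the article, from Nightmare-Eclipse, or from Microsoft. It audits whether the OS volume unlocks with the TPM alone (no pre-boot secret, which is the configuration a physical-access bypass relies on) and optionally adds a TPM+PIN protector, then reports whether UAC is configured to prompt at all, since the GreenPlasma exploit as published is stopped only by that prompt. It assumes Windows 10/11 with the built-in BitLocker cmdlets, an elevated session, and `C:` as the OS drive. The firmware password is vendor-specific and is not set here.

```powershell
# Added example, not from the original article: audit the two mitigations
# the article names (BitLocker pre-boot PIN, UAC prompting).
# Assumptions: Windows 10/11, BitLocker module present, run elevated, OS drive C:.
param(
    [switch]$Enforce,          # when set, add a TPM+PIN protector if one is missing
    [string]$MountPoint = "C:" # OS volume (assumption)
)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run from an elevated PowerShell session; protector changes need admin rights."
}

function Test-PreBootAuth {
    param([string]$MountPoint, [switch]$Enforce)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    Write-Host "Volume $MountPoint : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    Write-Host "Key protectors   : $($types -join ', ')"

    # Any of these protector types forces a secret or token before Windows boots.
    # A bare 'Tpm' protector releases the volume key silently at startup, so an
    # attacker who can boot the stolen machine never has to break the encryption.
    $preBoot = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })

    if ('RecoveryPassword' -notin $types) {
        # Never change protectors without an escrowed recovery password; a mistyped
        # PIN would otherwise lock the volume permanently.
        Write-Warning "No recovery password protector. Add one and back it up (AD/Entra ID) before enforcing a PIN."
        $Enforce = $false
    }

    if ($preBoot.Count -gt 0) {
        Write-Host "OK: pre-boot authentication present ($($preBoot -join ', '))."
        return $true
    }
    if ('Tpm' -notin $types) {
        Write-Warning "No TPM-based protector at all; check whether the volume is encrypted."
        return $false
    }

    Write-Warning "TPM-only unlock: no PIN or startup key is required before Windows boots."
    if (-not $Enforce) { return $false }

    # Group Policy must allow a PIN with the TPM before this protector is accepted:
    # HKLM\SOFTWARE\Policies\Microsoft\FVE  UseAdvancedStartup=1  UseTPMPIN=1 (require) or 2 (allow).
    $pin = Read-Host -AsSecureString "Startup PIN (digits, at least the policy minimum)"
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Only one TPM-family protector is meaningful; if the TPM-only one survived,
    # remove it so the PIN is actually enforced rather than optional.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }

    Write-Host "TPM+PIN protector added. Reboot and confirm the PIN prompt before the device leaves your hands."
    return $true
}

function Test-UacPromptPolicy {
    # GreenPlasma's published exploit is stopped by a UAC prompt; these values
    # decide whether that prompt ever appears for an administrator account.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    $ok  = $true
    if ($p.EnableLUA -ne 1) {
        Write-Warning "EnableLUA=$($p.EnableLUA): UAC is disabled, elevation is silent."; $ok = $false
    }
    # ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 1/2 = prompt on secure desktop,
    # 3/4 = prompt without secure desktop, 5 = prompt for non-Windows binaries (default).
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        Write-Warning "ConsentPromptBehaviorAdmin=0: admins are elevated without any prompt."; $ok = $false
    }
    if ($p.PromptOnSecureDesktop -ne 1) {
        Write-Warning "PromptOnSecureDesktop=$($p.PromptOnSecureDesktop): prompt can be spoofed or auto-clicked by user-mode code."
    }
    if ($ok) { Write-Host "OK: UAC prompts are enabled for elevation." }
    return $ok
}

$bitlockerOk = Test-PreBootAuth -MountPoint $MountPoint -Enforce:$Enforce
$uacOk       = Test-UacPromptPolicy
if (-not ($bitlockerOk -and $uacOk)) { exit 1 }
```

Run it as `.\Audit-Mitigations.ps1` to report only, or `.\Audit-Mitigations.ps1 -Enforce` to add the PIN protector; the non-zero exit code lets an endpoint-management job flag machines that still unlock silently. The script deliberately refuses to enforce a PIN when no recovery password is escrowed, because the usual failure mode of a rushed BitLocker hardening push is a fleet of locked-out laptops rather than a prevented bypass.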
Key Questions
What is YellowKey and how does it work?
YellowKey is a zero-day vulnerability that lets an attacker with physical access to a Windows device boot a malicious payload from a USB drive and obtain an unrestricted shell, bypassing BitLocker encryption without any user secret.
What is GreenPlasma and why is it dangerous?
GreenPlasma is a privilege escalation flaw that can give an attacker SYSTEM-level access on an affected machine, which in turn enables credential harvesting and lateral movement. The published partial exploit still triggers a UAC prompt.
Are these vulnerabilities already being exploited?
There is no confirmed evidence yet of active exploitation of YellowKey or GreenPlasma, but the partial exploit code, together with the real-world exploitation of the researcher's earlier leaks, suggests weaponized versions could appear quickly.
What should organizations do to protect themselves?
Organizations should require a BitLocker pre-boot PIN (TPM+PIN rather than TPM-only unlock), set firmware (BIOS/UEFI) passwords, monitor for suspicious activity, and apply Microsoft's official patches as soon as they are released.
Will Microsoft release patches for these vulnerabilities?
Microsoft has not yet confirmed fixes for YellowKey and GreenPlasma, but it is expected to address them in an upcoming security update following the disclosures.