YellowKey, GreenPlasma, RedSun: Three Unpatched Windows Zero-Days the Security World Is Watching Right Now

Picture this: someone walks into your office, plugs a USB stick into an employee's laptop, and five minutes later walks out with access to everything on that encrypted drive. Or imagine an employee with no admin rights running a simple script on a company computer and gaining full control of the operating system — no alert from the antivirus, no log entry, nothing to suggest anything happened at all.

These aren't hypothetical scenarios. They are real, working attack vectors that exist right now, with publicly available exploit code — and no patch from Microsoft for any of them.

They're called YellowKey, GreenPlasma, and RedSun. All three were released by the same researcher, operating under the aliases Nightmare-Eclipse and Chaotic Eclipse — and all three stem from his long-running frustration with how Microsoft handles reported security vulnerabilities. Or rather, fails to handle them.


What Is a Zero-Day — and Why Does This Situation Feel Different

Before we go deeper: a zero-day vulnerability is one that exists in software but hasn't been patched by the vendor yet. Attackers have a working exploit while defenders wait for a fix.

What makes this situation particularly serious is that all three exploits are publicly available on GitHub as functional code. An attacker doesn't need deep technical knowledge to use them — download, run, done. That's what turns these from theoretical vulnerabilities into an immediate threat for organisations that aren't even primary targets of sophisticated groups.


YellowKey — BitLocker No Longer Protects Your Data

What This Is About

BitLocker is Windows' built-in full-disk encryption. If your laptop has BitLocker enabled, the assumption is that anyone who steals it — or gains brief physical access — cannot read the data on the drive. It's encrypted.

YellowKey breaks that assumption entirely. The attacker doesn't need to know your password or PIN. They don't need to crack any encryption. All they need is a USB stick with specially crafted files and five minutes alone with your machine.

Technical Card

Name: YellowKey
Vulnerability type: BitLocker bypass via Windows Recovery Environment (WinRE)
CVE: Not assigned — Microsoft has not formally acknowledged the vulnerability
CVSS score: Not assigned — expert estimate: ~6.1–6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Requires physical access: Yes — direct access to the device or its hard drive
Requires password / login: No
Public exploit (PoC): Yes — available on GitHub since May 12, 2026
Actively exploited in the wild: Confirmed
Patch: Does not exist
Microsoft statement: "We are actively investigating the validity and potential applicability of these claims across our platforms and services"

How the Attack Works

YellowKey exploits a flaw in the Windows Recovery Environment (WinRE) — the repair environment Windows boots into when troubleshooting or recovering the system. Specifically, it abuses how WinRE replays NTFS transaction logs from a folder called FsTx on an attached drive.

In practice, the attack works as follows: the attacker prepares a USB stick containing a specially crafted FsTx folder, plugs it into the target machine, and reboots into WinRE — either by interrupting the boot sequence a few times or via Shift+Restart. While WinRE loads, they hold the CTRL key. Instead of a locked recovery menu, a command prompt opens — and the BitLocker-protected volume is already unlocked.

If the attacker can remove the physical drive from a device long enough to write the FsTx folder directly to the EFI system partition, the exploit triggers on the next normal boot — no USB stick required, no attacker presence needed.

Which Operating Systems Are Affected

The vulnerability affects Windows 11 in all editions, Windows Server 2022, and Windows Server 2025. The risk specifically applies to devices where BitLocker is configured in TPM-only mode, without a PIN — which happens to be the default setting on the vast majority of corporate laptops.

What an Attacker Can Do After a Successful Exploit

Read, copy, or delete everything on the encrypted drive. Install malware directly into system files. Harvest stored passwords, certificates, and cryptographic keys — everything that was previously considered protected by encryption.


GreenPlasma — Privilege Escalation via the CTFMON System Process

What This Is About

GreenPlasma is the second vulnerability from the same researcher, released one day after YellowKey on May 13, 2026. An attacker who gains access to a machine as a regular user — through a phishing email or a compromised account, for example — can use GreenPlasma to escalate to SYSTEM privileges: the highest permission level in Windows.

Technical Card

Name: GreenPlasma
Vulnerability type: Local Privilege Escalation via CTFMON
CVE: Not assigned — Microsoft has not formally acknowledged the vulnerability
CVSS score: Not assigned — expert estimate: ~7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Requires physical access: No — remote or local access with a low-privileged account is sufficient
Requires password / login: Yes — the attacker must be logged in as any user
Public exploit (PoC): Partial — intentionally incomplete code released (final component withheld)
Actively exploited in the wild: Not confirmed as a standalone attack vector
Patch: Does not exist
Microsoft statement: "We are actively investigating the validity and potential applicability of these claims across our platforms and services"

How the Attack Works

CTFMON (ctfmon.exe) is a Windows system process that runs in every interactive session and handles text input services. Because it runs with SYSTEM privileges, it's an attractive target for anyone looking to gain those privileges.

GreenPlasma exploits how Windows manages named objects in the kernel's Object Manager namespace. The attacker places a symbolic link at a location where the privileged CTFMON process expects to find a CTF session object. When CTFMON — or another privileged component — opens that object, it actually reaches an attacker-controlled location in memory.

By combining two techniques — an Object Manager symlink placed on a CTF session object, and registry link abuse via the CloudFiles policy structure — the attacker can force a system-level process to write or execute attacker-supplied code with SYSTEM rights.

The publicly available code is intentionally incomplete. The researcher noted explicitly: "If you know what you're doing, you can turn this into a full privilege escalation." For a skilled attacker, that's not a significant obstacle.

Which Operating Systems Are Affected

The vulnerability affects Windows 11 in all editions, Windows Server 2022, and Windows Server 2025.


RedSun — Microsoft Defender Turned Against Itself

What This Is About

Of the three vulnerabilities described here, RedSun is arguably the most serious — and the most paradoxical. It exploits Microsoft Defender itself: the antivirus software that's supposed to protect the machine becomes the entry point for the attack.

The vulnerability works on fully patched Windows 10 and Windows 11, with an estimated exploit success rate of approximately 100%. Defender is active on virtually every Windows device, either as the primary protection or as a secondary layer running alongside other tools. That makes the potential attack surface enormous.

Active exploitation in real-world attacks has been confirmed since April 16, 2026. This is not a theoretical threat sitting in a lab — it is live.

Technical Card

Name: RedSun
Vulnerability type: Local Privilege Escalation via Microsoft Defender remediation
CVE: Related vulnerability BlueHammer: CVE-2026-33825 — RedSun is a distinct exploitation technique without its own CVE
CVSS score: 7.8 High (assigned to related BlueHammer; RedSun has no independent CVSS rating yet)
Requires physical access: No
Requires password / login: Yes — the attacker must be logged in as any user without admin rights
Public exploit (PoC): Yes — fully functional, available since April 16, 2026
Actively exploited in the wild: Confirmed — real attacks recorded since April 2026
Patch: Does not exist (BlueHammer was patched; RedSun is a separate technique and remains unpatched)
Microsoft statement: No separate statement regarding RedSun specifically

How the Attack Works

Defender includes a feature that, upon detecting a malicious file tagged with a cloud marker, attempts to "restore" that file to its original location on disk. This restore operation runs with NT AUTHORITY\SYSTEM privileges. The critical flaw: Defender does not validate whether the target path has been tampered with.

RedSun exploits this gap. The attacker first creates a file that triggers a Defender detection. The file is then replaced with a cloud placeholder via the Windows Cloud Files API. Defender initiates a rollback — trying to restore the file. Meanwhile, using an NTFS junction and an opportunistic lock, the attacker pauses the restore operation and redirects the target path to C:\Windows\System32. Defender completes the write with SYSTEM privileges — but the file lands in the system directory rather than its original location.

The attacker then replaces the system binary TieringEngineService.exe with their own code and activates it via COM. The result is a SYSTEM shell — obtained without admin rights, without any user interaction, and without triggering a visible alert.

Which Operating Systems Are Affected

Effectively every Windows computer or server with Defender enabled: Windows 10 in all versions, Windows 11 in all versions, Windows Server 2016, 2019, 2022, and 2025. The scope of potentially affected devices is enormous.


What to Do Right Now — Before the Patch Arrives

There is no patch. But that doesn't mean there's nothing to do. The right mitigations can either block these exploits outright or raise the cost for attackers substantially.

Mitigations for YellowKey

The single most effective step available today is enabling TPM+PIN on all devices that hold sensitive data. YellowKey relies on BitLocker's auto-unlock feature at boot — if a PIN is required, the exploit simply does not work. This is the most important mitigation right now.

Check your current BitLocker configuration with the command manage-bde -protectors -get C:. If you see only TPM listed as a protector, it's time to add a PIN.

Consider disabling WinRE on devices where operations allow it (reagentc /disable). The entire vulnerability lives inside the WinRE image — without WinRE, there's nowhere for the exploit to run. Additionally, physically secure devices that hold sensitive data: cable locks, locked storage areas, movement logging.

Disabling USB boot in BIOS/UEFI and setting a BIOS password will raise the bar for the USB variant of the attack, but won't eliminate the EFI partition variant — keep that in mind.
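A practical way to run the two checks just described across a fleet is to script them. The following PowerShell function is an added example written for this advisory, not a tool from the researcher or from Microsoft; it assumes the BitLocker module (Get-BitLockerVolume, the cmdlet behind manage-bde -protectors -get) is present, that reagentc.exe is on the path, and that it runs from an elevated prompt.

```powershell
# Added example: report whether a volume is in the TPM-only BitLocker configuration
# that YellowKey relies on, and whether WinRE is enabled. Run from an elevated prompt.
function Test-YellowKeyExposure {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    # Get-BitLockerVolume exposes the same protector list as "manage-bde -protectors -get".
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # TPM-only: a 'Tpm' protector with no PIN-bearing protector beside it.
    $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin

    # reagentc /info prints a line such as "Windows RE status: Enabled".
    $reStatus = 'Unknown'
    foreach ($line in (& reagentc.exe /info 2>$null)) {
        if ($line -match 'Windows RE status:\s*(\w+)') { $reStatus = $Matches[1]; break }
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($types -join ', ')
        TpmOnly          = $tpmOnly
        WinREStatus      = $reStatus
        # The USB variant needs all three: TPM-only, protection on, WinRE available.
        # A TPM-only volume with WinRE disabled still leaves the EFI-partition variant open.
        ExposedToUsbVariant = $tpmOnly -and ("$($vol.ProtectionStatus)" -eq 'On') -and ($reStatus -eq 'Enabled')
    }
}

Test-YellowKeyExposure | Format-List
```

Collect the output through your management tooling; devices reporting TpmOnly = True with ProtectionStatus On are the population to move to TPM+PIN first.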

Mitigations for GreenPlasma

The key here is application allowlisting — a policy that permits only approved applications to run. Windows Defender Application Control or AppLocker can prevent unauthorised code from executing in the first place. Without that code running, the entire exploit has no starting point.

It's also worth reviewing who in your organisation has more local privileges than they actually need. GreenPlasma requires an already-logged-in user to work — the less privilege that user has, the smaller the impact of a successful attack.

In your EDR, configure monitoring for unusual ctfmon.exe behaviour: process spawning, network connections, or file access outside C:\Windows\System32\CTF are all worth flagging.

Mitigations for RedSun

If your organisation uses a third-party security product instead of Microsoft Defender — CrowdStrike, SentinelOne, Sophos, ESET, or similar — you are significantly less exposed. The flaw is specific to the way Defender handles file remediation, and other products do not share this logic.

If you rely on Defender as your primary protection, consider supplementing it with a third-party EDR or significantly increasing monitoring coverage. And the fundamental principle still applies: RedSun needs executable code on the target machine first. A strong phishing awareness programme, application control, and restricted local admin rights are the first line of defence — before the exploit even gets a chance to run.


What to Monitor — Detection Signals

If you have an EDR or SIEM deployed, the following behavioural patterns are worth configuring detections or alerts for.

For YellowKey: An unknown USB device connected immediately before a reboot into WinRE. The presence of an FsTx folder on USB media or the EFI partition. Unusual access to a BitLocker-protected volume from within the Windows Recovery Environment.

For GreenPlasma: Creation of symbolic links in the Object Manager namespace. Unexpected process spawning or network activity originating from ctfmon.exe. SYSTEM-level processes launched from a user context.

For RedSun: Defender remediation operations directing file writes toward C:\Windows\System32. Writes to system executables, particularly TieringEngineService.exe. COM activation of Storage Tiers Management (MSStorageSync) from an unexpected context. A SYSTEM shell process spawned from MsMpEng.exe — Defender's own process.
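As an added illustration that is not part of the original advisory, the GreenPlasma and RedSun signals above can be expressed as rules over Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records. The records below are constructed sample data; the field names Image, ParentImage and TargetFilename follow Sysmon, and the Defender engine path is a placeholder.

```powershell
# Added example: evaluate the GreenPlasma/RedSun detection signals against
# Sysmon-style records (Event ID 1 = process create, 11 = file create).
function Get-Leaf([string]$Path) { if ($Path) { ($Path -split '[\\/]')[-1].ToLower() } else { '' } }

function Find-EscalationSignals {
    param([Parameter(Mandatory)][object[]]$Events)
    $shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe'
    foreach ($e in $Events) {
        $parent = Get-Leaf $e.ParentImage
        $image  = Get-Leaf $e.Image
        $signal = $null
        if ($e.EventId -eq 1 -and $parent -eq 'ctfmon.exe') {
            $signal = 'GreenPlasma: ctfmon.exe spawned a child process'
        }
        elseif ($e.EventId -eq 1 -and $parent -eq 'msmpeng.exe' -and $shells -contains $image) {
            $signal = 'RedSun: shell spawned from MsMpEng.exe'
        }
        elseif ($e.EventId -eq 11 -and $image -eq 'msmpeng.exe' -and
                $e.TargetFilename -like 'C:\Windows\System32\*') {
            $signal = 'RedSun: Defender remediation wrote into System32'
            if ($e.TargetFilename -like '*\TieringEngineService.exe') { $signal += ' (TieringEngineService.exe)' }
        }
        elseif ($e.EventId -eq 11 -and $image -eq 'ctfmon.exe' -and
                $e.TargetFilename -notlike 'C:\Windows\System32\CTF\*') {
            $signal = 'GreenPlasma: ctfmon.exe wrote outside System32\CTF'
        }
        if ($signal) {
            $detail = if ($e.EventId -eq 11) { $e.TargetFilename } else { "$($e.ParentImage) -> $($e.Image)" }
            [pscustomobject]@{ Time = $e.UtcTime; User = $e.User; Signal = $signal; Detail = $detail }
        }
    }
}

# Constructed sample records (not real telemetry); the Defender path is a placeholder.
$mpeng  = 'C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe'
$sample = @(
    [pscustomobject]@{ EventId = 1;  UtcTime = '2026-05-14T09:12:03Z'; User = 'CORP\jdoe'
                       ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\notepad.exe' }
    [pscustomobject]@{ EventId = 11; UtcTime = '2026-05-14T09:13:41Z'; User = 'NT AUTHORITY\SYSTEM'
                       Image = $mpeng; TargetFilename = 'C:\Windows\System32\TieringEngineService.exe' }
    [pscustomobject]@{ EventId = 1;  UtcTime = '2026-05-14T09:13:45Z'; User = 'NT AUTHORITY\SYSTEM'
                       ParentImage = $mpeng; Image = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ EventId = 1;  UtcTime = '2026-05-14T09:20:10Z'; User = 'CORP\jdoe'
                       ParentImage = 'C:\Windows\System32\ctfmon.exe'; Image = 'C:\Windows\System32\cmd.exe' }
)
Find-EscalationSignals -Events $sample | Format-Table -AutoSize
```

The first record is benign and produces no output; the remaining three each trigger one of the rules, which is the shape the SIEM correlation should reproduce on live telemetry.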


What to Do When Microsoft Releases the Patch

Patches for all three vulnerabilities are expected on Patch Tuesday in June 2026, or earlier as an out-of-band emergency update if exploitation activity escalates significantly.

When the patch arrives, apply it within 24 to 48 hours. The exploits are public and attackers actively monitor patching activity — delay translates directly into risk.

For YellowKey in particular, be prepared for the fact that a standard Windows Update may not be sufficient. Fixes for WinRE vulnerabilities typically require updating the recovery image directly on disk — usually via reagentc /update or a dedicated tool that Microsoft will include with the patch. Verify that the fix has been applied on all devices, including remote workers and machines outside your standard management scope.

After a RedSun patch is available, audit your logs from April and May 2026 for unusual privilege escalations that might indicate the vulnerability was already exploited in your environment before you were aware of it.


The Bigger Picture

YellowKey, GreenPlasma, and RedSun point to a problem the security community has discussed for years: the components we trust most — disk encryption, antivirus software, core system processes — can themselves become attack vectors. And with functional exploit code publicly available, the technical barrier for attackers is lower than it has ever been.

Until Microsoft ships a patch, the combination of mitigations described above and heightened monitoring is the right response. If you're unsure how your organisation stands against these threats, or want a rapid review of your exposure, get in touch.



CypherOn is actively monitoring the development of these vulnerabilities and will update this advisory as new information becomes available. Last updated: 18 May 2026.

Microsoft official source: Microsoft MSRC CVE-2026-33825