Nightmare-Eclipse Discloses 2 Windows Zero-Days That Bypass BitLocker and Gain SYSTEM Access

3 articles · Updated · cybersecurity-insiders.com · Jun 9

Summary

  • YellowKey and GreenPlasma let attackers with limited local access abuse trusted Windows components to bypass BitLocker and escalate privileges, challenging assumptions that default protections and EDR can contain post-compromise activity.
  • YellowKey targets the Windows recovery interface: physical access, a reboot and an active USB port can expose encrypted drives and sensitive data such as documents, cached credentials, tokens and browser information.
  • GreenPlasma abuses the CTFMON text-input process to alter protected memory and elevate a standard user to SYSTEM, enabling credential theft, lateral movement, security-tool tampering and persistence.
  • 65% faster lateral movement in CrowdStrike’s 2026 threat report and Verizon’s finding that 54% of ransomware victims appeared in infostealer dumps underscore how quickly local footholds can expand into wider breaches.
  • The disclosure adds to Nightmare-Eclipse’s recent Windows findings and pushes organizations to harden BitLocker recovery paths, trim local privileges, monitor credential exposure and test stolen-device and insider-threat scenarios.

Insights

If attackers use Windows' own tools, how can companies distinguish friend from foe on their networks?
As one researcher repeatedly breaks Windows, are its built-in security features fundamentally flawed?
With BitLocker bypassed in 60 seconds, is data on a stolen laptop truly safe anymore?

Active Windows Zero-Days and BitLocker Bypass: The Nightmare-Eclipse Saga and Its Impact on Security (April–June 2026)

Overview

In April and May 2026, critical Windows zero-day vulnerabilities were publicly disclosed by the researcher Nightmare-Eclipse, who also goes by Chaotic Eclipse. Frustrated by Microsoft's unresponsive bug bounty program and by actions such as account deletions and GitHub freezes, Nightmare-Eclipse released the vulnerabilities publicly after feeling ignored. Real-world exploitation followed, as attackers quickly adopted the disclosed tools and exploits. The episode highlights the risk when responsible disclosure breaks down: poor vendor-researcher relations can translate directly into increased threats to users and organizations.

...