Mystery Microsoft bug leaker keeps the zero-days coming

TL;DR

An unidentified security researcher, known as Nightmare-Eclipse or Chaotic Eclipse, has released details of two new Windows zero-day vulnerabilities, YellowKey and GreenPlasma, shortly after Microsoft’s Patch Tuesday updates. This marks the latest in a series of disclosures that threaten to undermine Windows security.

An anonymous security researcher known as Nightmare-Eclipse has revealed two new Windows zero-day vulnerabilities, YellowKey and GreenPlasma, just after Microsoft’s recent Patch Tuesday. The disclosures, which include technical details and partial exploit code, heighten concerns about ongoing security risks and the potential for malicious exploitation.

Nightmare-Eclipse has publicly shared details of YellowKey, a flaw that allows BitLocker encryption to be bypassed by an attacker with physical access, and GreenPlasma, a privilege escalation vulnerability that could give attackers SYSTEM-level control. The researcher described YellowKey as ‘one of the most insane discoveries I ever found,’ providing files that, once loaded onto a USB drive, give an attacker unrestricted shell access if the sequence is entered correctly.

Experts warn that, despite requiring physical access, YellowKey significantly increases risks for stolen laptops, as bypassing BitLocker effectively renders the encryption ineffective. Rik Ferguson, VP of security intelligence at Forescout, stated, ‘If [the claim] holds up, a stolen laptop stops being a hardware problem and becomes a breach notification.’ Cyber threat analysts note that implementing additional security measures like PINs and BIOS passwords can mitigate YellowKey. Meanwhile, GreenPlasma, which is only partially exploitable in its current form, could be weaponized to escalate privileges once a system is compromised, according to security professionals.

Why It Matters

This development is significant because it underscores the persistent threat posed by zero-day vulnerabilities and the potential for malicious actors to exploit them. The disclosures come amid ongoing concerns about security vulnerabilities that can be weaponized for data theft, ransomware, or unauthorized access. The fact that the researcher has released multiple exploits this year suggests a campaign that could undermine trust in Windows security and complicate patch management for organizations.


Background

Nightmare-Eclipse, also known as Chaotic Eclipse, first emerged as a security researcher who released proof-of-concept exploits for Windows vulnerabilities earlier this year, including BlueHammer, RedSun, and UnDefend. The leaks followed an apparent personal grievance, with the researcher claiming breaches of trust and a desire to retaliate against Microsoft. The previous disclosures have already been exploited in the wild, prompting Microsoft to issue patches for some, but not all, of these vulnerabilities.

YellowKey and GreenPlasma are the latest in a series of five zero-days disclosed this year. The researcher has indicated that more exploits are available, potentially with a ‘dead man’s switch’ ready to activate, suggesting an ongoing campaign of disclosures and potential attacks.

“YellowKey remains a huge security problem for organizations using BitLocker. It can be mitigated by implementing a PIN and BIOS password.”

— Gavin Knapp, cyber threat intelligence lead at Bridewell

“The same post linking yesterday’s releases warns of another Patch Tuesday surprise and hints at future RCE disclosures. They claim to have a dead man’s switch with more ready to go.”

— Ferguson


What Remains Unclear

It is not yet clear whether Microsoft will release patches addressing YellowKey and GreenPlasma in upcoming updates. The full technical details and exploit code for GreenPlasma are incomplete, requiring further analysis to determine the actual risk level. The credibility of the researcher’s claims and the potential for active exploitation remain under assessment.


What’s Next

Microsoft has not publicly commented on these disclosures. Security experts expect the company to investigate the vulnerabilities and potentially include fixes in future Patch Tuesday releases. Organizations are advised to review security protocols and consider mitigations for physical access attacks, such as BIOS passwords and PIN protections.


Key Questions

Are these vulnerabilities already being exploited in the wild?

There is currently no confirmed evidence of active exploitation. However, the researcher has provided technical details and partial code, which could be weaponized by attackers once analyzed.

Will Microsoft patch these vulnerabilities?

Microsoft has not yet announced any patches. It is possible they will address these in upcoming security updates if the vulnerabilities are confirmed and deemed critical.

What can organizations do to protect themselves?

Organizations should implement additional security measures such as BIOS passwords, BitLocker PINs, and physical security controls. Monitoring for unusual activity and applying patches promptly remain essential.
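The mitigation named above and in the What’s Next section (a BitLocker pre-boot PIN on top of the TPM) is something an administrator can audit and enforce from PowerShell. The script below is an added example, not code from the article or from the researcher; it uses the built-in Windows BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) and the BitLocker policy registry keys under HKLM\SOFTWARE\Policies\Microsoft\FVE, and assumes an elevated session on Windows 10/11. The function names are this example’s own. Setting a firmware (BIOS/UEFI) password is vendor-specific and is left as a manual step.

```powershell
# Added example (not from the article). Audits operating-system volumes for a
# TPM+PIN pre-boot protector and, on request, converts a TPM-only volume to
# TPM+PIN. Requires the BitLocker module and an elevated session.

function Get-BitLockerPreBootPosture {
    # Returns one object per OS volume describing which key protectors exist.
    [CmdletBinding()]
    param()

    $osVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    foreach ($vol in $osVolumes) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus      # On / Off
            EncryptionMethod = $vol.EncryptionMethod
            HasTpmOnly       = [bool]($types -contains 'Tpm')
            HasTpmPin        = [bool]$hasPin
            HasRecoveryPwd   = [bool]($types -contains 'RecoveryPassword')
            # TPM-only (no pre-boot PIN) is the posture the article's experts
            # recommend moving away from.
            NeedsAttention   = (-not $hasPin)
        }
    }
}

function Enable-TpmPinProtector {
    # Converts a TPM-only OS volume to TPM+PIN. The PIN is passed as a
    # SecureString; nothing is written to disk in clear text.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Safety check: never remove the TPM protector unless a recovery password
    # protector exists, otherwise a failed step could lock the volume.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "Volume $MountPoint has no RecoveryPassword protector; add and escrow one first."
    }

    # Local policy must allow a startup PIN before Add-BitLockerKeyProtector
    # accepts -TpmAndPinProtector. These are the documented FVE policy values
    # (UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow). A domain GPO
    # overrides them, so align with your GPO baseline rather than relying on
    # the local write alone.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if ($PSCmdlet.ShouldProcess($fve, 'Allow TPM+PIN startup authentication')) {
        New-Item -Path $fve -Force | Out-Null
        New-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -PropertyType DWord -Force | Out-Null
    }

    # Only one TPM-based protector may exist per volume, so drop the bare TPM
    # protector before adding TPM+PIN.
    $tpmOnly = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    foreach ($p in $tpmOnly) {
        if ($PSCmdlet.ShouldProcess($MountPoint, "Remove TPM-only protector $($p.KeyProtectorId)")) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Add TPM+PIN protector')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }

    Get-BitLockerPreBootPosture | Where-Object { $_.MountPoint -eq $MountPoint }
}

# Usage (run elevated):
#   Get-BitLockerPreBootPosture | Format-Table
#   $pin = Read-Host -AsSecureString 'New BitLocker PIN'
#   Enable-TpmPinProtector -MountPoint 'C:' -Pin $pin -WhatIf   # dry run first
```

Run the audit first across a fleet (for example through a configuration-management job) to find TPM-only OS volumes, then apply the conversion with -WhatIf before committing. Keep the recovery password escrowed in Active Directory, Entra ID or your key vault before touching protectors, since removing the wrong one is the fastest way to lock yourself out of a machine.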

Who is the researcher behind these disclosures?

The individual is known as Nightmare-Eclipse or Chaotic Eclipse, and they have a history of releasing Windows vulnerabilities, citing personal grievances and trust violations as motivations.
