Exploit Code Released: Public PoC Dumps for Windows BitLocker Bypass and SYSTEM Elevation Zero-Days

In a escalation of hostilities against Microsoft, a researcher known as Chaotic Eclipse (operating under the alias Nightmare-Eclipse) has publicly disclosed proof-of-concept (PoC) exploit code for two major zero-day vulnerabilities. The release, published on GitHub on May 12, 2026, targets core Windows components, including a bypass for BitLocker encryption.

The researcher’s blog post suggests this move is a retaliatory strike, claiming Microsoft has failed to resolve ongoing security issues responsibly.

The most alarming of the two disclosures is YellowKey, a vulnerability that allows for a complete bypass of BitLocker drive encryption. Chaotic Eclipse describes the discovery as “insane,” suggesting that the nature of the bug almost feels like a deliberate backdoor.

The public exploit demonstrates how an attacker can gain unrestricted shell access to a protected volume using little more than a USB stick and a specific key combination during reboot.

The affected OS includes Windows 11 and Windows Server 2022/2025 (Windows 10 is reportedly unaffected). The vulnerability resides in a specific component within the Windows Recovery Environment (WinRE) image.

The researcher notes that while this component exists in normal Windows installations, only the version found in WinRE contains the specific functionalities that trigger the bypass.

“This is one of the most insane discoveries I ever found, almost feels like backdoor but what do you know, maybe I’m just insane…The component that is responsible for this bug is not present anywhere… except inside WinRE image… I just can’t come up with an explanation beside the fact that this was intentional,” the researcher wrote.

The second zero-day, GreenPlasma, targets the Windows CTFMON service and allows for an Arbitrary Section Creation Elevation of Privilege. While the researcher “stripped off” the final code needed for a full SYSTEM shell to challenge the community, the core exploit logic is now public.

The exploit creates an arbitrary memory section object in any directory object writeable by SYSTEM. Because many services and kernel-mode drivers “blindly trust” certain paths that standard users shouldn’t be able to write to, an attacker can influence these sections to manipulate data and escalate their privileges to full SYSTEM access.

This exploit was verified to work on Windows 11, Server 2022, and Server 2026.

The public availability of these exploits on GitHub drastically lowers the bar for attackers to compromise Windows systems. By dragging these vulnerabilities into the light, Chaotic Eclipse explicitly intends to force Microsoft into a difficult position.

Most ominously, the researcher warned that this is not the end: “Next patch tuesday will have a big surprise for you Microsoft. And remember, I never failed to deliver a promise”.