A security researcher has publicly released proof-of-concept (PoC) exploit code for two unpatched Microsoft Windows vulnerabilities — tracked informally as YellowKey and GreenPlasma — that respectively bypass BitLocker drive encryption and enable local privilege escalation. The release of working PoC code without an available Microsoft patch significantly raises the risk of exploitation by threat actors, ransomware operators, and physical-access attackers.
The Two Vulnerabilities
YellowKey — BitLocker Bypass
YellowKey targets Windows BitLocker, Microsoft's full-disk encryption technology that protects data on Windows devices. Successful exploitation of YellowKey allows an attacker with physical or local access to a BitLocker-protected device to read the contents of encrypted drives without knowing the BitLocker PIN or recovery key.
BitLocker is a foundational data protection control relied upon by enterprises, government agencies, and healthcare organizations to protect sensitive data on lost or stolen devices. A bypass that defeats this protection without requiring cryptographic material represents a serious breach of the BitLocker security model.
Potential attack scenarios:
- Physical theft of a laptop — attacker recovers data despite BitLocker being enabled
- Insider threat with physical access bypasses BitLocker to exfiltrate data
- Law enforcement / forensic tools leveraging the technique for device access
- Targeted espionage against personnel with encrypted devices
GreenPlasma — Privilege Escalation
GreenPlasma is a local privilege escalation (LPE) vulnerability that allows a user with standard (non-administrative) privileges to escalate to SYSTEM-level access on a vulnerable Windows machine.
LPE vulnerabilities are highly valuable to attackers because they are routinely chained with initial access techniques:
- Attacker gains low-privilege access via phishing, malware, or exploitation of another vulnerability
- GreenPlasma is used to escalate from a standard user account to SYSTEM
- With SYSTEM privileges, the attacker achieves full control of the machine
This two-stage approach (initial access + LPE) is the standard playbook for ransomware operators, nation-state APT groups, and penetration testers alike.
Why This Is Particularly Serious
The combination of YellowKey + GreenPlasma in the hands of an attacker creates a powerful chain:
| Step | Technique | Result |
|---|---|---|
| 1 | Gain low-privilege local access to target Windows machine | Foothold on the system |
| 2 | Use GreenPlasma to escalate to SYSTEM | Full OS control |
| 3 | Use YellowKey to access BitLocker-protected volumes | Access to encrypted data |
| 4 | Exfiltrate sensitive data or deploy ransomware | Full compromise |
The availability of public PoC code means these vulnerabilities are no longer theoretical — any moderately skilled attacker can attempt exploitation.
Current Patch Status
As of the May 2026 Patch Tuesday release (which fixed 120 vulnerabilities), neither YellowKey nor GreenPlasma has a Microsoft patch available. This places both vulnerabilities in the category of unpatched zero-days, meaning defenders cannot rely on vendor-supplied fixes and must implement mitigations.
Microsoft has been notified and is presumably working on patches, which may arrive in a future out-of-band (OOB) update or the June 2026 Patch Tuesday release.
Affected Versions
The researcher has not disclosed full version specifics, but based on the PoC release:
- Windows 11 (multiple versions) — confirmed affected
- Windows 10 (supported versions) — likely affected, testing ongoing
- Windows Server — exposure being assessed
Organizations should assume all supported Windows versions are affected until Microsoft provides official guidance.
Immediate Mitigations
With no patch available, defenders must rely on the following compensating controls:
For YellowKey (BitLocker Bypass)
Enable BitLocker with TPM + PIN
The standard "TPM-only" BitLocker configuration is more exposed. Enable TPM + PIN or TPM + startup key for stronger pre-boot authentication:
```powershell
# Check current BitLocker protector type
Get-BitLockerVolume C: | Select-Object -ExpandProperty KeyProtector
# Add a PIN to an existing TPM-protected drive
# (-TpmAndPinProtector requires the PIN as a SecureString via -Pin, and the
#  "Require additional authentication at startup" policy must permit a PIN)
$pin = Read-Host -AsSecureString -Prompt "Enter the new BitLocker PIN"
Add-BitLockerKeyProtector -MountPoint "C:" -TpmAndPinProtector -Pin $pin
# Afterwards confirm only the TpmPin protector remains; remove a leftover TPM-only
# protector with Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId <id>
```
Enable Secure Boot and Verify Boot Configuration
Ensure Secure Boot is enabled and the boot chain has not been modified:
```powershell
# Check Secure Boot status
Confirm-SecureBootUEFI
# Verify TPM status
Get-Tpm
```
Restrict Physical Access
Physical security controls are the most effective immediate mitigation for BitLocker bypass attacks requiring local access:
- Implement access controls for areas where sensitive devices are stored
- Use cable locks or secure storage for unattended laptops
- Deploy device tracking and remote wipe capabilities (Microsoft Intune, etc.)
For GreenPlasma (Privilege Escalation)
Enforce Principle of Least Privilege
Ensure users operate under standard user accounts, not local administrator accounts:
```powershell
# Audit local administrator group membership
Get-LocalGroupMember -Group "Administrators"
# Remove unnecessary local admin rights ("Domain\username" is a placeholder for the account to remove)
Remove-LocalGroupMember -Group "Administrators" -Member "Domain\username"
```
Enable Windows Defender Credential Guard and Device Guard
```powershell
# Check Device Guard / Credential Guard status
# (SecurityServicesRunning contains 1 when Credential Guard is running and 2 when HVCI is running)
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
Select-Object -Property SecurityServicesRunning
```
Monitor for Privilege Escalation Indicators
Configure SIEM/EDR to alert on:
- Process creation events where low-privilege processes spawn SYSTEM-level children
- Unusual SYSTEM-level token creation events (Event ID 4672 with unexpected sources)
- Modifications to sensitive registry keys by non-SYSTEM processes
- LoadLibrary calls from standard user processes targeting kernel-adjacent DLLs
Deploy Endpoint Detection and Response (EDR)
EDR solutions with behavioral analysis capabilities may detect GreenPlasma exploitation based on anomalous privilege escalation behavior, even without a specific signature for the vulnerability.
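The mitigations for both vulnerabilities above reduce to a handful of host settings that can be checked in one pass. The script below is an added example, not code from the original article or from Microsoft: it reports PASS/FAIL for the OS volume's BitLocker protector type (TPM+PIN or startup key versus TPM-only), Secure Boot, TPM readiness, local Administrators membership and Credential Guard. It must run in an elevated PowerShell session on the host being assessed; the ExpectedAdmins allowlist is an assumption to adapt to your environment, while every cmdlet and property it uses is a built-in Windows one.

```powershell
# Added example (not code from the original article): a read-only posture check for the
# compensating controls in "Immediate Mitigations". Run from an elevated PowerShell session
# on the Windows host being assessed. The ExpectedAdmins allowlist is an assumption to adapt;
# all cmdlets and property names used are built-in Windows ones.

function New-PostureResult {
    param([string] $Check, [bool] $Pass, [string] $Detail)
    [pscustomobject]@{ Check = $Check; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

function Test-OsVolumeProtector {
    param([Parameter(Mandatory)] $Volume)
    # A bare 'Tpm' protector is the TPM-only setup the article calls more exposed; only
    # protectors that demand a PIN or startup key before boot count as hardened here.
    $types  = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $strong = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
    $pass   = ("$($Volume.ProtectionStatus)" -eq 'On') -and ($strong.Count -gt 0)
    New-PostureResult "BitLocker $($Volume.MountPoint)" $pass "protection=$($Volume.ProtectionStatus) protectors=$($types -join ',')"
}

function Get-HardeningPosture {
    param([string[]] $ExpectedAdmins = @("$env:COMPUTERNAME\Administrator"))   # assumption: adapt per environment
    $results = [System.Collections.Generic.List[object]]::new()

    # YellowKey mitigations: pre-boot authentication on the OS volume, Secure Boot, TPM readiness
    foreach ($vol in Get-BitLockerVolume) {
        if ("$($vol.VolumeType)" -eq 'OperatingSystem') { $results.Add((Test-OsVolumeProtector $vol)) }
    }
    try   { $secureBoot = Confirm-SecureBootUEFI }   # throws on legacy BIOS / non-UEFI firmware
    catch { $secureBoot = $null }
    $sbDetail = if ($null -eq $secureBoot) { 'not UEFI or query failed' } else { "enabled=$secureBoot" }
    $results.Add((New-PostureResult 'Secure Boot' ($secureBoot -eq $true) $sbDetail))
    $tpm = Get-Tpm
    $results.Add((New-PostureResult 'TPM' ($tpm.TpmPresent -and $tpm.TpmReady) "present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)"))

    # GreenPlasma mitigations: least privilege on the local Administrators group, Credential Guard
    $admins   = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    $extra    = @($admins | Where-Object { $_ -notin $ExpectedAdmins })
    $adDetail = if ($extra.Count -gt 0) { "unexpected: $($extra -join ',')" } else { 'only expected members' }
    $results.Add((New-PostureResult 'Local Administrators' ($extra.Count -eq 0) $adDetail))
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    # SecurityServicesRunning holds 1 while Credential Guard is running and 2 for HVCI
    $cgRunning = @($dg.SecurityServicesRunning) -contains 1
    $results.Add((New-PostureResult 'Credential Guard' $cgRunning "VBS status=$($dg.VirtualizationBasedSecurityStatus) running=$(@($dg.SecurityServicesRunning) -join ',')"))

    return $results
}

Get-HardeningPosture | Format-Table -AutoSize
```

The check deliberately grades only the operating-system volume on protector type, since TPM+PIN applies to the boot volume while data volumes are normally auto-unlocked; a fleet-wide run (for example through Intune or a remoting session) turns the output into the audit the recommendations table asks for.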
Detection Opportunities
| Indicator | Event / Log Source | Description |
|---|---|---|
| Unexpected BitLocker key protector changes | Windows Security Event Log / Event 24577-24657 | Key protector add/remove outside expected maintenance |
| Process token elevation anomalies | Sysmon Event ID 1, Windows Event 4688 | Low-privilege process spawning with SYSTEM token |
| Registry modifications to BitLocker policy keys | Sysmon Event ID 13 | Unauthorized policy changes |
| Physical access alerts | Physical security systems / CCTV | Device access outside normal hours |
| Unexpected manage-bde or bdehdcfg execution | Process audit logs | BitLocker management tool invocation |
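To make the indicators in the monitoring list and the table above concrete, here is an added example (not from the original article) of a small offline triage pass over constructed event records: it flags a 4688 whose creating account is an ordinary user while the new process runs as SYSTEM, manage-bde or bdehdcfg launched outside a maintenance window, and BitLocker events in the 24577-24657 range raised by an account that is not supposed to touch key protectors. The sample records, the 08:00-18:00 window and the `svc_bitlocker` maintenance account are all assumptions; the 4688 field names follow the Security log schema as a SIEM export would present them.

```powershell
# Added example (not code from the original article): an offline triage pass that applies the
# indicators from the monitoring list and the table above to a handful of constructed event
# records. The records are made up; field names follow the Security log 4688 schema as a
# SIEM export would present them. The maintenance window, the maintenance account name and
# the use of event IDs 24577-24657 for BitLocker protector changes are assumptions to tune.

# Constructed sample events; none of this is real telemetry.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2026-05-14T03:12:00'; SubjectUserName = 'jdoe'
                       TargetUserName = 'SYSTEM'; NewProcessName = 'C:\Users\jdoe\AppData\Local\Temp\upd.exe'
                       ParentProcessName = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2026-05-14T03:13:00'; SubjectUserName = 'SYSTEM'
                       TargetUserName = 'SYSTEM'; NewProcessName = 'C:\Windows\System32\svchost.exe'
                       ParentProcessName = 'C:\Windows\System32\services.exe' }
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2026-05-14T02:40:00'; SubjectUserName = 'jdoe'
                       TargetUserName = 'jdoe'; NewProcessName = 'C:\Windows\System32\manage-bde.exe'
                       ParentProcessName = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2026-05-14T10:05:00'; SubjectUserName = 'svc_bitlocker'
                       TargetUserName = 'svc_bitlocker'; NewProcessName = 'C:\Windows\System32\manage-bde.exe'
                       ParentProcessName = 'C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Id = 24620; TimeCreated = [datetime]'2026-05-14T02:41:00'; SubjectUserName = 'jdoe'
                       Message = 'constructed: key protector removed from volume C:' }
)

function Find-TokenElevationAnomaly {
    param([Parameter(Mandatory)] [object[]] $Events)
    # 4688 where the creator (Subject) is an ordinary user account but the new process runs
    # as SYSTEM (Target): the "low-privilege process spawning with SYSTEM token" indicator.
    $serviceAccounts = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
    $Events | Where-Object {
        $_.Id -eq 4688 -and $_.TargetUserName -eq 'SYSTEM' -and
        $_.SubjectUserName -notin $serviceAccounts -and -not $_.SubjectUserName.EndsWith('$')
    }
}

function Find-BitLockerToolOutsideMaintenance {
    param([Parameter(Mandatory)] [object[]] $Events, [int] $WindowStart = 8, [int] $WindowEnd = 18)
    # manage-bde / bdehdcfg launched outside the (assumed) 08:00-18:00 maintenance window.
    $tools = 'manage-bde.exe', 'bdehdcfg.exe'
    $Events | Where-Object {
        $_.Id -eq 4688 -and ([IO.Path]::GetFileName($_.NewProcessName).ToLower() -in $tools) -and
        ($_.TimeCreated.Hour -lt $WindowStart -or $_.TimeCreated.Hour -ge $WindowEnd)
    }
}

function Find-UnexpectedProtectorChange {
    param([Parameter(Mandatory)] [object[]] $Events, [string[]] $MaintenanceAccounts = @('svc_bitlocker'))
    # BitLocker management events in the 24577-24657 range raised by anyone other than the
    # accounts that are supposed to touch key protectors.
    $Events | Where-Object {
        $_.Id -ge 24577 -and $_.Id -le 24657 -and $_.SubjectUserName -notin $MaintenanceAccounts
    }
}

function Invoke-Triage {
    param([object[]] $Events = $SampleEvents)
    $alerts = [System.Collections.Generic.List[object]]::new()
    $rules = @{
        'SYSTEM token from user-created process'     = { param($e) Find-TokenElevationAnomaly $e }
        'BitLocker tool run outside maintenance'     = { param($e) Find-BitLockerToolOutsideMaintenance $e }
        'Key protector change by unexpected account' = { param($e) Find-UnexpectedProtectorChange $e }
    }
    foreach ($name in $rules.Keys) {
        foreach ($hit in @(& $rules[$name] $Events)) {
            $alerts.Add([pscustomobject]@{ Rule = $name; Time = $hit.TimeCreated; User = $hit.SubjectUserName
                                           Detail = $(if ($hit.NewProcessName) { $hit.NewProcessName } else { $hit.Message }) })
        }
    }
    return $alerts
}

Invoke-Triage | Sort-Object Time | Format-Table -AutoSize
```

On the constructed sample this yields three alerts (the SYSTEM-token process at 03:12, the manage-bde launch at 02:40, and the protector change by jdoe at 02:41) and correctly ignores the SYSTEM-spawned svchost and the maintenance account's daytime manage-bde run. Feeding real records is a matter of replacing `$SampleEvents` with the output of `Get-WinEvent` (or your SIEM's export) mapped to the same property names.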
Context: Previous Windows Encryption Bypass Disclosures
This is not the first time BitLocker's security model has been challenged. Notable prior disclosures include:
| Disclosure | Year | Technique |
|---|---|---|
| BitLocker TPM sniffing | 2019 | Physical TPM bus sniffing to extract encryption keys |
| BitPicker (Cold Boot Attack) | 2018 | RAM freezing to extract BitLocker keys from memory |
| GRUB2 BitLocker bypass | 2023 | Boot loader manipulation to bypass Secure Boot |
| CVE-2024-20666 | 2024 | BitLocker bypass via Windows Recovery Environment |
YellowKey appears to represent a new technique in this lineage, though full technical details remain undisclosed pending Microsoft's patch response.
Recommendations for Security Teams
| Priority | Action |
|---|---|
| Immediate | Audit BitLocker deployment — ensure TPM+PIN is enforced, not TPM-only |
| 24 hours | Restrict local administrator access — remove unnecessary local admin rights |
| 48 hours | Configure EDR behavioral rules for privilege escalation anomalies |
| 72 hours | Monitor MSRC and BleepingComputer for patch availability announcement |
| Ongoing | Apply patch immediately upon Microsoft release |