A security researcher has publicly dropped two previously unknown Windows zero-day exploits — dubbed YellowKey and GreenPlasma — without coordinating disclosure with Microsoft. The public release exposes Windows users to two attacks at once: a full-disk encryption bypass and an elevation-of-privilege exploit.
YellowKey: BitLocker Bypass
YellowKey is a BitLocker bypass exploit that allows an attacker with physical access to a Windows device to circumvent Microsoft's full-disk encryption. While the physical access requirement limits remote exploitation, the bypass is significant in scenarios involving:
- Stolen or lost laptops
- Physical security breaches
- Insider threats with brief physical device access
- Law enforcement or forensic scenarios on locked devices
BitLocker is widely used by enterprises to protect sensitive data at rest. A successful bypass could expose confidential documents, credentials, encryption keys, and other data even when the device is powered off or locked.
Technically, YellowKey exploits a flaw in how BitLocker validates the pre-boot environment, which may let an attacker boot into a state where disk encryption is bypassed or the recovery key can be extracted.
GreenPlasma: Elevation of Privileges to SYSTEM
GreenPlasma is a local privilege escalation (LPE) exploit that allows a low-privileged Windows user to escalate their permissions to SYSTEM — the highest privilege level on a Windows machine. This class of vulnerability is commonly chained with other exploits in real-world attacks:
- Attacker gains initial foothold via phishing or RCE with limited privileges
- GreenPlasma is deployed to escalate to SYSTEM
- Attacker now has full control over the compromised host
SYSTEM-level access enables an attacker to:
- Disable antivirus and endpoint detection tools
- Dump credential hashes from memory (LSASS)
- Install persistent backdoors or rootkits
- Access any file or resource on the system
Disclosure Concerns
The researcher released both exploits publicly without prior notification to Microsoft, skipping coordinated (responsible) disclosure entirely. This leaves Windows users unpatched and exposed until Microsoft ships an out-of-band fix or addresses the bugs in the next Patch Tuesday release.
This follows a recent pattern of so-called "full disclosure" drops where researchers frustrated with vendor response times — or seeking to demonstrate severity — release working exploit code without a coordinated patch timeline.
Microsoft has not yet acknowledged the vulnerabilities or issued an advisory as of publication.
What Windows Users Should Do
Until official patches are released:
For YellowKey (BitLocker bypass):
- Enable pre-boot authentication with a strong PIN in addition to TPM
- Enable Secure Boot and ensure UEFI firmware is up to date
- Physically secure devices and monitor for unauthorized physical access
- Consider enabling BitLocker Network Unlock policies where appropriate
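The checklist above can be verified on a host with a short read-only audit. The following script is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 10/11 or Server 2016+ with the built-in BitLocker module, and reports whether the OS volume has a TPM+PIN protector, whether Secure Boot is on, and which firmware build is installed so it can be compared against the OEM's current release.

```powershell
# Added example (not from the original article): audit the YellowKey hardening
# items above on a Windows host. Read-only; requires an elevated PowerShell
# session and the BitLocker module (Windows 10/11, Server 2016+).

$report = [ordered]@{}

# 1. Secure Boot state (Confirm-SecureBootUEFI throws on legacy BIOS firmware)
try {
    $report.SecureBoot = Confirm-SecureBootUEFI
} catch {
    $report.SecureBoot = 'Not available (legacy BIOS or unsupported firmware)'
}

# 2. BitLocker protectors on the OS volume: TPM+PIN is the target, TPM-only is the gap
$osDrive = $env:SystemDrive
$vol     = Get-BitLockerVolume -MountPoint $osDrive
$types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

$report.BitLockerStatus  = $vol.ProtectionStatus
$report.KeyProtectors    = ($types -join ', ')
$report.PreBootPin       = [bool]($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
$report.NetworkUnlock    = [bool]($types -contains 'TpmNetworkKey')
$report.RecoveryPassword = [bool]($types -contains 'RecoveryPassword')

# 3. Firmware version and date, to compare with the vendor's latest UEFI release
$bios = Get-CimInstance -ClassName Win32_BIOS
$report.FirmwareVersion = $bios.SMBIOSBIOSVersion
$report.FirmwareDate    = $bios.ReleaseDate

[pscustomobject]$report | Format-List

# Flag the findings an administrator should act on
if ($report.BitLockerStatus -ne 'On') {
    Write-Warning "BitLocker protection is not On for $osDrive."
}
if (-not $report.PreBootPin) {
    Write-Warning "$osDrive is protected by TPM only: add a TPM+PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector)."
}
if ($report.SecureBoot -ne $true) {
    Write-Warning 'Secure Boot is not enabled or not reported; enable it in UEFI setup.'
}
if (-not $report.RecoveryPassword) {
    Write-Warning 'No recovery password protector found; escrow one (for example in AD or Entra ID) before enforcing a PIN.'
}
```

The script only reads state; the remediation cmdlet named in the warning is Microsoft's own `Add-BitLockerKeyProtector`, and the PIN must be supplied as a SecureString when you run it. Run the audit on a fleet through your management tooling and treat any host reporting `PreBootPin = False` as still exposed to a physical-access bypass of this kind.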
For GreenPlasma (Privilege Escalation):
- Apply the principle of least privilege — ensure users do not run with unnecessary administrative rights
- Enable Windows Defender Exploit Guard and Attack Surface Reduction (ASR) rules
- Monitor for anomalous privilege changes using Windows Event Logs (Event IDs 4672 and 4697)
- Keep endpoint detection and response (EDR) tools current and active
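The monitoring item above names two Security-log events; the script below turns that into a concrete review. It is an added example, not code from the article or from Microsoft: it assumes an elevated session on the host being reviewed, that Security auditing is enabled for logon (4672) and for security system extension (4697), and the `$knownAccounts` list and 24-hour window are assumptions you should tune to your environment.

```powershell
# Added example (not from the original article): review recent Security-log
# events that the GreenPlasma guidance above points at.
#   4672 - special privileges assigned to a new logon (e.g. SeDebugPrivilege)
#   4697 - a service was installed (a common follow-on once SYSTEM is obtained)
# Read-only; run in an elevated session. $hours and $knownAccounts are assumptions.

$hours         = 24
$knownAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'DWM-1', 'UMFD-0')

# Turn the EventData section of an event's XML into a name -> value hashtable
function Get-EventFields($Record) {
    $xml    = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Pull both event IDs in a single query over the review window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672, 4697
    StartTime = (Get-Date).AddHours(-$hours)
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $f       = Get-EventFields $e
    $subject = "$($f.SubjectDomainName)\$($f.SubjectUserName)"

    if ($e.Id -eq 4672) {
        # Built-in and machine accounts ($-suffixed) log on with these rights all day;
        # what matters is an ordinary user suddenly receiving them.
        $isExpected = ($knownAccounts -contains $f.SubjectUserName) -or ($f.SubjectUserName -like '*$')
        if (-not $isExpected) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Subject = $subject
                Detail  = ($f.PrivilegeList -replace '\s+', ' ')
            }
        }
    }
    elseif ($e.Id -eq 4697) {
        # Every new service is worth a look; note the binary path and the account it runs as
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Subject = $subject
            Detail  = "Service '$($f.ServiceName)' -> $($f.ServiceFileName) (runs as $($f.ServiceAccount))"
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A single 4672 for a standard user is not proof of exploitation, but a 4672 followed within seconds by a 4697 from the same logon, or a service binary under a user-writable path, is the pattern to escalate to incident response. Event 4697 is only written when "Audit Security System Extension" is enabled in the advanced audit policy, so confirm that setting before relying on the second half of the query.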
General:
- Watch for Microsoft security advisories and apply emergency patches as soon as they are released
- Monitor Microsoft's Security Update Guide for out-of-band updates
References
- SecurityWeek: Researcher Drops YellowKey, GreenPlasma Windows Zero-Days
- Microsoft Security Response Center (MSRC)
- Related: 2026-04-06 Windows BlueHammer Zero-Day