An anonymous cybersecurity researcher has returned with two more unpatched Windows zero-day vulnerabilities, following an earlier disclosure of three Microsoft Defender flaws. The new disclosures — codenamed YellowKey and GreenPlasma — target BitLocker drive encryption and the Windows Collaborative Translation Framework (CTFMON) respectively, exposing Windows systems to bypass and privilege escalation attacks without an official Microsoft patch in place.
The New Zero-Days at a Glance
| Codename | Component | Impact | Patch Available |
|---|---|---|---|
| YellowKey | BitLocker (drive encryption) | Bypass full-disk encryption protection | No |
| GreenPlasma | CTFMON (Collaborative Translation Framework) | Local privilege escalation | No |
Both vulnerabilities were disclosed publicly by the anonymous researcher without prior coordination with Microsoft — a full disclosure approach that puts Microsoft in the position of racing to develop and ship patches while the details are already public.
YellowKey: BitLocker Bypass
YellowKey targets BitLocker, Microsoft's full-disk encryption solution built into Windows. BitLocker is widely deployed by enterprises and government organizations as a critical data protection control — its entire value proposition rests on the assumption that encrypted drives cannot be accessed without the correct credentials or recovery key.
A successful BitLocker bypass would allow an attacker with physical access to a protected device — or in certain exploitation scenarios, remote access to a system during its boot or authentication phase — to access encrypted data without the decryption key. This undermines one of the core defenses against:
- Theft of laptops and workstations containing sensitive data
- Forensic circumvention by attackers seeking to extract credentials or confidential files
- Supply chain interception scenarios where devices are accessed in transit
The exact technical mechanism of the YellowKey bypass has been disclosed alongside a proof-of-concept. Microsoft has not yet issued an advisory or patch for this vulnerability.
GreenPlasma: CTFMON Privilege Escalation
GreenPlasma targets the Windows Collaborative Translation Framework Monitor (CTFMON), a system process responsible for managing input method editors (IMEs), handwriting recognition, speech recognition, and accessibility features in Windows.
CTFMON runs with elevated privileges and has historically been a target for privilege escalation research — its complex input handling and inter-process communication interfaces have been the subject of prior academic and security research.
The GreenPlasma exploit allows a local attacker (or malware already running on the system) to escalate privileges — gaining higher-level access than their account is authorized to hold. Combined with an initial access vector (such as a phishing email or web exploit), GreenPlasma would allow an attacker to move from a standard user context to SYSTEM or administrator level on the compromised machine.
This type of local privilege escalation (LPE) is a standard component of post-exploitation attack chains:
Initial access (low privilege)
→ GreenPlasma LPE exploit
→ SYSTEM-level access
→ Credential dumping (LSASS)
→ Lateral movement
→ Domain compromise
Context: Part of a Series From the Same Researcher
This disclosure follows the same anonymous researcher's earlier publication of three Microsoft Defender vulnerabilities. The pattern suggests a researcher with significant Windows internals knowledge who is choosing full disclosure — releasing technical details and proof-of-concept code publicly rather than through coordinated disclosure with Microsoft.
The motivations behind such disclosure approaches vary: frustration with slow vendor response times, philosophical commitment to public security research, or demonstration of research capability. Regardless of motivation, the result is the same: working exploit code is publicly available for vulnerabilities that do not yet have patches.
Why This Matters for Organizations
Unpatched zero-days with public PoC code represent a high-urgency threat:
- Threat actors monitor vulnerability disclosure channels and often weaponize public PoCs within hours
- Without a Microsoft patch, there are no automatic protections through Windows Update
- Organizations must rely on compensating controls until an official fix is available
| Risk Factor | Impact |
|---|---|
| Public PoC available | Exploitation by commodity threat actors is likely |
| No official patch | Windows Update provides no protection |
| BitLocker bypass | Physical theft scenarios become far more dangerous |
| CTFMON LPE | Elevates impact of any existing foothold on a system |
Compensating Controls
While Microsoft develops and releases official patches, organizations should implement the following mitigations:
For BitLocker (YellowKey)
- Enforce pre-boot authentication: Configure BitLocker with a PIN or startup key in addition to TPM, reducing the effectiveness of bypass techniques that rely on TPM-only configurations
- Enable BitLocker Network Unlock carefully: Ensure network unlock is restricted to trusted networks only
- Monitor BitLocker events: Alert on Event ID 24577 (BitLocker volume unlocked) from unexpected systems or at unexpected times
- Physical security: Reinforce physical access controls for sensitive devices — lock devices, track location of laptops, and use cable locks in shared environments
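The first mitigation above (TPM plus PIN or startup key) is easy to state but hard to verify fleet-wide. The following audit script is an added example, not code from the original article; it assumes the built-in BitLocker PowerShell module and an elevated session, and flags any volume whose only pre-boot protector is the TPM.

```powershell
# Added example (not from the original article): flag BitLocker volumes that
# rely on a TPM-only protector, i.e. no PIN or startup key at pre-boot, which is
# the configuration the article recommends moving away from.
# Assumes the BitLocker module (Windows 10/11, Server) and an elevated session.

# Protector types that pair the TPM with a second pre-boot factor.
$strongTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $assessment = if ($vol.ProtectionStatus -ne 'On') {
        'NOT PROTECTED'
    } elseif ($types | Where-Object { $strongTypes -contains $_ }) {
        'OK (TPM + PIN/startup key)'
    } elseif ($types -contains 'Tpm') {
        'WEAK (TPM only, no pre-boot authentication)'
    } else {
        'REVIEW (no TPM protector; data volume or password/external key)'
    }

    [pscustomobject]@{
        MountPoint  = $vol.MountPoint
        VolumeType  = $vol.VolumeType
        Protection  = $vol.ProtectionStatus
        Protectors  = ($types -join ', ')
        HasRecovery = ($types -contains 'RecoveryPassword')
        Assessment  = $assessment
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when any OS volume is TPM-only so the script can gate a compliance check.
$weakOs = $report | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and $_.Assessment -like 'WEAK*'
}
if ($weakOs) { exit 1 }
```

Volumes reported as WEAK can be remediated with Add-BitLockerKeyProtector -TpmAndPinProtector once the Group Policy that permits a startup PIN is in place.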
```powershell
# Check BitLocker status and protectors on all volumes
Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus, KeyProtector
```
For CTFMON (GreenPlasma)
- Restrict CTFMON if not required: In enterprise environments where handwriting, IME, and speech recognition are not used, CTFMON can be disabled:

```powershell
# Disable CTFMON autostart (evaluate impact before deploying widely)
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CTFMON.EXE" /f
```

- Deploy application control policies: Use Windows Defender Application Control (WDAC) or AppLocker to restrict which processes can interact with CTFMON
- Monitor for LPE indicators: Alert on unexpected privilege escalation events in Windows Security logs (Event ID 4672 — Special Privileges Assigned)
- Limit local user rights: Apply the principle of least privilege rigorously — reduce the impact of LPE by ensuring standard user accounts cannot perform sensitive operations even after escalation
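Event ID 4672 fires on every administrative logon, so alerting on it raw is noisy. This triage script is an added example, not code from the original article; it assumes an elevated session that can read the Security log, and the list of service SIDs it ignores is an assumption to tune per environment. It summarises which accounts received special privileges in the last day, so a standard user account that suddenly appears in the list stands out.

```powershell
# Added example (not from the original article): triage recent 4672 "Special
# privileges assigned to new logon" events, dropping accounts that legitimately
# receive them on every logon so an unexpected account stands out.
# Assumes an elevated session (reading the Security log requires it).

param(
    [int]$Hours = 24,
    # Assumption: LocalSystem, LocalService and NetworkService are expected noise.
    [string[]]$IgnoreSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')
)

$filter = @{
    LogName   = 'Security'
    Id        = 4672
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($IgnoreSids -contains $data['SubjectUserSid']) { continue }
    # Machine accounts (trailing $) are usually noise as well.
    if ($data['SubjectUserName'] -like '*$') { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId = $data['SubjectLogonId']
        Privs   = (($data['PrivilegeList'] -split '\s+') | Where-Object { $_ }) -join ','
    }
}

# Group by account: rarely seen accounts (low Count) deserve a closer look,
# and the LogonId can be correlated with the matching 4624 logon event.
$findings | Group-Object User | Sort-Object Count |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } },
        @{ n = 'Privs';    e = { ($_.Group.Privs | Select-Object -Unique) -join ' | ' } } |
    Format-Table -AutoSize -Wrap
```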
General
- Monitor Microsoft Security Response Center (MSRC) for patch releases
- Subscribe to CISA KEV alerts — if these vulnerabilities are added to the Known Exploited Vulnerabilities catalog, federal agencies will have mandatory remediation deadlines
- Deploy EDR with behavioral detection to identify exploitation attempts even without signature-based coverage
- Enable Microsoft Defender Attack Surface Reduction (ASR) rules to reduce the blast radius of exploitation
What to Watch For
Organizations should monitor for a Microsoft security advisory and out-of-band patch release. Given the public availability of PoC code, Microsoft will likely prioritize these vulnerabilities for rapid patching — potentially through an emergency out-of-band release rather than waiting for the next Patch Tuesday cycle.
Watch the following channels:
- Microsoft Security Response Center
- CISA Known Exploited Vulnerabilities
- Security vendor threat intelligence feeds