YellowKey and GreenPlasma: Two Windows Zero-Days Hit BitLocker

Security researchers have publicly disclosed two unpatched Windows zero-day vulnerabilities, named YellowKey and GreenPlasma, that target BitLocker encryption and the CTFMON input framework, respectively. Proof-of-concept exploit code has already been released, meaning the Windows BitLocker zero-day vulnerability is not just theoretical. For the millions of users and organizations relying on BitLocker as a cornerstone of their data protection strategy, this disclosure is a serious wake-up call.

What YellowKey and GreenPlasma Actually Do

YellowKey is the more immediately alarming of the two. It targets BitLocker, the full-disk encryption feature built into Windows 10 and 11 as well as Windows Server 2022 and 2025. By exploiting a weakness in the Windows Recovery Environment, the vulnerability allows an attacker with physical access to a machine to bypass default BitLocker protections and gain access to the contents of an encrypted drive. In practical terms, a stolen laptop that was previously considered secure behind BitLocker encryption could have its data read without the correct PIN or password.

GreenPlasma targets CTFMON, a Windows background process that manages text input, handwriting recognition, and language settings. This vulnerability enables local privilege escalation, meaning an attacker who has already gained a foothold on a system can elevate their permissions to a higher level, potentially achieving administrator or SYSTEM-level access. The two vulnerabilities together represent a dangerous combination: one breaks the wall protecting your data at rest, while the other enables deeper system compromise once an attacker is inside.

At the time of writing, Microsoft has not issued patches for either vulnerability. Proof-of-concept code is publicly available, which significantly lowers the barrier for exploitation by less sophisticated threat actors.

Who Is at Risk and What Data Is Exposed

Anyone running a Windows 11 system or Windows Server 2022 or 2025 with BitLocker enabled is potentially affected by YellowKey. The physical access requirement does limit the attack surface compared to a fully remote exploit, but that qualifier should not provide much comfort. Laptops used by employees in hybrid work environments, devices stored in shared office spaces, and machines seized or inspected at border crossings are all realistic threat scenarios.

For GreenPlasma, the risk profile is broader in some ways. Local privilege escalation vulnerabilities are frequently chained with other attack techniques. A phishing email that delivers a low-privilege initial payload, for example, could be followed by a GreenPlasma exploit to gain full system control. Corporate environments, government agencies, and individuals who handle sensitive files are all in the crosshairs.

The data exposed ranges from personal documents and financial records to corporate intellectual property and credentials stored on disk. Organizations operating under compliance frameworks such as HIPAA, GDPR, or CMMC will need to assess whether these vulnerabilities affect their regulatory obligations.

Why BitLocker Users Cannot Rely on Disk Encryption Alone

The YellowKey disclosure illustrates a fundamental limitation that privacy-conscious users often overlook: encryption protects data only as long as the encryption mechanism itself remains uncompromised. BitLocker was designed to protect against offline attacks, primarily scenarios where a drive is removed and read on another machine. It was not designed to be an impenetrable fortress against a sophisticated attacker armed with a zero-day exploit targeting the very process that manages drive unlocking.

This is the core argument for defense-in-depth. Relying on a single security control, no matter how trusted, creates a single point of failure. When that control is bypassed, there is nothing left standing between an attacker and your data. The same logic applies to network-layer threats: encrypting traffic in transit through a VPN does not protect you if your endpoint has already been compromised, and securing your endpoint does not protect data flowing unencrypted over an untrusted network.

The emergence of these two vulnerabilities also serves as a reminder that threat actors do not always need sophisticated infrastructure to cause serious harm. As documented in campaigns like the fake government sites targeting citizens worldwide, social engineering and commodity tools are frequently combined with publicly available exploits to devastating effect. A public PoC for a BitLocker bypass lowers the skill floor considerably.

Defense-in-Depth Steps: Patching, VPNs, and Layered Security

Until Microsoft releases official patches, users and administrators should take the following steps.

Monitor for Microsoft security updates. Keep Windows Update enabled and check for out-of-band patches, especially given the public availability of PoC code. When patches arrive, prioritize deployment.

Enable BitLocker with a PIN. The default TPM-only BitLocker configuration is more susceptible to this class of attack. Configuring BitLocker to require a pre-boot PIN adds a layer of friction that raises the bar for physical attackers.
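The following PowerShell script is an added example for the step above; it is not code from the original article or from Microsoft. It reports which key protectors guard each BitLocker volume, flags volumes that rely on a bare TPM protector, checks whether Group Policy permits a pre-boot PIN, and offers a function that adds a TPM+PIN protector to the OS volume. It assumes an elevated session on a Windows build that ships the BitLocker PowerShell module, and it reads the FVE policy registry values (UseAdvancedStartup, UseTPMPIN) as I understand them: 0 = do not allow, 1 = require, 2 = allow.

```powershell
# Added example (not from the original article): audit BitLocker key protectors,
# flag TPM-only volumes, and optionally upgrade the OS volume to TPM+PIN.
# Assumptions (mine): elevated session, BitLocker module available, and Group
# Policy permitting TPM+PIN startup authentication before the PIN is added.

#Requires -RunAsAdministrator

function Get-BitLockerProtectorReport {
    # One row per volume: protection state and the set of protector types present
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            # TPM-only: a bare 'Tpm' protector with no PIN-based TPM protector alongside it
            TpmOnly          = ($types -contains 'Tpm') -and
                               -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Test-TpmPinPolicyAllowed {
    # The pre-boot PIN option is governed by the FVE policy keys (assumed values:
    # 1 = require, 2 = allow, 0 = do not allow). A missing key means the policy
    # was never set, so treat it as "not allowed" rather than guessing.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { return $false }
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    return ($p.UseAdvancedStartup -eq 1) -and ($p.UseTPMPIN -in 1, 2)
}

function Add-BitLockerStartupPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    if (-not (Test-TpmPinPolicyAllowed)) {
        throw "Group Policy does not allow TPM+PIN startup authentication; set the FVE policy first."
    }
    # BitLocker keeps one TPM-based protector per volume, so the TpmAndPin
    # protector takes the place of the bare Tpm protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Get-BitLockerProtectorReport | Where-Object MountPoint -eq $MountPoint
}

# Usage: report first, warn on TPM-only volumes, then enforce a PIN interactively.
$report = Get-BitLockerProtectorReport
$report | Format-Table -AutoSize
$report | Where-Object TpmOnly | ForEach-Object {
    Write-Warning "$($_.MountPoint) is protected by TPM only; consider requiring a pre-boot PIN."
}
# Prompt for the PIN instead of embedding it in the script:
# Add-BitLockerStartupPin -Pin (Read-Host -AsSecureString -Prompt 'New BitLocker PIN')
```

Run the report across a fleet before changing anything: a volume with no RecoveryPassword protector should get one escrowed (for example to Active Directory or Intune) before a PIN is enforced, or a forgotten PIN becomes a data-loss event rather than a security win.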

Restrict physical access. For high-value machines, physical security controls matter. Locked server rooms, cable locks for laptops, and clear policies about unattended devices all reduce the attack surface for YellowKey.

Layer your security controls. Disk encryption is one layer, not a complete strategy. Combine it with endpoint detection and response tools, network-level encryption for data in transit, strong authentication, and network segmentation. A VPN ensures that even if an attacker pivots from a compromised endpoint, outbound data is not exposed in cleartext on the network.

Audit privileged accounts. Given the GreenPlasma privilege escalation risk, review which accounts have local administrator rights on endpoints. Reducing unnecessary privileges limits the blast radius if an exploit is used.
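As an added example for the account audit above (my code, not the article's or Microsoft's), this PowerShell script enumerates the local Administrators group, marks the built-in Administrator by its well-known RID, and flags every other member that is not on an explicit allow-list. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows PowerShell 5.1 on a domain-joined or standalone endpoint); the allow-list entries and the removal target are constructed placeholders.

```powershell
# Added example (not from the original article): audit local Administrators
# membership on this endpoint and surface entries that warrant review.
# Assumptions (mine): elevated session, LocalAccounts module present.

#Requires -RunAsAdministrator

function Get-LocalAdminAudit {
    param(
        # Constructed placeholder: replace with the principals you intentionally grant admin
        [string[]]$Expected = @('CONTOSO\Workstation Admins')
    )
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        # The built-in Administrator account always has RID 500 in the machine domain
        $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass      # User or Group
            PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            SID             = $m.SID.Value
            BuiltIn         = $isBuiltIn
            Unexpected      = (-not $isBuiltIn) -and ($Expected -notcontains $m.Name)
        }
    }
}

function Get-LocalAdminFindings {
    param([string[]]$Expected = @('CONTOSO\Workstation Admins'))
    # Only the rows a reviewer needs to act on: anything not built-in and not allow-listed
    Get-LocalAdminAudit -Expected $Expected | Where-Object Unexpected
}

# Usage: full listing for the record, then the findings to act on.
$audit = Get-LocalAdminAudit
$audit | Format-Table -AutoSize
$findings = @(Get-LocalAdminFindings)
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) unexpected local Administrators member(s) on $env:COMPUTERNAME"
    $findings | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
    # Remove a confirmed entry (constructed placeholder account shown, left commented out):
    # Remove-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\jdoe'
}
```

Individual user accounts listed with ObjectClass "User" and PrincipalSource "Local" are the usual culprits: a leftover setup account or a user added "temporarily" is exactly the foothold a local privilege escalation bug turns into full control. Export the audit to CSV from each endpoint and diff it over time so new additions stand out.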

What This Means For You

The YellowKey and GreenPlasma disclosures are a concrete reminder that no single security tool provides complete protection. If your entire data security strategy rests on BitLocker, now is the time to audit the broader stack. Consider what happens if BitLocker is bypassed: is there another layer protecting your most sensitive files? Is your network traffic encrypted independently of your disk? Are your credentials and recovery keys stored securely?

Proactive steps matter more before an incident than after one. Review your current security controls, apply available mitigations, and treat these disclosures as an opportunity to strengthen the layers that BitLocker alone cannot cover.