Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AsyncRAT Campaign Exploits Cloudflare Tunnels and Python for Malware Delivery
July 2, 2026
New Microsoft 365 Phishing Uses OAuth Device Code Flow to Steal Tokens
July 2, 2026
Critical Claude Cowork Sandbox Vulnerability Lets Attackers Run Commands as Root
July 2, 2026
Home/CyberSecurity News/Critical BitLocker Flaw Lets Attackers Access Encrypted Windows Drives
CyberSecurity News

Critical BitLocker Flaw Lets Attackers Access Encrypted Windows Drives

Key Takeaways Two unpatched zero-day vulnerabilities, “YellowKey” and “GreenPlasma,” have been publicly disclosed, impacting Microsoft Windows. YellowKey allows a complete...

Marcus Rodriguez
Marcus Rodriguez
May 14, 2026 3 Min Read
43 0

Key Takeaways

  • Two unpatched zero-day vulnerabilities, “YellowKey” and “GreenPlasma,” have been publicly disclosed, impacting Microsoft Windows.
  • YellowKey allows a complete bypass of BitLocker encryption on specific Windows versions, enabling unauthorized access to encrypted drives.
  • GreenPlasma is a local privilege escalation flaw that could allow attackers to execute arbitrary commands with elevated privileges.
  • The exploits were released by a frustrated researcher following Microsoft’s Patch Tuesday, reportedly due to dissatisfaction with previous vulnerability handling.
  • No official patch is available from Microsoft, leaving millions of enterprise and government devices vulnerable.

Two critical, unpatched zero-day vulnerabilities affecting Microsoft’s Windows ecosystem have been publicly disclosed, posing a significant threat to encrypted data and system integrity. These exploits, dubbed “YellowKey” and “GreenPlasma,” bypass BitLocker encryption and enable privilege escalation, respectively.

Table Of Content

  • Key Takeaways
  • YellowKey BitLocker Bypass
  • GreenPlasma Privilege Escalation
  • What You Should Do

The disclosures come from a researcher who, following Microsoft’s recent Patch Tuesday, escalated an ongoing dispute by releasing the severe exploits. The researcher expressed profound dissatisfaction with how Microsoft handled prior vulnerability disclosures, releasing the code as a direct act of retaliation and threatening further disruptions.

Millions of enterprise and government devices are now vulnerable due to this unexpected release. The researcher also controversially claims these vulnerabilities are “intentionally placed backdoors,” even attributing them to internal Microsoft threat groups like MSTIC and GHOST in an unusual public statement.

YellowKey BitLocker Bypass

YellowKey represents a critical bypass that allows threat actors with physical access to completely circumvent BitLocker full-disk encryption in a matter of minutes. This vulnerability is rooted in the Windows Recovery Environment (WinRE) and specifically affects Windows 11, Windows Server 2022, and Windows Server 2025.

Windows 10 installations remain unaffected due to fundamental differences in its recovery architecture. To execute the exploit, attackers only need to copy a specially named FsTx folder onto a compatible USB stick and insert it into the target machine.

Alternatively, attackers can physically remove the target drive, copy the exploit files directly into the EFI partition, and then remount the drive to achieve the same bypass. By rebooting the system into the recovery agent using specific key combinations, the exploit leverages WinRE components to spawn a shell, granting unrestricted access to the protected volume.

GreenPlasma Privilege Escalation

In addition to the BitLocker bypass, the researcher also released partial proof-of-concept code for GreenPlasma, a severe local privilege escalation vulnerability. This flaw specifically exploits the Windows CTFMON service through the arbitrary creation of memory sections.

An attacker operating with unprivileged access can create these memory-section objects within directory structures typically writable only by the administrative SYSTEM account. This manipulation allows malicious actors to coerce trusted Windows services and kernel-mode drivers into executing unauthorized commands.

While the publicly available code currently triggers a User Account Control prompt and would require further development for a completely silent attack, it nonetheless presents a substantial challenge for security defenders. If fully chained with initial access vectors, GreenPlasma could provide persistent, full access to the core of the operating system.

What You Should Do

  • Implement Strong BitLocker PINs and BIOS Passwords: While the public PoC doesn’t yet bypass TPM and PINs, a custom BitLocker PIN combined with a robust BIOS password can add layers of defense against YellowKey.
  • Restrict Physical Access: Maintain strict physical security controls over all affected Windows 11 and Server 2022/2025 endpoints to prevent attackers from inserting USB devices or directly manipulating drives.
  • Monitor WinRE Modifications: Actively monitor and restrict unauthorized modifications to the Windows Recovery Environment (WinRE) until official patches are released.
  • Stay Informed: Monitor official Microsoft channels for security advisories and patches related to these vulnerabilities.
  • Review Least Privilege Principles: Ensure that all users and applications operate with the absolute minimum necessary privileges to mitigate the impact of privilege escalation vulnerabilities like GreenPlasma.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerPatchSecurityThreatVulnerabilityzero-day

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

SOCs and MSSPs Combat Phishing Attacks Email Filters Miss

Next Post

Gentlemen RaaS Exploits Fortinet, Cisco Edge Devices for Initial Access

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
DHS Confirms Breach of HSIN Information Sharing Network
July 2, 2026
ChatGPT Flaw Exposes User Files, Poses System Access Risk
July 2, 2026
Critical Oracle E-Business Suite CVE-2024-21094 exploited, exposing 900+ instances
July 2, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us