A new set of Windows zero-days called YellowKey and GreenPlasma has been publicly disclosed by the same researcher behind BlueHammer and RedSun.

YellowKey is a BitLocker bypass affecting:

  • Windows 11
  • Windows Server 2022
  • Windows Server 2025

The exploit abuses Windows Recovery Environment (WinRE) behavior to access BitLocker-protected drives without credentials on systems using TPM-only protection.

Researchers say the exploit can spawn a command shell with the encrypted drive already unlocked, effectively bypassing BitLocker security protections.

A second exploit called GreenPlasma was also disclosed. This is a local privilege escalation vulnerability that may allow attackers to obtain SYSTEM privileges through arbitrary section creation inside writable SYSTEM directories.

Public PoCs for both vulnerabilities are already available, and independent researchers confirmed the YellowKey exploit works.

The researcher claims Microsoft ignored previous reports and says more exploit releases are planned.

Recommended mitigations for now:

  • use BitLocker with TPM + PIN instead of TPM-only
  • set a BIOS/UEFI password
  • restrict physical access to systems
  • monitor for suspicious WinRE usage
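
Added example (not from the original post or the PoC repositories): a read-only PowerShell audit that lists each BitLocker volume's key protectors and flags volumes that rely on a TPM-only protector, the configuration the mitigations above say to move to TPM + PIN. It assumes the built-in BitLocker module (Windows 11 / Server 2022 and later) and an elevated session; the function name is my own.

```powershell
# Audit helper (constructed for this note): report BitLocker volumes whose only
# TPM-based protector is plain 'Tpm', i.e. no PIN or startup key is required
# at pre-boot. It changes nothing; remediation is shown as a hint only.
#Requires -RunAsAdministrator

function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # TPM variants that add a second pre-boot factor (PIN and/or startup key).
        $secondFactor = $types | Where-Object {
            $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
        }
        $tpmOnly = ($types -contains 'Tpm') -and (-not $secondFactor)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = [bool]$tpmOnly
        }
    }
}

$report = Get-TpmOnlyBitLockerVolumes
$report | Format-Table -AutoSize

$exposed = @($report | Where-Object TpmOnly)
if ($exposed.Count -gt 0) {
    Write-Warning ("{0} volume(s) use a TPM-only protector: {1}" -f `
        $exposed.Count, ($exposed.MountPoint -join ', '))
    # Adding a TPM+PIN protector requires the "Require additional authentication
    # at startup" policy to allow a PIN; the old TPM-only protector is removed
    # afterwards by its KeyProtectorId. Shown as a hint, not executed here.
    Write-Host 'Remediation outline for each flagged volume (run deliberately):'
    Write-Host '  Add-BitLockerKeyProtector -MountPoint <drive> -TpmAndPinProtector -Pin (Read-Host -AsSecureString "PIN")'
    Write-Host '  Remove-BitLockerKeyProtector -MountPoint <drive> -KeyProtectorId <id of the plain Tpm protector>'
}
```

Run it on a fleet through your usual remote-execution tooling and collect the `TpmOnly` column to size the migration to TPM + PIN.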

YellowKey PoC: https://github.com/Nightmare-Eclipse/YellowKey
GreenPlasma PoC: https://github.com/Nightmare-Eclipse/GreenPlasma
Coverage: https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/