Critical Windows BitLocker Zero-Days Exposed in Researcher Retaliation
A disgruntled security researcher has publicly released two unpatched Windows zero-day vulnerabilities, YellowKey and GreenPlasma, following a dispute with Microsoft over disclosure handling. The exploits, disclosed shortly after Microsoft's recent Patch Tuesday, pose severe risks to enterprise and government systems running Windows 11, Server 2022, and Server 2025.
YellowKey: Full BitLocker Encryption Bypass
The more critical flaw, YellowKey, allows attackers with physical access to bypass BitLocker full-disk encryption in minutes. The exploit targets the Windows Recovery Environment (WinRE), requiring only a malicious USB drive or direct manipulation of the EFI partition on the target system. By rebooting into WinRE with specific key combinations, attackers gain unrestricted access to encrypted volumes. Windows 10 remains unaffected due to architectural differences.
GreenPlasma: Local Privilege Escalation
The second exploit, GreenPlasma, enables local privilege escalation by exploiting the Windows CTFMON service through arbitrary memory section creation. While the current proof-of-concept triggers a User Account Control (UAC) prompt, further weaponization could allow attackers to execute unauthorized commands with SYSTEM-level privileges, potentially leading to persistent OS compromise.
Researcher Claims and Microsoft Response
The researcher, who has previously clashed with Microsoft, alleges the vulnerabilities are intentional backdoors, publicly naming internal Microsoft threat groups (MSTIC and GHOST) in an unusual move. Microsoft has yet to release official patches, though security experts recommend custom BitLocker PINs and BIOS passwords as temporary mitigations. While the public proof-of-concept does not bypass TPM or PIN protections, organizations are advised to restrict physical access and monitor WinRE modifications until fixes are issued.
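The interim mitigations above (a pre-boot PIN on BitLocker and watching the recovery environment) can be verified from an elevated PowerShell session. The following audit script is an added example, not code from the article or from Microsoft; it assumes Windows 11 or Server with the built-in BitLocker module, and treats an OS volume without a TPM+PIN protector as a finding.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the article): for every BitLocker volume, report the
# protector types present and whether one of them requires a PIN at boot; then report
# whether WinRE is enabled and where it lives, using the output of reagentc /info.

function Get-BitLockerPinAudit {
    # Protector types that include a pre-boot PIN
    $pinTypes = @('TpmPin', 'TpmPinStartupKey')
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus    # On / Off
            Protectors       = ($types -join ',')
            HasPin           = [bool]($types | Where-Object { $pinTypes -contains $_ })
        }
    }
}

function Get-WinReStatus {
    # reagentc /info prints lines such as "Windows RE status: Enabled" and
    # "Windows RE location: \\?\GLOBALROOT\device\harddiskN\partitionM\Recovery\WindowsRE"
    $out = & reagentc.exe /info 2>&1 | Out-String
    [pscustomobject]@{
        Enabled  = ($out -match 'Windows RE status:\s*Enabled')
        Location = if ($out -match 'Windows RE location:\s*(\S+)') { $Matches[1] } else { $null }
    }
}

$audit = Get-BitLockerPinAudit
$audit | Format-Table -AutoSize

# Finding: an OS volume protected only by TPM (no PIN) is what the article's mitigation addresses
$missing = $audit | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and -not $_.HasPin }
if ($missing) {
    Write-Warning ("OS volume(s) without a TPM+PIN protector: " + ($missing.MountPoint -join ', '))
    Write-Host "Add one with: Add-BitLockerKeyProtector -MountPoint <drive> -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')"
}

# Record the WinRE state so later runs can be diffed for unexpected changes
Get-WinReStatus | Format-List
```

Adding a TPM+PIN protector fails unless the BitLocker policy "Require additional authentication at startup" permits a PIN, so set that policy first; a BIOS/UEFI password cannot be verified from within Windows and must be checked in firmware setup or via the vendor's management tooling.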
Source: https://cybersecuritynews.com/windows-bitlocker-0-day-vulnerability/
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center
"id": "mic1778732772",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Enterprise and government systems',
'industry': 'Software',
'location': 'Global',
'name': 'Microsoft',
'size': 'Large enterprise',
'type': 'Technology company'}],
'attack_vector': ['Physical access', 'Malicious USB drive', 'EFI partition manipulation', 'Local exploitation'],
'data_breach': {'data_encryption': 'BitLocker encryption bypassed (YellowKey)'},
'description': 'A disgruntled security researcher publicly released two unpatched Windows zero-day vulnerabilities (YellowKey and GreenPlasma) following a dispute with Microsoft over disclosure handling. The exploits pose severe risks to enterprise and government systems running Windows 11, Server 2022, and Server 2025. YellowKey allows attackers with physical access to bypass BitLocker full-disk encryption, while GreenPlasma enables local privilege escalation via the Windows CTFMON service.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to Microsoft due to alleged backdoors and unpatched vulnerabilities',
'operational_impact': 'Potential unauthorized access to encrypted volumes and SYSTEM-level privilege escalation',
'systems_affected': ['Windows 11', 'Windows Server 2022', 'Windows Server 2025']},
'motivation': 'Dispute over disclosure handling with Microsoft',
'post_incident_analysis': {'root_causes': 'Dispute over vulnerability disclosure handling between researcher and Microsoft'},
'recommendations': ['Apply custom BitLocker PINs and BIOS passwords as temporary mitigations', 'Restrict physical access to systems', 'Monitor WinRE modifications until official patches are released'],
'references': [{'source': 'Incident description'}],
'response': {'containment_measures': ['Restrict physical access', 'Monitor WinRE modifications'],
'remediation_measures': ['Custom BitLocker PINs', 'BIOS passwords']},
'threat_actor': 'Disgruntled security researcher',
'title': 'Critical Windows BitLocker Zero-Days Exposed in Researcher Retaliation',
'type': ['Zero-day vulnerability', 'Privilege escalation', 'Encryption bypass'],
'vulnerability_exploited': ['YellowKey (BitLocker bypass)', 'GreenPlasma (Local privilege escalation)']}