On May 14, 2026, the Windows security ecosystem was thrown into chaos. Following a dispute with Microsoft over bug disclosures, a researcher released two devastating zero-day exploits: YellowKey and GreenPlasma.
These aren’t just theoretical risks. The release includes functional code that can bypass BitLocker full-disk encryption and escalate user privileges to the highest level. Because these flaws are currently unpatched, millions of enterprise and government devices running Windows 11 and Windows Server are at immediate risk of physical data theft.
YellowKey: The BitLocker Bypass
The most alarming of the two, YellowKey, targets the Windows Recovery Environment (WinRE). It allows an attacker with physical access to bypass encryption and access a locked drive in just minutes.
- How it Works: The exploit leverages a vulnerability in how WinRE handles specific folder structures. An attacker simply copies a folder named FsTx to a USB drive or the system’s EFI partition.
- The Result: Upon rebooting into recovery mode, the system spawns a command shell with unrestricted access to the supposedly “protected” files.
- Affected Systems: Windows 11, Windows Server 2022, and Windows Server 2025. (Windows 10 is currently unaffected).
GreenPlasma: Escalating to “SYSTEM” Power
While YellowKey breaks the lock on the door, GreenPlasma hands the attacker the keys to the entire house. This local privilege escalation (LPE) flaw targets the Windows CTFMON service.
By creating unauthorized memory sections in restricted directories, an unprivileged user can trick the operating system into executing commands with SYSTEM-level authority. When combined with other attacks, this allows for total, persistent control over the OS kernel and all installed drivers.
Vulnerability Summary Table
| Threat Component | Vulnerability Type | Affected Systems | Key Artifacts |
|---|---|---|---|
| YellowKey | Encryption Bypass | Win 11, Server 22/25 | \FsTx directory |
| GreenPlasma | Privilege Escalation | Win 11, Server 22/25 | CTFMON memory sections |
Immediate Defensive Mitigations
Microsoft has not yet released a patch for these zero-days. Until an official fix is available, security experts recommend the following “hardening” steps to reduce the success rate of the current public exploits:
- Require a BitLocker PIN: While the researcher claims the vulnerability can bypass PINs, the current public version of the exploit is significantly hindered if a pre-boot PIN is required.
- Set a BIOS/UEFI Password: Prevent unauthorized users from changing the boot order or accessing the USB ports during the startup phase.
- Physical Security: Since YellowKey requires physical access or a reboot into WinRE, restrict physical access to sensitive hardware and monitor for unauthorized USB insertions.
- Monitor WinRE: Use endpoint security tools to alert on any modifications to the Windows Recovery Environment or the EFI partition.
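The following audit script is an added example, not code from the article or from the researcher; it checks the first and last mitigations above on a single host. It assumes an elevated PowerShell session on Windows 11 / Server 2022 / Server 2025 with the built-in BitLocker module, and that drive letter S: is free to mount the EFI system partition.

```powershell
# Added example (not from the original article): audit two of the listed
# mitigations on the local machine. Assumes an elevated session; the S:
# drive letter for the EFI partition is an arbitrary choice, and "FsTx" is
# the artifact folder name the article associates with YellowKey.
#Requires -RunAsAdministrator

$findings = @()

# 1. "Require a BitLocker PIN": flag OS volumes that are unprotected or that
#    rely on a TPM-only protector with no pre-boot PIN.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "$($vol.MountPoint) BitLocker protection is not On"
    } elseif ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
        $findings += "$($vol.MountPoint) has no pre-boot PIN protector (found: $($types -join ', '))"
    }
}

# 2. "Monitor WinRE": report whether WinRE is enabled, then look for the FsTx
#    folder at the root of the EFI system partition.
$reagent = (reagentc /info) -join "`n"
if ($reagent -match 'Windows RE status:\s+Enabled') {
    $findings += "WinRE is enabled; confirm EFI/WinRE integrity monitoring is in place"
}

$efi = 'S:'
mountvol $efi /S | Out-Null          # mount the EFI system partition (needs admin)
try {
    if (Test-Path (Join-Path $efi 'FsTx')) {
        $findings += "EFI partition contains an FsTx folder; investigate before next reboot"
    }
} finally {
    mountvol $efi /D | Out-Null      # always dismount again
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it from an elevated prompt; a non-empty list of findings means at least one of the article's hardening steps is not in place on that host.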
Conclusion: The Danger of the “Backdoor” Claim
The researcher behind the leak has made the explosive claim that these flaws are “intentionally placed backdoors.” While this remains unverified, the reality is that the code is now public and usable by threat actors globally. Organizations must treat physical device security as a tier-one priority until Microsoft issues an official resolution.