New Windows BitLocker zero-day exposes encrypted drives, PoC out

Summary
– A cybersecurity researcher released proof-of-concept exploits for two unpatched Windows vulnerabilities: YellowKey (a BitLocker bypass) and GreenPlasma (a privilege-escalation flaw).
– The exploits demonstrate how attackers could bypass BitLocker encryption or escalate system privileges on affected Windows systems.
– No official patches from Microsoft have been released for either vulnerability at the time of publication.
– The researcher disclosed the flaws publicly to pressure Microsoft into addressing the security issues.
– System administrators are advised to monitor for updates and apply mitigations until patches are available.

A security researcher has released proof-of-concept (PoC) exploits for two unpatched Windows vulnerabilities, dubbed YellowKey and GreenPlasma, that together can bypass BitLocker encryption and escalate system privileges. The disclosure exposes a serious risk for users relying on Microsoft’s full-disk encryption to protect sensitive data.
The YellowKey flaw is a BitLocker bypass that allows an attacker with physical access to a locked device to decrypt the drive and access all stored files without the proper credentials. The GreenPlasma vulnerability is a privilege-escalation bug that enables an attacker to gain SYSTEM-level access after the initial bypass, giving them full control over the compromised machine.
The researcher behind the proof-of-concept code has published working exploit scripts online, raising the urgency for organizations to assess their exposure. While Microsoft has not yet issued a patch, the company is reportedly aware of the issues and investigating mitigations. Until an official fix arrives, security teams must consider alternative protections, such as enabling TPM-based authentication with additional PIN requirements, restricting physical access to devices, and monitoring for unusual boot-time activity.
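One way to check the first of those mitigations across a Windows fleet, as an added PowerShell audit script that is not from the article and not Microsoft's own code: it lists each BitLocker volume's key protectors, flags operating-system volumes that rely on the TPM alone without a PIN, and reads the local "Require additional authentication at startup" policy value. It assumes the BitLocker PowerShell module is installed and that the session is elevated.

```powershell
# Added audit script (assumption: BitLocker module present, elevated session).
# TPM-only protection is what a boot-time bypass targets; a TPM+PIN protector
# (KeyProtectorType TpmPin or TpmPinStartupKey) requires a secret the TPM alone
# cannot release.

function Get-BitLockerPinAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus    # On or Off
            Protectors       = ($types -join ', ')
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasPin
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Get-BitLockerStartupPolicy {
    # UseTPMPIN under the FVE policy key: 0 = do not allow, 1 = require, 2 = allow.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($null -eq $fve -or $null -eq $fve.UseTPMPIN) { return 'not configured' }
    switch ($fve.UseTPMPIN) { 0 { 'PIN not allowed' } 1 { 'PIN required' } 2 { 'PIN allowed' } default { "unknown ($($fve.UseTPMPIN))" } }
}

$audit = Get-BitLockerPinAudit
$audit | Format-Table -AutoSize
Write-Host "Startup PIN policy: $(Get-BitLockerStartupPolicy)"

# Flag OS volumes protected by the TPM alone. Remediation is left commented out:
# policy must allow a PIN first, and the recovery password should be backed up
# before any protector is changed.
foreach ($v in $audit | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnly }) {
    Write-Warning "$($v.MountPoint) is protected by TPM only; add a startup PIN."
    if (-not $v.HasRecoveryKey) { Write-Warning "$($v.MountPoint) has no recovery password protector." }
    # $pin = Read-Host -AsSecureString 'Enter startup PIN'
    # Add-BitLockerKeyProtector -MountPoint $v.MountPoint -TpmAndPinProtector -Pin $pin
}
```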
These vulnerabilities underscore a persistent challenge: even trusted security features like BitLocker can be undermined by low-level flaws in the Windows boot process. For now, the only reliable defense is to assume that encrypted drives are not fully secure until Microsoft deploys a comprehensive update.
(Source: BleepingComputer)