
Windows BitLocker 0-Day Lets Hackers Access Encrypted Drives

Originally published on: May 17, 2026
Summary

– A researcher released two unpatched Windows BitLocker zero-day exploits, YellowKey and GreenPlasma, after a dispute with Microsoft over prior vulnerability disclosures.
– YellowKey is a critical exploit that bypasses BitLocker encryption on Windows 11, Server 2022, and Server 2025 via the Windows Recovery Environment, allowing full drive access.
– GreenPlasma is a privilege escalation vulnerability exploiting the CTFMON service to let unprivileged attackers execute unauthorized commands via memory manipulation.
– The researcher claims these are intentional backdoors and credited internal Microsoft threat groups like MSTIC, escalating the conflict publicly.
– Microsoft has not issued a patch; recommended mitigations include a custom BitLocker PIN and BIOS password, while monitoring physical access to devices.

Two newly disclosed, unpatched Windows BitLocker zero-day vulnerabilities are posing a serious threat to Microsoft’s security ecosystem. The exploits, referred to as YellowKey and GreenPlasma, include a full encryption bypass and a privilege escalation flaw, respectively.

The most dangerous of the pair, YellowKey, allows attackers to completely circumvent BitLocker encryption and gain unrestricted access to locked system drives. This disclosure came shortly after Microsoft’s latest Patch Tuesday, when a frustrated researcher released the code in an escalating dispute over the company’s handling of prior vulnerability reports.

The researcher expressed deep dissatisfaction with Microsoft’s response to earlier disclosures, threatening further disruption and releasing the exploit code as a direct act of retaliation. This unexpected move leaves millions of enterprise and government devices exposed to attack. In a highly unusual public display, the researcher also claimed these vulnerabilities are intentional backdoors, even crediting internal Microsoft threat groups like MSTIC and GHOST.

YellowKey BitLocker Bypass

YellowKey is a critical exploit that enables threat actors with physical access to bypass BitLocker full-disk encryption in a matter of minutes. The vulnerability resides within the Windows Recovery Environment (WinRE) and exclusively impacts Windows 11, Windows Server 2022, and Windows Server 2025. Windows 10 remains unaffected due to structural differences in its recovery architecture.

Attackers only need to copy a specifically named FsTx folder onto a compatible USB stick and plug it into the target machine. Alternatively, they can physically extract the target drive, copy the exploit files directly into the EFI partition, and remount the drive to achieve the same result. By rebooting the system into the recovery agent using specific key combinations, the exploit leverages WinRE components to spawn a shell with unrestricted access to the protected volume.

GreenPlasma Privilege Escalation

Alongside the encryption bypass, the researcher released partial proof-of-concept code for GreenPlasma, a severe local privilege escalation vulnerability. This flaw exploits the Windows CTFMON service through arbitrary memory section creation. An unprivileged attacker can create these memory-section objects within directory structures that are normally writable only by the SYSTEM account. This allows malicious actors to manipulate trusted Windows services and kernel-mode drivers into executing unauthorized commands.

While the current public code triggers a User Account Control prompt and requires additional weaponization to achieve a completely silent attack, it poses a substantial challenge for security defenders. If fully chained with initial access vectors, it could allow persistent, full access to the core of the operating system.

Microsoft has not yet issued an official patch for these freshly dropped zero-day exploits. Independent security researchers analyzing the YellowKey threat strongly recommend implementing a custom BitLocker PIN and a robust BIOS password as immediate defensive mitigations. While the researcher known as Nightmare-Eclipse claims the core vulnerability bypasses TPM and PIN configurations, the public proof-of-concept currently lacks that execution capability.

Security teams should actively monitor physical access to hardware endpoints and restrict unauthorized WinRE modifications until Microsoft officially resolves the situation.
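As an added example (not code from the article, the researcher, or Microsoft), the following PowerShell audit checks the mitigations recommended above on the local machine: whether the OS volume relies on a TPM-only protector with no startup PIN, whether WinRE is enabled, and whether policy permits enrolling a PIN. The function name, report fields and the optional `-AddPin` switch are this example's own; it assumes the built-in BitLocker module and reagentc.exe, run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added audit example: report BitLocker startup-authentication posture and WinRE
# state for the OS volume. Read-only unless -AddPin is passed.

function Get-BitLockerStartupAuditReport {
    [CmdletBinding()]
    param([switch]$AddPin)   # -AddPin interactively enrols a TPM+PIN protector

    $osDrive = $env:SystemDrive                      # normally "C:"
    $vol     = Get-BitLockerVolume -MountPoint $osDrive
    $types   = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # A TpmPin / TpmPinStartupKey protector is the "custom BitLocker PIN"
    # mitigation; a bare Tpm protector unlocks with no user secret at boot.
    $hasPin = [bool]($types -match 'TpmPin')
    $report = [ordered]@{
        MountPoint    = $osDrive
        ProtectionOn  = ($vol.ProtectionStatus -eq 'On')
        Protectors    = ($types -join ', ')
        PinConfigured = $hasPin
    }

    # reagentc /info prints "Windows RE status: Enabled" or "Disabled".
    $reInfo = reagentc.exe /info 2>&1 | Out-String
    $report.WinREEnabled = ($reInfo -match 'Windows RE status:\s+Enabled')

    # PIN protectors require the "Require additional authentication at startup"
    # policy: HKLM\SOFTWARE\Policies\Microsoft\FVE UseAdvancedStartup=1 and
    # UseTPMPIN = 1 (require) or 2 (allow).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -ErrorAction SilentlyContinue
    $report.PolicyAllowsPin = (($fve.UseAdvancedStartup -eq 1) -and ($fve.UseTPMPIN -in 1, 2))

    if ($AddPin -and -not $hasPin) {
        if (-not $report.PolicyAllowsPin) {
            Write-Warning "Enable the 'Require additional authentication at startup' policy first."
        } else {
            $pin = Read-Host -Prompt 'Enter new BitLocker startup PIN' -AsSecureString
            Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin | Out-Null
            $report.PinConfigured = $true
        }
    }
    [pscustomobject]$report
}

Get-BitLockerStartupAuditReport | Format-List
```

A report showing `PinConfigured: False` with `WinREEnabled: True` is the configuration the article's mitigations are aimed at; fleet-wide, the same function can be invoked through `Invoke-Command` and the objects collected centrally.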

(Source: Cybersecuritynews.com)
