Two recently disclosed zero-day exploits, dubbed YellowKey and GreenPlasma, target Windows 11's BitLocker encryption and its privilege model, raising urgent concerns for enterprises that rely on Microsoft's built-in security features.

  • YellowKey allows BitLocker bypass through Windows Recovery Environment access.
  • GreenPlasma enables elevation to System privileges, risking full control over devices.
  • Physical device access significantly raises risk despite TPM protections.

Threat signal

The disclosure of YellowKey and GreenPlasma points to serious weaknesses in Windows 11's security architecture. YellowKey bypasses BitLocker, the full-volume encryption enterprises rely on to protect data on lost or stolen devices, by abusing access to the Windows Recovery Environment (WinRE). According to the disclosure, the bypass works even when the volume key is protected by the TPM alone or by a TPM plus pre-boot PIN.

GreenPlasma, meanwhile, lets an attacker escalate to SYSTEM (LocalSystem), the most privileged local account on a Windows device. With that level of access an attacker can disable security controls, tamper with trusted processes, install persistent malware and use the machine as a foothold for lateral movement. Because proof-of-concept exploits have been published, malicious actors have little work left to do before weaponizing them.

Operator exposure

Organizations relying on BitLocker face heightened risk from anyone who obtains physical access to a device, which undermines the usual assumption that an encrypted volume on a lost or stolen machine is safe. The exposure is greatest for laptops and other mobile endpoints, shared devices and sites with weak physical security, where an attacker can reach the recovery environment and read data without recovering or brute-forcing the encryption key.

GreenPlasma widens the impact beyond data theft: SYSTEM-level escalation means full device compromise. Administrators should assume that current mitigations may not keep an attacker with physical access from taking control, and that TPM-based protection of the volume key can be circumvented depending on how the Windows recovery environment is implemented and exposed.

What teams should watch

Security teams should track Microsoft's response to these zero-days and apply patches as soon as they ship. Until then, strict physical access control is the primary compensating measure. Endpoint and incident response teams should verify how the recovery environment is configured on managed devices, restrict who can reach it, and consider additional layers of protection for devices holding sensitive data.
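As an added example (not code from the briefing or from SecurityWeek), the following PowerShell inventories the BitLocker and recovery-environment state the previous paragraph tells endpoint teams to validate. It assumes an elevated session on Windows 11 with the BitLocker and SecureBoot modules available, and it only reports facts about the device; nothing on this page says that any of these settings stops YellowKey or GreenPlasma.

```powershell
# Added example: read-only posture check for BitLocker, WinRE and Secure Boot.
# Assumes an elevated PowerShell session on Windows 11. Reports state; does not
# change anything and does not claim to mitigate the flaws described in the briefing.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # reagentc /info prints a line of the form "Windows RE status: Enabled|Disabled".
    $reInfo   = reagentc /info 2>&1 | Out-String
    $reStatus = if ($reInfo -match 'Windows RE status:\s*(\w+)') { $Matches[1] } else { 'Unknown' }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not confirmed".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is $($vol.ProtectionStatus) on $MountPoint")
    }
    # TPM-only: the volume key is unsealed without any pre-boot secret from the user.
    if (($types -contains 'Tpm') -and -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
        $findings.Add('TPM-only protector: no pre-boot PIN is required to unseal the volume key')
    }
    if ($reStatus -eq 'Enabled') {
        $findings.Add('Windows RE is enabled on this device; confirm who can reach it and whether it can unlock the OS volume')
    }
    if ($secureBoot -ne $true) {
        $findings.Add('Secure Boot is not confirmed enabled')
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus.ToString()
        ProtectionStatus = $vol.ProtectionStatus.ToString()
        EncryptionMethod = $vol.EncryptionMethod.ToString()
        KeyProtectors    = ($types -join ', ')
        WinREStatus      = $reStatus
        SecureBoot       = $secureBoot
        Findings         = $findings
    }
}

Get-BitLockerPosture | Format-List
```

Run it through your endpoint management tooling to collect the `Findings` field across the fleet. As general hardening unrelated to the page's specific findings, `reagentc /disable` removes the local recovery environment entirely, at the cost of losing reset and recovery functionality; whether that is acceptable is an operational decision, and the briefing does not state that it blocks YellowKey.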

Cloud and identity teams should also plan for a compromised endpoint being used as a pivot into the wider network and into cloud environments, since a SYSTEM-level foothold exposes whatever credentials and tokens are cached on the device. Tuning detection for privilege escalation and unusual process behaviour will help catch exploit attempts early, and security operations, endpoint management and risk teams need to coordinate to reduce exposure from these emerging Windows vulnerabilities.
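As an added example (again, not from the briefing or its source), the following PowerShell shows one generic heuristic for the privilege-escalation monitoring described above: flagging Security event 4688 (Process Creation) records in which a process running as an ordinary user creates a process running as SYSTEM. The sample records are constructed to mirror the Creator Subject and Target Subject fields of 4688; the user, path and executable names are illustrative assumptions, not indicators tied to GreenPlasma, whose mechanics the page does not describe.

```powershell
# Added example: generic heuristic over Security event 4688 (Process Creation).
# Live use needs "Audit Process Creation" enabled; the records below are constructed
# test data (hypothetical users and paths), not real indicators from the briefing.

# Parents that legitimately create SYSTEM processes (service control, UAC broker).
$LegitimateSystemParents = @(
    'C:\Windows\System32\services.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\consent.exe',
    'C:\Windows\System32\wininit.exe'
)

function ConvertFrom-Event4688 {
    # Flattens a live 4688 EventLogRecord into the shape Find-UserToSystemSpawn expects.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated       = $Record.TimeCreated
        SubjectUserName   = $data['SubjectUserName']   # Creator Subject: account that spawned the process
        TargetUserName    = $data['TargetUserName']    # Target Subject: account the new process runs as
        NewProcessName    = $data['NewProcessName']
        ParentProcessName = $data['ParentProcessName']
        CommandLine       = $data['CommandLine']
    }
}

function Find-UserToSystemSpawn {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$AllowedParents = $LegitimateSystemParents
    )
    $builtinCreators = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', '-')
    foreach ($e in $Events) {
        # Creator is a user account: not a built-in service account, not a machine account (ends in $).
        $creatorIsUser  = ($e.SubjectUserName -notin $builtinCreators) -and ($e.SubjectUserName -notlike '*$')
        $targetIsSystem = $e.TargetUserName -eq 'SYSTEM'
        $parentExpected = $AllowedParents -contains $e.ParentProcessName
        if ($creatorIsUser -and $targetIsSystem -and -not $parentExpected) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Creator     = $e.SubjectUserName
                Parent      = $e.ParentProcessName
                Child       = $e.NewProcessName
                CommandLine = $e.CommandLine
                Reason      = 'user-owned process created a SYSTEM process outside the expected brokers'
            }
        }
    }
}

# Constructed samples: a UAC elevation (creator SYSTEM, target user), a service start, and one suspicious spawn.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2025-01-01T09:00:00'; SubjectUserName = 'SYSTEM'; TargetUserName = 'alice';
        NewProcessName = 'C:\Windows\System32\mmc.exe'; ParentProcessName = 'C:\Windows\System32\svchost.exe'; CommandLine = 'mmc.exe' }
    [pscustomobject]@{ TimeCreated = '2025-01-01T09:01:00'; SubjectUserName = 'SYSTEM'; TargetUserName = 'SYSTEM';
        NewProcessName = 'C:\Windows\System32\svchost.exe'; ParentProcessName = 'C:\Windows\System32\services.exe'; CommandLine = 'svchost.exe -k netsvcs' }
    [pscustomobject]@{ TimeCreated = '2025-01-01T09:02:00'; SubjectUserName = 'alice'; TargetUserName = 'SYSTEM';
        NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Users\alice\Downloads\tool.exe'; CommandLine = 'cmd.exe' }
)

Find-UserToSystemSpawn -Events $sample | Format-Table -AutoSize   # only the third record should appear

# Live use (elevated): last 24 hours of 4688 from the Security log.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } |
#         ForEach-Object { ConvertFrom-Event4688 -Record $_ }
# Find-UserToSystemSpawn -Events $live
```

Treat this as one signal, not a detector for any particular exploit: an escalation that steals or impersonates a SYSTEM token before calling CreateProcess will record SYSTEM as the creator and slip past this rule, so pair it with telemetry on token manipulation and on new services or scheduled tasks created shortly after a user session begins.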

Source assisted: This briefing began from a discovered source item from SecurityWeek.
