A recent public disclosure of two critical unpatched Windows vulnerabilities named YellowKey and GreenPlasma highlights a significant threat to BitLocker-encrypted data through the Windows Recovery Environment. These zero-day exploits grant unauthorized access to encrypted drives and elevated permissions, underscoring gaps in current Microsoft protections and Windows boot process security.
- BitLocker bypass affects systems using Windows Recovery Environment, including Windows 11 and Windows Server editions.
- Exploits use NTFS transaction manipulation and crafted files to trigger unauthorized shell access during recovery.
- Recommended mitigations include enforcing BitLocker PINs, BIOS passwords, and monitoring recovery environment use.
Threat signal
The YellowKey vulnerability allows attackers to bypass BitLocker encryption by exploiting how Windows Recovery Environment (WinRE) processes certain NTFS transaction logs and custom files placed on USB drives or EFI partitions. This essentially opens a backdoor to encrypted drives without requiring the BitLocker key, exposing sensitive data to unauthorized access during recovery operations.
Alongside YellowKey, the GreenPlasma vulnerability provides a method for privilege escalation, potentially allowing attackers to gain administrative control once initial access is established. These vulnerabilities affect widely deployed Windows versions, including Windows 11 and Windows Server 2022/2025, raising systemic risk across diverse enterprise environments worldwide.
Operator exposure
Systems with BitLocker configured for TPM-only unlock modes are primarily vulnerable, as these modes allow transparent disk decryption at boot. Attackers can leverage the YellowKey exploit to obtain a command shell with unrestricted access during WinRE without triggering authentication mechanisms. Although TPM+PIN configurations provide improved protection, the researcher notes the core vulnerability remains exploitable, signaling broader security concerns.
Organizations relying on BitLocker for endpoint encryption must recognize that attacks exploiting recovery environments bypass traditional disk encryption safeguards. Recovery partitions and attached USB devices are potential attack vectors, emphasizing the need to secure component-level integrity of the boot and recovery processes in addition to endpoint encryption policies.
What teams should watch
Security and IT operations teams should prioritize enforcement of BitLocker PINs and BIOS/UEFI firmware passwords to reduce risk exposure, as these raise the barrier against recovery environment tampering. Monitoring and controlling physical access to devices and boot media is critical because the exploitation method relies on modifications to USB media or the EFI partition.
Teams responsible for patch management and vulnerability response need to watch for official Microsoft updates addressing these flaws and prepare for rapid deployment once available. In the meantime, auditing recovery environment configurations and access logs can help detect abnormal usage patterns that may indicate attempts to exploit these vulnerabilities.
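The exposure described under "Operator exposure" (TPM-only unlock versus TPM+PIN) and the configuration audit recommended above can be checked with a short read-only script. This is an added example, not code from the original brief or from the researcher; it assumes an elevated PowerShell session on Windows 10/11 with the built-in BitLocker module, and relies only on the Get-BitLockerVolume cmdlet, reagentc /info, and the FVE policy registry key that backs the "Require additional authentication at startup" Group Policy setting. It reports findings and changes nothing.

```powershell
# Added audit example (not from the original brief). Run elevated; read-only.

function Get-BitLockerExposureReport {
    # Protector types that add a second factor on top of the TPM.
    $strong = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasStrong = [bool]($types | Where-Object { $strong -contains $_ })
        # TPM-only unlock: a bare 'Tpm' protector with no PIN/startup-key variant.
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasStrong
        $finding = if ($vol.ProtectionStatus -ne 'On') { 'BitLocker protection is not On' }
                   elseif ($tpmOnly) { 'TPM-only unlock: add a startup PIN (TpmPin)' }
                   else { 'OK' }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ',')
            TpmOnlyUnlock    = $tpmOnly
            Finding          = $finding
        }
    }
}

function Get-WinREStatus {
    # reagentc /info prints "Windows RE status: Enabled|Disabled" and the WinRE image location.
    $out = & reagentc.exe /info 2>&1 | Out-String
    $status = if ($out -match 'Windows RE status:\s*(\w+)') { $Matches[1] } else { 'Unknown' }
    $loc    = if ($out -match 'Windows RE location:\s*(\S.*)') { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{ WinREStatus = $status; Location = $loc }
}

function Get-StartupPinPolicy {
    # UseTPMPIN = 1 under the FVE policy key means a startup PIN is required with the TPM.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $v = (Get-ItemProperty -Path $key -Name UseTPMPIN -ErrorAction SilentlyContinue).UseTPMPIN
    if ($null -eq $v) { 'NotConfigured' } elseif ($v -eq 1) { 'Required' } else { "Value=$v" }
}

Get-BitLockerExposureReport | Format-Table -AutoSize
Get-WinREStatus | Format-List
"Startup PIN policy (UseTPMPIN): $(Get-StartupPinPolicy)"
```

Volumes reported with TpmOnlyUnlock = True are the configurations the brief describes as most exposed; a WinRE status of Enabled with no startup PIN policy is the combination to prioritize for review.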