
YellowKey Isn’t Breaking BitLocker, It’s Breaking the Trust Around It


StratosAlly


Security researchers have publicly released proof-of-concept exploits for two unpatched Windows vulnerabilities, one capable of bypassing BitLocker protections and another enabling local privilege escalation to the system level. The more alarming flaw, nicknamed YellowKey, abuses the Windows Recovery Environment to access encrypted drives under certain conditions without needing the BitLocker recovery key.

For years, BitLocker has been treated as one of Windows’ strongest safety nets. Lose your laptop? Your files stay encrypted. Device stolen? The data remains locked behind hardware-backed protection. It’s the kind of security feature most people rarely think about, because they assume it simply works.

That assumption is now being tested. Security researchers have disclosed a new Windows zero-day called YellowKey, a BitLocker bypass that targets the Windows Recovery Environment (WinRE). But what makes the vulnerability unsettling isn’t that it breaks encryption directly; it doesn’t. Instead, it exploits the trust and convenience built around how Windows handles recovery and startup processes.

And sometimes, that’s enough. The attack reportedly works by booting a targeted system into the recovery environment using specially crafted files placed on a USB drive. Under specific configurations, the system can expose an elevated recovery shell while the encrypted drive is already mounted and accessible.

In practical terms, that means an attacker with physical access to the machine may be able to reach protected files without ever knowing the BitLocker recovery key.

Importantly, this is not a remote attack. The exploit still requires hands-on access to the device, along with the ability to boot into the Windows Recovery Environment. Systems with stricter boot protections, such as properly configured Secure Boot policies, disabled external boot options, or stronger pre-boot authentication, are significantly harder to target.

But many devices don’t use those additional protections.

Researchers believe systems relying on TPM-only BitLocker protection are at the highest risk. That’s because TPM-based setups are designed for convenience: the machine verifies itself during startup and unlocks the drive automatically. YellowKey appears to exploit that exact moment, where the system trusts the hardware before the user has actually proven identity. Configurations using TPM+PIN or other forms of pre-boot authentication are considered far more resistant.

And YellowKey wasn’t released alone. A second vulnerability, dubbed GreenPlasma, targets Windows’ CTFMON component and enables local privilege escalation to the system level, the highest privilege tier in Windows. Unlike YellowKey, GreenPlasma still requires initial access or code execution on the machine first. But once triggered, it could allow attackers to move from limited access to near-total control over the system.

Individually, both vulnerabilities are dangerous. Together, they begin to look like parts of a much larger attack chain.

What makes this situation even more uncomfortable is how the vulnerabilities became public. The researcher behind the disclosures, using the aliases Chaotic Eclipse and Nightmare Eclipse, reportedly released proof-of-concept exploit code after expressing frustration with Microsoft’s vulnerability response process.

And in cybersecurity, public exploit code changes the timeline immediately.

Even without confirmed widespread attacks in the wild so far, public proof-of-concept releases dramatically reduce the barrier to experimentation. Researchers begin testing defenses. Security teams rush to validate mitigations. And attackers start studying the same code almost instantly.

Microsoft has acknowledged the reports and is currently investigating, but no official patch has been released yet. In the meantime, security experts are urging organizations to strengthen BitLocker configurations by enabling TPM+PIN authentication, tightening Secure Boot policies, disabling unauthorized external boot options where possible, and treating physical device access as part of the security boundary itself.
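A defender-side check for the hardening items listed above, written as an added PowerShell example (not the article’s or the researchers’ code): it reports OS volumes guarded by a TPM-only protector, whether Secure Boot is on, whether the “Require additional authentication at startup” policy mandates a PIN, and whether WinRE is enabled. It assumes an elevated session on the Windows host being audited, the built-in BitLocker and SecureBoot modules, and English-language reagentc output; it is read-only and changes nothing.

```powershell
# Added audit script, not from the article. Run elevated on the host under review.
function Test-BitLockerHardening {
    $findings = @()

    # 1. Which startup protector guards each encrypted volume?
    #    A bare "Tpm" protector is the TPM-only setup the article flags as highest risk;
    #    TpmPin / TpmPinStartupKey / TpmStartupKey add pre-boot authentication.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $preBoot = $types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey' }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$($vol.MountPoint) BitLocker protection is $($vol.ProtectionStatus)"
        } elseif ('Tpm' -in $types -and -not $preBoot) {
            $findings += "$($vol.MountPoint) uses a TPM-only protector (no pre-boot PIN or startup key)"
        }
    }

    # 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS / CSM machines.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled' }
    } catch {
        $findings += 'Secure Boot not available (firmware is not booting in UEFI mode)'
    }

    # 3. Group Policy "Require additional authentication at startup".
    #    UseTPMPIN: 0 = do not allow PIN, 1 = require PIN with TPM, 2 = allow PIN.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pinPolicy = (Get-ItemProperty -Path $fve -Name UseTPMPIN -ErrorAction SilentlyContinue).UseTPMPIN
    if ($pinPolicy -ne 1) {
        $findings += "Policy does not require TPM+PIN (UseTPMPIN = '$pinPolicy')"
    }

    # 4. WinRE state, informational: the reported YellowKey path boots into the recovery
    #    environment. Assumes English reagentc output.
    $reInfo = (& reagentc.exe /info 2>$null) -join "`n"
    if ($reInfo -match 'Windows RE status:\s+Enabled') {
        $findings += 'WinRE is enabled (informational; review external boot restrictions)'
    }

    return $findings
}

$result = Test-BitLockerHardening
if ($result.Count -eq 0) { 'No findings: protector type, Secure Boot and PIN policy checks passed.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```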

Because that’s the uncomfortable reality behind YellowKey.

BitLocker was designed to protect systems precisely in moments when devices fall into the wrong hands. But YellowKey doesn’t attack the encryption mathematically. It attacks the assumptions surrounding when and how the system decides to trust itself.

And sometimes, the weakest point in security isn’t the algorithm. It’s the moment convenience quietly becomes trust.

