Two serious, still-unpatched Windows zero-days, YellowKey and GreenPlasma, have had public proof-of-concept (PoC) exploit code available since May 13, increasing the risk of real-world attacks. Microsoft has now released official mitigation guidance, but a full security update is not yet available.
---
What the vulnerabilities are
YellowKey
- Impact: Bypasses BitLocker disk encryption
- Affected systems:
  - Windows 11
  - Windows Server 2022
  - Windows Server 2025
- Requirements: Attacker needs physical or local access to the target machine
- Risk: An attacker with hands-on access could potentially access data that should be protected by BitLocker, undermining one of the core defenses for lost or stolen devices.
GreenPlasma (overview)
- Impact: Local privilege escalation to SYSTEM
- Requirements: Local access and the ability to run code on the system
- Risk: Lets an attacker who already has a foothold (e.g., via malware or a low-privilege account) gain full control of the system, disable security tools, and move laterally.
Both vulnerabilities are zero-days with public PoC code, meaning attackers have everything they need to start experimenting with and weaponizing these issues even before a full patch is available.
---
What you should do right now
1. Apply Microsoft’s WinRE mitigation guidance
Microsoft has published Windows Recovery Environment (WinRE) mitigations that you should apply immediately, especially on:
- Laptops and mobile devices that leave secure facilities
- Systems storing sensitive or regulated data
- Any environment with a high risk of physical access attacks (e.g., shared offices, co-working spaces, field devices)
Follow Microsoft’s official WinRE mitigation steps for your specific Windows and Windows Server versions. These mitigations are currently the primary line of defense until a full patch is released.
2. Prepare for Patch Tuesday (June 9)
Microsoft’s June 9 Patch Tuesday is the most likely window for a comprehensive fix.
Action items:
- Plan maintenance windows now so you can deploy updates quickly once they are released.
- Test patches rapidly in a staging environment, but avoid long delays before production rollout.
- Ensure your endpoint management (Intune, Configuration Manager, or other tools) is ready to push updates at scale.
---
Additional hardening steps
While waiting for full patches, consider:
- Restricting physical access to sensitive systems (locked rooms, secure cabinets, cable locks for laptops).
- Enforcing strong boot security:
  - Enable Secure Boot where supported.
  - Require BIOS/UEFI passwords on high-value systems.
- Monitoring for suspicious local activity:
  - Unusual use of recovery environments
  - Unexpected privilege escalations or service modifications
These measures do not replace Microsoft’s mitigations but can reduce the practical attack surface.
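To make the boot-security and monitoring items above checkable rather than aspirational, here is an added PowerShell example (not from the original advisory, and not Microsoft's mitigation script). It reads the Secure Boot, TPM, BitLocker and WinRE state of the local machine with standard cmdlets (Confirm-SecureBootUEFI, Get-Tpm, Get-BitLockerVolume, reagentc.exe /info) and then pulls recent service installations (System event 7045) and privileged logons (Security event 4672) with Get-WinEvent. The lookback window and the warning thresholds are assumptions you should tune; run it from an elevated prompt.

```powershell
# Added example, not part of the original advisory: read-only posture and
# activity check for the hardening items listed above.
# Assumptions: run elevated; $LookbackHours is an arbitrary tuning value.
# Event IDs used are standard Windows IDs: 7045 (System: a service was
# installed) and 4672 (Security: special privileges assigned to new logon).

$LookbackHours = 24

function Get-BootSecurityPosture {
    # Confirm-SecureBootUEFI throws on BIOS/legacy systems; report $null there.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

    $tpm      = Get-Tpm
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # reagentc prints a line such as "Windows RE status: Enabled"; keep the value only.
    $winReLine = (& reagentc.exe /info) | Where-Object { $_ -match 'Windows RE status' }
    $winReStatus = if ($winReLine) { ($winReLine -replace '^\s*Windows RE status:\s*', '').Trim() } else { 'Unknown' }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        SecureBootEnabled     = $secureBoot
        TpmPresentAndReady    = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        OsVolumeProtection    = $osVolume.ProtectionStatus   # expect 'On'
        OsVolumeKeyProtectors = ($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        WinReStatus           = $winReStatus
    }
}

function Get-SuspiciousLocalActivity {
    param([int]$Hours = $LookbackHours)
    $since = (Get-Date).AddHours(-$Hours)

    # New services (7045). EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
    # Anything created outside a change window, or with an odd image path, deserves a look.
    $newServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Kind        = 'NewService'
                Time        = $_.TimeCreated
                Subject     = $_.Properties[0].Value   # service name
                Detail      = $_.Properties[1].Value   # image path
                Account     = $_.Properties[4].Value   # account the service runs as
            }
        }

    # Privileged logons (4672). EventData order: SubjectUserSid, SubjectUserName,
    # SubjectDomainName, SubjectLogonId, PrivilegeList. SYSTEM and known admins
    # are normal; group by account so unfamiliar names stand out.
    $privLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
        Group-Object { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'PrivilegedLogon'
                Time    = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
                Subject = $_.Name
                Detail  = "$($_.Count) logon(s) with special privileges"
                Account = $_.Name
            }
        }

    @($newServices) + @($privLogons)
}

# Usage: print the posture, warn on the two settings the advisory calls out,
# then list recent service installs and privileged logons for review.
$posture = Get-BootSecurityPosture
$posture | Format-List

if ($posture.OsVolumeProtection -ne 'On') {
    Write-Warning "BitLocker protection is not On for $env:SystemDrive (status: $($posture.OsVolumeProtection))"
}
if ($posture.SecureBootEnabled -ne $true) {
    Write-Warning "Secure Boot is not enabled or could not be confirmed"
}

Get-SuspiciousLocalActivity | Sort-Object Time | Format-Table -AutoSize
```

Running this on a fleet and diffing the posture object against a known-good baseline (for example a BitLocker status that flips from On to Off, or a WinRE status that changes unexpectedly) gives you a cheap signal for the "unusual use of recovery environments" item that is otherwise hard to observe from inside the running OS. Security event 4672 requires the "Audit Special Logon" subcategory to be enabled, which it is by default on most Windows editions.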
---
Summary
- YellowKey: BitLocker bypass on Windows 11 and Windows Server 2022/2025, requires physical/local access.
- GreenPlasma: Local privilege escalation to SYSTEM.
- Status: No full patch yet; PoC code has been public since May 13.
- Action: Apply Microsoft’s WinRE mitigation guidance now and be ready to deploy the expected fixes on June 9 Patch Tuesday as soon as they become available.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you have questions about Windows hardening or BitLocker in high-risk environments.