YellowKey BitLocker Bypass And GreenPlasma Exploit Surface For Windows 11

Windows 11, Server 2022, and Server 2025 systems affected



Two new Windows-focused exploits called YellowKey and GreenPlasma have reportedly been released online by GitHub user Nightmare-Eclipse, according to Neowin. The proof-of-concept exploits target BitLocker protections and Windows privilege escalation mechanisms on modern Microsoft operating systems.

The release comes just days after another BitLocker bypass tool surfaced publicly, increasing attention around Windows security and recovery environments.

YellowKey reportedly bypasses BitLocker protections

YellowKey allegedly targets BitLocker on Windows 11, Windows Server 2022, and Windows Server 2025. According to the published claims, Windows 10 does not appear affected by the exploit.

The attack reportedly requires physical access to the device, a USB flash drive, and a reboot into the Windows Recovery Environment, also known as WinRE. Researchers claim the exploit can expose unrestricted access to BitLocker-protected volumes after the attack succeeds.

Nightmare-Eclipse speculated that the vulnerable component “feels like a backdoor,” although no evidence currently supports claims of intentional behavior by Microsoft. At the moment, the allegation remains speculation rather than a confirmed finding.

The researcher also claims the suspicious component exists only inside the WinRE image and includes functionality not present in similarly named components found in standard Windows environments.

GreenPlasma focuses on privilege escalation

The second exploit, GreenPlasma, reportedly targets Windows privilege escalation through the Collaborative Translation Framework, commonly referred to as CTF.

According to the claims, attackers could use the exploit to gain elevated privileges, steal data, or damage systems after compromising a machine. The current proof-of-concept reportedly does not provide full SYSTEM shell access, but the researcher warned that more advanced attackers could expand the exploit further.

Security researchers often view privilege escalation flaws as highly dangerous because attackers frequently use them during malware infections and ransomware attacks to deepen system access and bypass security restrictions.

Researchers see greater long-term risk in GreenPlasma

Although YellowKey requires physical access, GreenPlasma may ultimately pose the bigger practical threat if attackers continue refining the exploit.

Privilege escalation vulnerabilities commonly play a major role in post-exploitation activity, especially in ransomware campaigns and advanced malware operations. Researchers have also repeatedly criticized parts of the Collaborative Translation Framework over previous security weaknesses and attack surface concerns.

Microsoft has not yet publicly responded to either exploit. The reports arrive shortly after Microsoft released the Windows 11 KB5089549 May 2026 Patch Tuesday update, which fixed more than 130 security vulnerabilities and included BitLocker-related fixes.
