What YellowKey and GreenPlasma Teach Defenders About Endpoint Resilience

https://www.cybersecurity-insiders.com/what-yellowkey-and-greenplasma-teach-defenders-about-endpoint-resilience/

Publish Date: 2026-06-06 10:44:00

Source Domain: www.cybersecurity-insiders.com

Across the security industry, BitLocker is trusted to protect a device by default, and modern frameworks have adopted it to satisfy data-at-rest compliance requirements. We also believe that least privilege principles combined with EDR are enough to contain most post-compromise activity. Two novel Windows zero-day vulnerabilities have just challenged those assumptions.

As disclosed by researcher Nightmare-Eclipse, the vulnerabilities, dubbed YellowKey and GreenPlasma, can abuse trusted Windows functionality to bypass BitLocker drive encryption and escalate privileges after gaining limited access to a system, all without relying on sophisticated malware or remote exploitation.

With attackers increasingly exploiting the gaps between security features, operational configurations, and default system components, these vulnerabilities serve as a reminder that security teams can’t rely on built-in security features alone to remain resilient. We continue to see the person, regardless of their level, being exploited in the attack chain. Security controls are most effective when paired with operational discipline, layered defenses, and continuous validation against realistic attack scenarios.

YellowKey: The BitLocker Assumption Problem

YellowKey abuses a behavioral trust assumption in the Windows recovery interface to bypass BitLocker protections, giving attackers full access during the pre-boot recovery process with minimal effort.

Rather than relying on software installation, existing credentials, or network access, all it needs to bypass protections is physical access to the device, making any machine with an active USB port that can be rebooted a potential target. That means any scenario in which a user does not have their Windows device in hand could quickly become a data breach. Once BitLocker protections are bypassed, attackers can gain unrestricted access to all sensitive material stored on the device, including corporate documents,…
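The article argues that defenders should continuously validate that their controls match the threat rather than trust a default. One concrete check a practitioner can run against the pre-boot exposure described above is to audit how each BitLocker OS volume is actually protected. The following PowerShell script is an added example and is not part of the article or the researcher's disclosure; it uses the standard BitLocker module cmdlet `Get-BitLockerVolume` and its `KeyProtector` collection. The classification of a TPM-only protector set as a finding, and the list of protector types treated as pre-boot authentication, are this example's own assumptions about what a layered-defense review would flag.

```powershell
# Added example: audit BitLocker operating-system volumes and report how each can
# be unlocked. Requires the BitLocker PowerShell module and an elevated session.
# The "Finding" classification below is an assumption of this example, not a
# statement from the article or from Microsoft.

Import-Module BitLocker -ErrorAction Stop

# Protector types that require the user to present something at boot before the
# volume key is released (assumption: these are what we count as pre-boot auth).
$preBootAuthTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

$report = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    ForEach-Object {
        $vol   = $_
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpmOnly     = $types -contains 'Tpm'
        $hasPreBootAuth = @($types | Where-Object { $preBootAuthTypes -contains $_ }).Count -gt 0
        $hasRecoveryPwd = $types -contains 'RecoveryPassword'

        # Decide what a reviewer would want to see first for this volume.
        if ($vol.ProtectionStatus -ne 'On') {
            $finding = 'Protection is not on'
        } elseif ($hasTpmOnly -and -not $hasPreBootAuth) {
            $finding = 'TPM-only unlock: no pre-boot authentication configured'
        } elseif (-not $hasRecoveryPwd) {
            $finding = 'No recovery password protector present to escrow'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus
            VolumeStatus      = $vol.VolumeStatus
            EncryptionMethod  = $vol.EncryptionMethod
            Protectors        = ($types -join ', ')
            PreBootAuth       = $hasPreBootAuth
            RecoveryProtector = $hasRecoveryPwd
            Finding           = $finding
        }
    }

$report | Format-Table -AutoSize

# Non-zero exit code when any volume has a finding, so the script can gate a
# fleet-wide compliance job or a scheduled validation run.
if (@($report | Where-Object { $_.Finding -ne 'OK' }).Count -gt 0) { exit 1 }
```

Run it as part of a scheduled validation task or through your endpoint management tool and collect the output centrally; a volume that reports `TPM-only unlock` is one whose drive key is released at boot with no user interaction, which is exactly the kind of default-configuration gap the article says defenders should not assume is safe. Changing protectors (for example adding a PIN with `Add-BitLockerKeyProtector -TpmAndPinProtector`) is a policy decision for the organization and is deliberately not automated here.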
