By Linda Park, Tech Editor | May 18, 2026 | San Francisco, USA
Two Unpatched Windows Exploits Expose BitLocker and SYSTEM Access—What You Need to Know
Security researchers have published proof-of-concept (PoC) exploit code for two critical, unpatched vulnerabilities in Windows: one bypasses BitLocker encryption to expose the contents of encrypted drives, the other escalates local privileges to SYSTEM. The flaws affect Windows 11 and Windows Server 2022/2025, raising urgent concerns for organizations relying on Microsoft’s disk encryption for sensitive data protection.
Named YellowKey and GreenPlasma, the exploits were disclosed by researchers using the monikers Chaotic Eclipse and Nightmare Eclipse. While Microsoft has not yet issued patches, the public release of these techniques heightens the risk of targeted attacks against unprotected systems. Experts warn that the most immediate danger lies with devices using TPM-only BitLocker configurations, where automatic decryption during startup creates a window for exploitation.
This article explains how the exploits work, which systems are at risk and what steps organizations and individual users can take to mitigate exposure—while awaiting an official patch from Microsoft.
How the Exploits Work: Breaking BitLocker and SYSTEM Protections
The two vulnerabilities operate in distinct but equally dangerous ways:
1. YellowKey: The BitLocker Bypass
YellowKey leverages a flaw in Windows Recovery Environment (WinRE), the diagnostic mode used to troubleshoot boot failures. By placing crafted FsTx files on removable media, attackers can trigger a command shell during the recovery process—before BitLocker prompts for authentication. This allows access to the encrypted drive while it remains unlocked, effectively bypassing TPM-only protection.
Researchers confirm the exploit works on recent Windows 11 builds, though not all variants have been tested. The risk is most acute for devices configured with TPM-only BitLocker, which automatically decrypts the OS drive at startup for convenience. Microsoft’s own documentation acknowledges this trade-off, stating that pre-boot authentication (such as PINs or keys) is recommended for higher-risk environments. However, the researcher claims a separate TPM+PIN bypass path exists that has not been fully disclosed, leaving defenders with incomplete mitigation options.
“The convenience of TPM-only BitLocker makes recovery-time abuse dangerous: the device can decrypt itself before a user proves identity.”
—Bitdefender Hot for Security, May 2026
2. GreenPlasma: Privilege Escalation to SYSTEM
The second exploit, GreenPlasma, targets Windows’ CTFMON component, a trusted process that handles text services. While the PoC is not yet complete, early demonstrations show how an unprivileged user could create arbitrary memory-section objects in locations trusted by privileged components. This could turn an initial foothold into full machine compromise, a common tactic in ransomware and malware campaigns.
Unlike YellowKey, GreenPlasma does not rely on boot-time behaviors but instead exploits memory management flaws. Its successful execution would grant attackers SYSTEM-level privileges, allowing them to install malware, modify system files, or exfiltrate data without detection.
Who Is at Risk? Windows 11 and Server 2022/2025 Users
The exploits affect:
- Windows 11 (all recent builds, with confirmed success on TPM-only configurations).
- Windows Server 2022/2025, particularly in enterprise environments where BitLocker is used to protect sensitive data.
- Devices using TPM-only BitLocker (without additional pre-boot authentication like PINs or keys).
- Systems with removable media (USB drives, external disks) that could be used to deliver the exploit payload.
Organizations using Microsoft Azure or Intune for device management may face broader exposure if unpatched systems are connected to corporate networks. The exploits could enable lateral movement by attackers who gain initial access through phishing or other vectors.
What Can You Do? Immediate Actions While Awaiting a Patch
Microsoft has not yet released a patch for these vulnerabilities. In the meantime, security experts recommend the following measures:
For Organizations:
- Disable TPM-only BitLocker on high-risk devices and enforce pre-boot authentication (PINs, keys, or certificates) as a secondary protector.
- Restrict removable media access to prevent exploit delivery via USB drives or external disks.
- Monitor for suspicious WinRE activity using enterprise endpoint detection tools (e.g., Microsoft Defender for Endpoint, CrowdStrike).
- Isolate test systems and analyze the PoC in a controlled environment to assess exposure.
For Individual Users:
- Enable a startup PIN for BitLocker-protected devices, even if you use TPM.
- Avoid plugging unknown USB drives into your computer.
- Update Windows Defender signatures and enable cloud-delivered protection for real-time exploit detection.
- Check Microsoft’s security advisories for official guidance (linked below).
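As an added example that is not part of the article, the PowerShell script below puts the two BitLocker recommendations above (enforce pre-boot authentication for organizations; enable a startup PIN for individuals) into an auditable form. It uses only the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector); the function names are my own, and the script assumes the Group Policy setting "Require additional authentication at startup" already allows a TPM+PIN protector on the host, because the cmdlet otherwise refuses to add one.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or from Microsoft: find volumes that rely on
# a bare TPM protector (the configuration the article calls most exposed) and,
# on request, replace that protector with TPM+PIN while keeping a recovery password.

function Get-TpmOnlyBitLockerVolume {
    # Hypothetical helper name. Returns every BitLocker volume whose startup
    # protection is the TPM alone, with no PIN or startup key in front of it.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        $hasTpm     = $types -contains 'Tpm'
        $hasPreBoot = ($types -contains 'TpmPin') -or
                      ($types -contains 'TpmStartupKey') -or
                      ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = ($hasTpm -and -not $hasPreBoot)
        }
    } | Where-Object { $_.TpmOnly }
}

function Enable-BitLockerStartupPin {
    # Hypothetical helper name. Swaps a bare TPM protector for TPM+PIN on one volume.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    if (-not $tpm) {
        Write-Warning "No bare TPM protector on $MountPoint; nothing to change."
        return
    }
    # Guarantee a recovery password exists before touching protectors, so the
    # volume can still be unlocked if the TPM+PIN step fails.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        if ($PSCmdlet.ShouldProcess($MountPoint, 'Add recovery password protector')) {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Replace TPM protector with TPM+PIN')) {
        # A volume holds only one TPM-family protector, so remove the bare TPM
        # protector first, then add TPM+PIN; restore the original if that fails.
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpm.KeyProtectorId | Out-Null
        try {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
        }
        catch {
            Write-Warning "TPM+PIN protector rejected (check the startup authentication policy); restoring TPM protector."
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
            throw
        }
    }
}

# Usage: list the exposed volumes, then preview the change on the OS drive.
Get-TpmOnlyBitLockerVolume | Format-Table -AutoSize
$pin = Read-Host -Prompt 'New startup PIN' -AsSecureString
Enable-BitLockerStartupPin -MountPoint 'C:' -Pin $pin -WhatIf
```

Run the audit across a fleet first (the first function is read-only) and only then apply the change with -WhatIf removed; the recovery password added before the swap should be escrowed (for example to Active Directory or Intune) before the next reboot, since the device will prompt for the PIN from then on.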
What’s Next? Microsoft’s Response and the Road Ahead
Microsoft has not yet acknowledged these vulnerabilities in its official security advisories. However, the public disclosure of PoC code suggests the company is aware of the risks. Users should:
- Monitor Microsoft’s Security Response Center (MSRC) for patch updates.
- Follow Microsoft Security for emergency guidance.
- Engage with the security research community (e.g., Bitdefender’s Hot for Security) for real-time analysis.
Until a patch is released, organizations should assume these exploits are being weaponized by advanced threat actors. The combination of BitLocker bypass and privilege escalation makes this a high-priority risk for enterprises handling sensitive data.
Have you encountered unusual BitLocker behavior or WinRE activity? Share your experiences in the comments below—or let us know if you’ve tested these exploits in a safe environment. Stay secure.