TL;DR
Two unpatched Windows BitLocker zero-day vulnerabilities—YellowKey and GreenPlasma—have been publicly disclosed, enabling attackers to bypass full-disk encryption and escalate privileges on fully patched Windows systems. This matters right now because Microsoft has not yet issued a fix, leaving millions of enterprise and government devices exposed to potential data theft.
What Happened
On Friday, May 15, 2026, cybersecurity researchers published details of two critical zero-day vulnerabilities in Microsoft's BitLocker encryption system. The most severe, dubbed YellowKey, allows an attacker with physical access to a Windows device to completely bypass BitLocker's full-disk encryption and read encrypted data without a recovery key. A second flaw, GreenPlasma, provides a privilege escalation vector that can elevate an attacker from limited user access to SYSTEM level, enabling deeper compromise of the operating system.
Key Facts
- YellowKey is a BitLocker encryption bypass vulnerability that grants unauthenticated read access to encrypted drives on Windows 10, Windows 11, and Windows Server 2022 systems.
- GreenPlasma is a privilege escalation flaw that leverages a Windows kernel component to elevate attacker privileges from a standard user to SYSTEM level, bypassing User Account Control.
- Both vulnerabilities were disclosed by researchers at Zero Dynamics Security on May 15, 2026, with proof-of-concept exploit code published on GitHub.
- Microsoft has been notified of the flaws but has not yet released a security patch, and the company's next scheduled Patch Tuesday is June 9, 2026.
- The vulnerabilities affect all supported versions of Windows that include BitLocker, estimated to be active on over 800 million devices worldwide.
- Enterprise environments are particularly at risk because BitLocker is the default encryption solution for Windows Pro, Enterprise, and Education editions, and is mandated by many compliance frameworks.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive urging federal agencies to implement mitigation measures within 72 hours.
Breaking It Down
The YellowKey vulnerability represents a fundamental break in the trust model that underpins BitLocker's security. BitLocker has long been marketed as a "gold standard" for full-disk encryption, used by governments, financial institutions, and healthcare organizations to protect sensitive data on lost or stolen devices. The flaw exploits how BitLocker handles the Pre-Boot Authentication (PBA) phase—specifically, the way it validates the Trusted Platform Module (TPM) measurements during the boot process. By manipulating the TPM's Platform Configuration Registers (PCRs) through a physical attack vector, an attacker can force BitLocker to decrypt the drive without ever providing a password or recovery key.
Over 800 million Windows devices rely on BitLocker for full-disk encryption, and this vulnerability renders that protection effectively useless for any device an attacker can physically access. The attack requires only a few minutes of physical access, a USB drive with custom firmware, and no specialized hardware beyond a standard laptop. Once exploited, the attacker gains complete read access to all files on the encrypted drive, including encrypted credentials, database files, and sensitive documents.
The GreenPlasma privilege escalation flaw compounds the danger significantly. While YellowKey provides read access to encrypted data, GreenPlasma allows an attacker who already has limited user access (perhaps obtained through phishing or a separate vulnerability) to escalate to SYSTEM privileges. This means that even in scenarios where BitLocker remains intact, an attacker who gains an initial foothold through a separate vector can use GreenPlasma to install persistent backdoors, disable security software, or pivot to other systems on the network. The combination of both vulnerabilities creates a particularly dangerous attack chain: an attacker could first use YellowKey to extract credentials from an encrypted drive, then use those credentials to gain initial access, and finally use GreenPlasma to achieve full system compromise.
The timing of the disclosure is especially problematic. Microsoft's last Patch Tuesday was April 14, 2026, and the company has not issued an out-of-band security update despite the severity of the flaws. The next scheduled Patch Tuesday is June 9, 2026, leaving a potential 25-day window where systems remain vulnerable. For organizations that cannot immediately apply mitigations, this gap represents a significant operational risk.
What Comes Next
- Microsoft's response timeline: The company is expected to issue an emergency security advisory within the next 7 days (by May 22, 2026), but a full patch may not arrive until the June 9 Patch Tuesday. Organizations should monitor the Microsoft Security Response Center (MSRC) for interim guidance.
- CISA and government action: CISA's emergency directive will be followed by Binding Operational Directive (BOD) 26-02 expected within 10 days, which may mandate specific mitigations for federal agencies, including disabling BitLocker's TPM-only authentication and enabling additional PIN or USB key protection.
- Exploit weaponization: Proof-of-concept code is already circulating on GitHub and underground forums. Security researchers at Mandiant and CrowdStrike have reported early signs of threat actors incorporating YellowKey into their toolkits, with active exploitation likely within 2–3 weeks.
- Enterprise mitigation rollout: Organizations will need to implement emergency workarounds, including enforcing Group Policy settings that require a startup PIN or USB key for BitLocker, and deploying Microsoft Defender for Endpoint detection rules for the specific attack patterns.
The Bigger Picture
This incident highlights a growing crisis in trusted platform security. For years, hardware-based encryption solutions like BitLocker, Apple's FileVault, and Linux's LUKS have been considered virtually unbreakable without the decryption key. The YellowKey vulnerability demonstrates that the Trusted Platform Module (TPM), once seen as a silver bullet for boot-time integrity, has its own attack surface that can be exploited with relatively modest resources. This trend is accelerating: in 2025 alone, researchers disclosed 17 TPM-related vulnerabilities, a 240% increase from 2023.
The broader implication is for compliance frameworks that mandate full-disk encryption. Regulations such as HIPAA, GDPR, PCI DSS, and the Federal Information Security Management Act (FISMA) have long treated BitLocker as a compliant solution for protecting data at rest. If the YellowKey vulnerability remains unpatched for weeks, organizations may find themselves in the uncomfortable position of being "compliant" on paper while their encrypted drives are actually readable by attackers. This could trigger a wave of regulatory reassessments and force a shift toward post-quantum encryption and multi-factor authentication at the boot level.
Key Takeaways
- [Critical Severity]: Two unpatched BitLocker zero-days—YellowKey (encryption bypass) and GreenPlasma (privilege escalation)—expose over 800 million Windows devices to data theft and full system compromise.
- [Physical Access Required]: YellowKey requires physical access to the device, but GreenPlasma can be exploited remotely once initial access is gained, creating a potent attack chain.
- [No Patch Available]: Microsoft has not released a fix; the next scheduled Patch Tuesday is June 9, 2026, leaving a 25-day exposure window for most organizations.
- [Mitigation Urgency]: Enterprises should immediately enforce BitLocker startup PIN requirements, disable TPM-only authentication, and monitor for CISA's upcoming binding operational directive.
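The mitigation the article recommends (move volumes off TPM-only unlock and require a startup PIN or key) can be audited and applied with the built-in BitLocker cmdlets. The script below is an added example, not code from the article, Zero Dynamics Security or Microsoft; it assumes an elevated PowerShell prompt on a Windows host with the BitLocker module, and the "needs attention" verdicts are my own thresholds. The FVE policy value names and their 0/1/2 meanings are the real "Require additional authentication at startup" Group Policy settings.

```powershell
# Added example: report which BitLocker volumes still unlock with a TPM-only
# protector, and whether policy still permits that, then optionally replace
# the TPM-only protector with TPM+PIN on a given volume.
# FVE policy values UseTPM / UseTPMPIN / UseTPMKey / UseTPMKeyPIN:
#   0 = Do not allow, 1 = Require, 2 = Allow (assumed default when absent: Allow).

function Get-BitLockerProtectorPosture {
    [CmdletBinding()]
    param()
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policyAllowsTpmOnly = $true
    if ($policy -and $policy.PSObject.Properties['UseTPM']) {
        $policyAllowsTpmOnly = ($policy.UseTPM -ne 0)
    }
    foreach ($vol in Get-BitLockerVolume) {
        $types      = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasTpmOnly = $types -contains 'Tpm'
        $hasMfa     = ($types -contains 'TpmPin') -or ($types -contains 'TpmStartupKey') -or
                      ($types -contains 'TpmPinStartupKey')
        # Verdict thresholds are this example's assumption, not Microsoft guidance.
        if ($hasTpmOnly -and -not $hasMfa) { $finding = 'TPM-only unlock: add PIN or startup key' }
        elseif ($policyAllowsTpmOnly)       { $finding = 'Volume OK, but policy still allows TPM-only' }
        else                                { $finding = 'OK' }
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            ProtectionStatus    = $vol.ProtectionStatus
            KeyProtectors       = ($types -join ',')
            PolicyAllowsTpmOnly = $policyAllowsTpmOnly
            Finding             = $finding
        }
    }
}

function Set-BitLockerTpmPinProtector {
    # Adds a TPM+PIN protector and removes any remaining TPM-only protector.
    # Requires the FVE policy to allow or require TPM+PIN (UseTPMPIN = 1 or 2);
    # the PIN must satisfy the configured minimum length (default 6 digits).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    $tpmOnly = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
               Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    foreach ($kp in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    Get-BitLockerProtectorPosture | Where-Object { $_.MountPoint -eq $MountPoint }
}

Get-BitLockerProtectorPosture | Format-Table -AutoSize
```

Back up the recovery password (for example to Active Directory or Entra ID) before changing protectors, and roll the Group Policy change ahead of the protector change so the TPM+PIN add is not rejected by policy.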