The disclosed vulnerabilities include YellowKey, which bypasses BitLocker encryption by exploiting a hidden component in the Windows Recovery Environment (WinRE). This exploit requires physical access and involves rebooting into WinRE and triggering a command prompt that grants access to the protected volume. YellowKey also reportedly works against devices protected with a TPM PIN, though success depends on WinRE implementation. The second vulnerability, GreenPlasma, allows arbitrary memory section creation in directories writable by System, potentially enabling privilege escalation to System level. The researcher released proof-of-concept code for both exploits, with GreenPlasma's PoC missing full System shell capabilities. These vulnerabilities affect Windows 11 and have been independently verified by multiple security researchers.

YellowKey enables attackers with physical access to bypass BitLocker encryption, potentially exposing protected data on encrypted drives. This undermines the security guarantees of BitLocker, including those relying on TPM hardware. GreenPlasma allows attackers to escalate privileges to System level, which could enable disabling security protections, manipulating trusted processes, deploying malware, or lateral movement within an environment. The public release of proof-of-concept code increases the risk of these vulnerabilities being weaponized. There are no known exploits in the wild at the time of disclosure.

No official patch or remediation guidance from Microsoft is available at this time. Organizations should monitor for updates from Microsoft and apply patches promptly once released. Given that YellowKey requires physical access, physical security controls remain important. Until a fix is available, restricting physical access to devices and using additional security layers may reduce risk. The vendor advisory status is unknown; check Microsoft’s official channels for current remediation guidance.