Nightmare-Eclipse drops YellowKey and GreenPlasma exploits for Windows 11


    Karlston


Two new exploits, published on Patch Tuesday, target BitLocker encryption and system privileges on Windows 11 and Server 2025.

GitHub user Nightmare-Eclipse has just published exploits for two new vulnerabilities, dubbed YellowKey and GreenPlasma, that affect Windows 11 systems. Both were released on May 12, the same day Microsoft shipped its Patch Tuesday updates, which means neither is covered by that month's fixes and creates a big headache for the Redmond giant.


The first of the two exploits, YellowKey, is a BitLocker bypass on Windows 11 and recent Windows Server releases. According to Nightmare-Eclipse, YellowKey feels like a backdoor put in by Microsoft that could allow law enforcement to get past the encryption, but this is an unproven allegation at this point.


YellowKey relies on an attacker copying the published FsTx folder to a USB stick, plugging the stick into a target Windows computer that has BitLocker switched on, and then rebooting into the Windows Recovery Environment (WinRE) while holding down a series of keys. If the steps are followed correctly, it brings up a shell with unrestricted access to the BitLocker-protected volume. Note that this is a physical-access attack: the attacker needs to be at the machine with their USB stick and must reboot it, so it does not apply to remote compromise.


    Explaining why they think that this is a backdoor, Nightmare-Eclipse says:


“Now why would I say this is a backdoor? The component that is responsible for this bug is not present anywhere (even on the internet) except inside the WinRE image, and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal Windows installation but without the functionalities that trigger the BitLocker bypass issue. Why? I just can't come up with an explanation besides the fact that this was intentional.”


It is noted that this vulnerability affects Windows 11, Windows Server 2022 and Windows Server 2025; Windows 10 is not affected.

[Image: The GreenPlasma exploit. Credit: Nightmare-Eclipse]

The second exploit, GreenPlasma, is a privilege-escalation bug: an attacker who already has a foothold on the machine can use it to gain elevated privileges and then damage the system or steal data. The good news is that the published proof-of-concept code does not, on its own, hand an attacker a full SYSTEM shell. The bad news is that a capable attacker could build on it to achieve full privilege escalation, which would pose a real risk to the public.


The proof of concept lets a low-privileged user create an arbitrary memory section object inside any object-manager directory that only SYSTEM should be able to write to. It does this by abusing the Collaborative Translation Framework (CTF), a component with a long record of security flaws that has been at the centre of previous vulnerabilities. A section object planted in a privileged directory is a primitive rather than a finished attack; the step the PoC leaves out is turning that primitive into code running as SYSTEM, which is why the author says it still needs a "smart" person to weaponise it.
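Neither YellowKey nor GreenPlasma comes with vendor guidance yet, so the practical first step for an administrator is to find out which machines match the preconditions the article describes: an affected OS, a bootable WinRE, BitLocker-protected volumes, and the CTF loader present. The PowerShell below is an added example written for this post; it is not Nightmare-Eclipse's code and not Microsoft guidance. It only inventories those facts. The affected-OS list is taken from the article, and the assumption that WinRE availability and key-protector types are the relevant inputs for YellowKey is mine, since the article does not say which protector combinations the bypass defeats.

```powershell
# Added example (not from the original post): inventory the preconditions the
# article describes for YellowKey (OS, WinRE, BitLocker) and GreenPlasma (CTF loader).
# It reports facts only; which configurations are exploitable is left to the reader.
# Run from an elevated prompt: Get-BitLockerVolume and reagentc need admin rights.

#Requires -RunAsAdministrator

# Affected OS list as stated in the article: Windows 11, Server 2022, Server 2025.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$listedAsAffected = $os.Caption -match 'Windows 11|Server 2022|Server 2025'
Write-Host "OS:           $($os.Caption) (build $($os.BuildNumber))"
Write-Host "Listed as affected by the article: $listedAsAffected"

# WinRE: YellowKey needs the machine to boot into the recovery environment.
# reagentc /info prints a line such as "Windows RE status:  Enabled".
$reLine  = & reagentc.exe /info 2>&1 |
           Where-Object { $_ -match 'Windows RE status' } |
           Select-Object -First 1
$reState = if ($reLine -and ($reLine -match ':\s*(\S+)')) { $Matches[1] } else { 'unknown' }
Write-Host "WinRE status: $reState"

# BitLocker: every volume with its protection state and key protector types.
# Assumption: protector types are worth recording for later correlation with
# vendor guidance; the article does not say which combinations are affected.
Write-Host "`nBitLocker volumes:"
Get-BitLockerVolume | ForEach-Object {
    $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        Volume     = $_.MountPoint
        Status     = $_.VolumeStatus
        Protection = $_.ProtectionStatus
        Protectors = if ($types.Count) { $types -join ', ' } else { 'none' }
    }
} | Format-Table -AutoSize

# GreenPlasma abuses CTF; ctfmon.exe is the user-mode CTF loader. Per-user
# instances are normal, so this is context for the GreenPlasma surface, not an
# indicator of compromise.
Write-Host "CTF loader (ctfmon.exe) instances:"
Get-Process -Name ctfmon -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object Id, UserName, StartTime |
    Format-Table -AutoSize
```

The script deliberately stops at reporting. Whether a TPM-only volume, a TPM+PIN volume or a disabled WinRE changes the outcome of YellowKey is not something the article establishes, so the output is meant to be compared against whatever Microsoft or the researcher publishes next rather than read as a pass/fail verdict.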


It is unclear how Microsoft will react to this news. Hopefully it can get both issues patched quickly and push an out-of-band fix rather than waiting for next month's Patch Tuesday, so that users are not left exposed. You can bet that malicious actors will try to use these exploits, especially GreenPlasma, to do harm to the public.


    Source


    Hope you enjoyed this news post. Feedback welcome.

    Posted Thursday 14 May 2026 at 4:26 pm AEST (my time).

    News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

    RIP Matrix

