Particle.news

Researcher Publishes Windows ‘YellowKey’ BitLocker Bypass and ‘GreenPlasma’ Exploit Code

The releases expose a flaw in Windows recovery that can unlock encrypted disks on the original device.

Overview

  • Security researcher Chaotic Eclipse released public proof-of-concept code for YellowKey and GreenPlasma, with GreenPlasma targeting the CTFMon component to help a local user gain system-level access.
  • YellowKey places crafted files on a USB drive and uses Windows Recovery to remove a startup file so the system opens a command prompt with the BitLocker drive already unlocked.
  • Tom’s Hardware reproduced the USB method, and researchers Kevin Beaumont and Will Dormann validated core behavior, while Forbes reported the code was used in attacks within 24 hours of publication.
  • Testing indicates the bypass affects Windows 11 and Windows Server 2022 and 2025, works only on the same PC where the TPM holds the keys, and Dormann says a BitLocker PIN blocks the current proof-of-concept.
  • Microsoft said it is investigating with no fixes yet, and experts advise near-term steps such as disabling USB or external boot, using BIOS passwords, enforcing BitLocker PINs, and tightening physical access.
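The last bullet recommends enforcing BitLocker PINs. The following audit script is an added example, not code from the article, Particle.news or the researcher: it uses the built-in BitLocker PowerShell module (Get-BitLockerVolume) to flag volumes protected by the TPM alone, which is the configuration Dormann's comment says the current proof-of-concept depends on. The function name Get-BitLockerPinStatus is this example's own.

```powershell
# Added audit script (not from the article): lists each BitLocker volume and
# flags those protected by the TPM alone, i.e. without the pre-boot PIN that
# the mitigation advice above calls for. Run in an elevated session.
function Get-BitLockerPinStatus {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        # TpmPin / TpmPinStartupKey require a PIN before boot; Tpm alone does not.
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            PreBootPin       = $hasPin
            TpmOnly          = $tpmOnly
        }
    }
}

# Report every volume, then call out a TPM-only OS volume specifically.
$status = Get-BitLockerPinStatus
$status | Format-Table -AutoSize

$osVolume = $status | Where-Object { $_.MountPoint -eq $env:SystemDrive -and $_.TpmOnly }
if ($osVolume) {
    Write-Warning "$($osVolume.MountPoint) is TPM-only: no pre-boot PIN is required."
    # To add a TPM+PIN protector interactively (policy must permit startup PINs):
    # $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
    # Add-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -TpmAndPinProtector -Pin $pin
}
```

The report is read-only; the commented-out Add-BitLockerKeyProtector call is the administrative step that turns the finding into the TPM+PIN configuration the article's experts recommend.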