
YellowKey and GreenPlasma: Unpatched Windows Zero-Days That Bypass BitLocker and Grant SYSTEM Access

A disgruntled researcher dropped two unpatched Windows zero-days with public PoCs: YellowKey defeats BitLocker with a USB stick, and GreenPlasma escalates any user to SYSTEM. Here's what Saudi CISOs need to act on immediately.

FyntraLink Team

On May 12, 2026, a security researcher operating under the alias Nightmare-Eclipse published working proof-of-concept exploits for two unpatched Windows vulnerabilities — one that defeats BitLocker drive encryption with nothing more than a USB stick, and another that elevates any standard user to SYSTEM on fully patched Windows 11 machines. Neither vulnerability has a CVE assignment or an official Microsoft patch. For Saudi financial institutions subject to SAMA CSCC and NCA ECC controls on endpoint protection and data-at-rest encryption, these zero-days demand an immediate defensive response.

YellowKey: BitLocker Encryption Defeated Through the Recovery Environment

YellowKey targets a logic flaw in the Windows Recovery Environment (WinRE) — the diagnostic shell that Windows boots into when recovery or repair operations are needed. The exploit abuses a code path where WinRE replays NTFS transaction log data from a folder named FsTx on an attached USB drive. During this replay, WinRE deletes the lock file that normally restricts access to the recovery shell. On the next reboot, the attacker lands in a command prompt where the BitLocker-protected volume is already mounted and fully readable.

The attack requirements are alarmingly low: physical access to the target device and a prepared USB stick. No credentials, no network access, no prior malware installation. BleepingComputer confirmed the exploit works on Windows 11, Windows Server 2022, and Windows Server 2025 — the exact operating systems deployed across most Saudi enterprise environments. For organizations relying on BitLocker as their primary data-at-rest encryption layer, this is a direct threat to regulatory compliance.

GreenPlasma: Standard User to SYSTEM in Seconds

The second zero-day, GreenPlasma, targets ctfmon.exe — the Windows process responsible for text input services that runs with SYSTEM privileges in every interactive session. The exploit sends a crafted ALPC (Advanced Local Procedure Call) message to the MSCTF server, the backend service powering CTFMON, requesting creation of a new memory section in a directory object writable by SYSTEM. By manipulating how shared memory sections are created and managed, an attacker with any local user account can obtain a SYSTEM-privilege command prompt.

BleepingComputer tested GreenPlasma on a fully patched Windows 11 Pro system running the May 2026 Patch Tuesday updates and confirmed that a standard user account successfully escalated to SYSTEM. A subsequent variant, MiniPlasma, was released days later with a smaller footprint and identical results. These exploits are publicly available on GitHub, lowering the barrier to exploitation for any threat actor with local access — including insiders, compromised service accounts, and lateral-movement post-exploitation scenarios.

Why This Matters for Saudi Financial Institutions

SAMA's Cyber Security Common Controls (CSCC) framework mandates encryption of data at rest on all endpoints processing or storing customer financial data. Specifically, CSCC Control 3.3.4 requires that portable devices and removable media employ approved encryption mechanisms. YellowKey directly undermines this control by rendering BitLocker protections ineffective against physical access attacks — a scenario that includes stolen corporate laptops, devices seized during travel, and insider threats with physical access to server rooms.

NCA's Essential Cybersecurity Controls (ECC) framework reinforces these requirements under its Asset Management and Data Protection domains, requiring organizations to implement controls that prevent unauthorized access to sensitive data even when physical security is breached. GreenPlasma compounds the risk: once an attacker has any form of local access — through a phishing payload, a compromised VPN session, or a contractor's workstation — they can escalate to SYSTEM and disable endpoint detection, extract credentials from LSASS, or pivot to domain controllers.

The PDPL (Personal Data Protection Law) dimension adds regulatory exposure. A stolen laptop containing unencrypted customer PII — made accessible by YellowKey — triggers mandatory breach notification obligations under PDPL Article 20 and potential penalties from the SDAIA. For institutions handling millions of customer records, this is not a theoretical risk.

Recommendations and Immediate Actions

  1. Enforce pre-boot authentication with TPM + PIN. BitLocker configurations using TPM-only unlock are vulnerable to YellowKey because WinRE can access the volume without user interaction. Adding a pre-boot PIN or startup key creates an authentication barrier that the WinRE replay attack cannot bypass. Deploy this via Group Policy: Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Require additional authentication at startup.
  2. Disable or restrict WinRE on high-value endpoints. Run reagentc /disable on endpoints where the recovery environment is not operationally required. For endpoints where WinRE must remain enabled, restrict physical USB boot access through BIOS/UEFI settings and enforce Secure Boot with a supervisor password.
  3. Deploy application control to block GreenPlasma exploitation. Tools like Windows Defender Application Control (WDAC) or third-party application whitelisting solutions can prevent the unsigned exploit binary from executing. Ensure that your application control policy covers standard user execution paths, not just administrator contexts.
  4. Monitor for CTFMON anomalies. Configure your SIEM or EDR to alert on unusual ALPC communications targeting the MSCTF service, unexpected memory section creation by non-SYSTEM processes, and any standard user process spawning cmd.exe or PowerShell with SYSTEM integrity level.
  5. Implement physical security controls for endpoints. SAMA CSCC Control 2.2 requires physical access controls for information processing facilities. Conduct an immediate audit of laptop and workstation physical security — enforce Kensington locks for desktops, enable remote wipe for mobile devices, and restrict USB boot capability in UEFI firmware settings.
  6. Accelerate patch deployment once Microsoft responds. Monitor Microsoft's Security Response Center (MSRC) for advisories related to YellowKey and GreenPlasma. Given the public availability of PoC exploits, expect weaponization in ransomware toolkits within days. Establish a pre-approved emergency patching window with your change advisory board now.
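The following read-only audit script is an added example, not code from the original post or from Fyntralink; it checks an endpoint against recommendations 1 and 2 above (pre-boot authentication on the OS volume, WinRE status, Secure Boot) using the built-in BitLocker module, reagentc.exe and Confirm-SecureBootUEFI, and is meant to be run as Administrator on Windows 11 or Windows Server 2022/2025.

```powershell
# Added example (not from the original post): compliance check for recommendations 1 and 2.
# Assumes Get-BitLockerVolume, reagentc.exe and Confirm-SecureBootUEFI are available.
#Requires -RunAsAdministrator

$findings = @()

# 1. BitLocker: TPM-only unlock is the configuration YellowKey targets, because WinRE can
#    mount the volume without user interaction. Require a PIN and/or startup key protector.
$os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $os -or $os.ProtectionStatus -ne 'On') {
    $findings += 'OS volume is not BitLocker-protected'
} else {
    $types   = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
    $preBoot = $types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey' }
    if (-not $preBoot) {
        $findings += "OS volume unlocks with TPM only (protectors: $($types -join ', '))"
    }
}

# 2. WinRE: report whether the recovery environment is still enabled on this host.
$reInfo = & reagentc.exe /info 2>&1
if ($reInfo -match 'Windows RE status:\s+Enabled') {
    $findings += 'WinRE is enabled; run "reagentc /disable" where it is not operationally required'
}

# 2 (cont.): Secure Boot must be on for the UEFI boot restrictions to hold.
#    Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled' }
} catch {
    $findings += 'Secure Boot state unavailable (legacy BIOS or unsupported firmware)'
}

# Summarise: one FINDING line per gap, or a single PASS line.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: pre-boot authentication, WinRE and Secure Boot checks satisfied'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it through your endpoint management tooling and collect the FINDING lines centrally to prioritise which hosts need the Group Policy change and the reagentc /disable step first.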

Conclusion

YellowKey and GreenPlasma represent a worst-case scenario for endpoint security teams: public exploit code, zero patches available, and attack vectors that bypass the two most relied-upon Windows security mechanisms — drive encryption and privilege separation. Saudi financial institutions cannot afford to wait for Microsoft's response. The defensive actions outlined above — pre-boot PIN enforcement, WinRE restriction, application control, and enhanced monitoring — can be deployed today and will materially reduce exposure to both exploits.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and endpoint hardening review tailored to these emerging threats.
