Morning Overview

A disgruntled researcher just dropped two Windows zero-days — one bypasses BitLocker and the other gives any user SYSTEM privileges

Sometime in the days after Microsoft shipped its May 2026 Patch Tuesday update, an anonymous security researcher published working exploit code for two unpatched Windows vulnerabilities. One, called YellowKey, bypasses BitLocker full-disk encryption to expose data that should be unreadable without proper credentials. The other, GreenPlasma, lets any authenticated local user escalate to SYSTEM, the highest privilege level Windows grants. Both arrived with proof-of-concept code anyone with moderate technical skill can run, and as of late May 2026, Microsoft has issued no patch, no advisory, and no public acknowledgment of either flaw.

The timing stings. Microsoft’s May Patch Tuesday addressed dozens of security issues but included no zero-day fixes, meaning there was no patch cycle already in motion to absorb these new disclosures. Any official remediation will likely require either an out-of-band emergency update or a wait until the June Patch Tuesday cycle, leaving a window of exposure that could stretch for weeks.

What YellowKey and GreenPlasma actually do

YellowKey targets BitLocker, the full-disk encryption tool built into Windows Pro and Enterprise editions. BitLocker is designed to protect data at rest, the scenario where a laptop is stolen, seized, or lost. Organizations across healthcare, finance, and government rely on it to satisfy encryption requirements under frameworks like HIPAA (which mandates encryption of electronic protected health information) and PCI-DSS (which requires encryption of stored cardholder data). A working bypass means that access to a machine’s hardware or recovery environment could be enough to read data the owner believed was encrypted. The exact preconditions are still being mapped: it is not yet clear whether YellowKey requires direct physical access, external boot media, or specific TPM or Secure Boot configurations to succeed.

GreenPlasma is a local privilege escalation exploit. On Windows, SYSTEM access means unrestricted control: the ability to install software, modify security policies, dump credentials, and pivot laterally across a network. An attacker who already holds a low-privilege foothold, gained through phishing, a compromised service account, or a shared workstation login, could use GreenPlasma to take full ownership of the host without tripping standard access-control barriers. In environments where users share devices or where local accounts are loosely managed, that kind of escalation can unravel domain-wide defenses quickly. As with YellowKey, the precise Windows versions and configurations vulnerable to GreenPlasma have not been formally cataloged.

The backstory: a pattern of uncoordinated disclosure

This is not the researcher’s first public confrontation with Microsoft. Weeks before the YellowKey and GreenPlasma releases, the same person published exploit details for three separate Microsoft Defender vulnerabilities, again bypassing the standard responsible-disclosure process and releasing code before Microsoft had patches ready. That earlier batch drew significant attention in the security community, both for the severity of the flaws and for the decision to go public without coordinating with the vendor.

The researcher’s motivations have been described in security news coverage as rooted in frustration with Microsoft’s vulnerability-handling timelines. Words like “disgruntled” and “angry” appear in those reports, but they are editorial characterizations, not direct quotes. The researcher has not published a signed blog post, given an interview, or released a formal disclosure timeline explaining the grievances. Their full identity, any institutional affiliation, and their prior history with Microsoft’s Security Response Center all remain unconfirmed. Whether they attempted to use Microsoft’s bug bounty program before going public is also unknown.

That ambiguity matters. Uncoordinated disclosures with working exploit code undeniably raise risk for every Windows user. But they also tend to emerge when researchers perceive, rightly or wrongly, that vendors sit on reported vulnerabilities for too long. Without more transparency from both sides, assigning blame is premature.

What independent sources confirm (and what they don’t)

The strongest piece of evidence is the proof-of-concept code itself. It is publicly accessible, which means defenders and attackers alike can test it against live systems. History shows that when working exploit code is available, the gap between disclosure and active exploitation narrows fast. Reporting from SecurityWeek and other outlets corroborates the timeline, exploit naming, and the connection to the earlier Defender disclosures. However, these stories draw from the same public posts and code repositories that defenders are already reviewing. No major institutional body (neither NIST’s National Vulnerability Database nor CISA) has published a severity rating or formal analysis as of late May 2026.

There is also no public evidence that either exploit has been used in real-world attacks yet. The availability of proof-of-concept code raises the probability of weaponization, particularly if criminal groups adapt it into polished toolkits, but confirmed in-the-wild exploitation has not been reported. That could change quickly.

Community reaction has been pointed. One commenter on a Hacker News thread about the disclosures wrote: “I think the Bitlocker ‘vuln’ is a good reminder not to use vendor provided encryption for any sensitive data.” That sentiment, while not expert analysis, reflects a real and growing skepticism about relying on a single vendor-controlled encryption layer for high-value data.

What defenders should do now

Even without a Microsoft advisory, the practical steps are fairly clear. For YellowKey, organizations that treat BitLocker as the sole encryption safeguard for sensitive data should reassess that posture immediately, especially for devices that could be physically lost or seized. Layering additional encryption at the file or application level (using tools like VeraCrypt for secondary volumes or application-native encryption for databases and archives) reduces dependence on any single mechanism. Reviewing TPM and Secure Boot configurations across the fleet is also prudent until the exact preconditions for YellowKey exploitation are better understood.

For GreenPlasma, the standard privilege-escalation mitigations apply with renewed urgency: minimize the number of accounts with interactive logon rights, enforce strict software restriction or application control policies, audit local group memberships, and monitor for unexpected privilege changes or new SYSTEM-level processes. Organizations using endpoint detection and response (EDR) tools should confirm their rulesets can flag the specific behaviors described in the proof-of-concept code.

Individual users and small businesses running Windows 11 Pro with BitLocker enabled should not panic, but they should avoid assuming their drive encryption is bulletproof until Microsoft clarifies the scope. Keeping systems fully updated, enabling Secure Boot, and using a strong BitLocker PIN (rather than relying solely on TPM-only unlock) are reasonable precautions in the interim.
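A single-host posture check covering the mitigations listed above (BitLocker protector type, Secure Boot and TPM state, local Administrators membership, and recent privileged logons), as an added example that is not the article's or Microsoft's code. It assumes an elevated Windows PowerShell session and uses only standard cmdlets (Get-BitLockerVolume, Confirm-SecureBootUEFI, Get-Tpm, Get-LocalGroupMember, Get-WinEvent); the 24-hour window and the Security event ID 4672 filter are this example's own choices.

```powershell
# Added example: read-only posture report for one Windows host.
# Run elevated; BitLocker and TPM queries need administrator rights.
$report = [ordered]@{}

# 1. BitLocker on the OS volume: which key protectors are in use?
#    TPM-only unlock has no pre-boot authentication; TpmPin (or TpmPinStartupKey)
#    adds a PIN the user must enter before the OS boots.
$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
$report['BitLockerProtection'] = $os.ProtectionStatus
$report['KeyProtectorTypes']   = ($types -join ', ')
$report['PreBootPinPresent']   = [bool](($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))

# 2. Secure Boot and TPM state (firmware preconditions worth knowing per host).
try   { $report['SecureBootEnabled'] = Confirm-SecureBootUEFI }
catch { $report['SecureBootEnabled'] = "unavailable: $($_.Exception.Message)" }
$tpm = Get-Tpm
$report['TpmPresent'] = $tpm.TpmPresent
$report['TpmReady']   = $tpm.TpmReady

# 3. Local Administrators membership: every member here already has a short path
#    to SYSTEM, so the list should be as small and as well-known as possible.
$report['LocalAdministrators'] = ((Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { "$($_.ObjectClass):$($_.Name)" }) -join ', ')

# 4. Privileged logons in the last 24 hours (Security event 4672,
#    "Special privileges assigned to new logon"). Properties[1] is SubjectUserName.
#    An ordinary user account appearing here unexpectedly deserves a closer look.
$since = (Get-Date).AddHours(-24)
$priv  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } `
             -ErrorAction SilentlyContinue)
$report['PrivilegedLogons24h'] = $priv.Count
$report['PrivilegedAccounts']  = (($priv | ForEach-Object { $_.Properties[1].Value } |
    Sort-Object -Unique) -join ', ')

[pscustomobject]$report | Format-List
```

Run it across a fleet through your management tooling and flag hosts where PreBootPinPresent is false, SecureBootEnabled is false, or LocalAdministrators contains anything beyond the expected break-glass accounts.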

Two unpatched attack paths, and the clock is running

The core reality is straightforward. Organizations and individuals running Windows now face two serious, publicly documented, unpatched attack paths: one against disk encryption, one against privilege boundaries. Microsoft has not acknowledged either flaw publicly, and no patch timeline exists. The proof-of-concept code is live, the technical barrier to reproduction is moderate, and the potential impact ranges from data exposure on a single stolen laptop to full domain compromise in a poorly segmented network.

Until Microsoft issues formal fixes and guidance, the exposure is real and the defensive burden falls entirely on the people running these systems. The June 2026 Patch Tuesday cycle is the earliest likely vehicle for an official fix, but an out-of-band update remains possible if exploitation is detected in the wild. For now, the prudent move is to treat both vulnerabilities as credible, layer defenses accordingly, and watch Microsoft’s Security Response Center for any signal that a response is coming.

*This article was researched with the help of AI, with human editors creating the final content.