Protect.Computer
NEWS

Unpatched Windows Zero-Days Let Attackers Bypass BitLocker and Gain Full Control

An anonymous security researcher known as “Nightmare Eclipse” has published working proof-of-concept exploits for two unpatched Windows vulnerabilities. The first, called YellowKey (tracked as CVE-2026-45585), allows an attacker with physical access to a computer to bypass BitLocker and read the contents of an encrypted drive — without needing the recovery key. The second, called GreenPlasma, allows any local user to silently escalate their privileges to SYSTEM level, which means full control over the operating system.

YellowKey works by placing specially crafted files on a USB drive or the computer’s EFI partition, then rebooting into Windows Recovery Environment (WinRE) and triggering a hidden shell that exposes BitLocker-protected storage. GreenPlasma exploits how Windows manages memory-section objects in certain system directories, allowing an unprivileged user to manipulate trusted services and take over the machine. Both exploits are publicly available, meaning technically skilled attackers can adapt them right now. Microsoft has not yet released patches for either flaw.

How to check if you’re affected

Affected versions include Windows 11 and Windows Server 2022/2025 — particularly those relying on a TPM-only BitLocker configuration (no PIN or USB key required at startup). Windows 10 is not confirmed affected by YellowKey at this time.

To reduce your risk while Microsoft works on a fix:

  • If you use BitLocker, add a startup PIN or a USB key to your BitLocker configuration so that physical access to the machine alone is not enough to unlock the drive.
  • Keep your computer in a physically secure location — YellowKey requires an attacker to reboot your machine with a prepared USB drive.
  • Microsoft has published a mitigation guide for YellowKey; check the Sources section below for the link.
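
To see whether a machine is in the TPM-only configuration described above, the following PowerShell audit lists the key protectors on the operating system volume. It is an added example, not code from the researcher or from Microsoft; the function name `Get-BitLockerStartupExposure` is made up for illustration, and it relies only on the built-in BitLocker cmdlets.

```powershell
# Added example (not from the article): flag OS volumes that BitLocker
# unlocks with the TPM alone. Run from an elevated PowerShell prompt,
# because Get-BitLockerVolume needs administrator rights.

# Protector types that require a PIN and/or startup key in addition to the TPM.
$preBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

# Hypothetical helper name; returns one finding per operating system volume.
function Get-BitLockerStartupExposure {
    foreach ($vol in Get-BitLockerVolume) {
        # Only the OS volume is unlocked at boot by a TPM protector.
        if ($vol.VolumeType.ToString() -ne 'OperatingSystem') { continue }

        # Collect protector type names, e.g. Tpm, TpmPin, RecoveryPassword.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $finding = if ($vol.ProtectionStatus.ToString() -ne 'On') {
            'BitLocker protection is off or suspended'
        } elseif ($types -contains 'Tpm') {
            'TPM-only: drive unlocks at boot with no PIN or USB key'
        } elseif (@($types | Where-Object { $_ -in $preBootTypes }).Count -gt 0) {
            'Pre-boot authentication (PIN and/or startup key) is configured'
        } else {
            'No TPM protector; review the protectors listed'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protectors = $types -join ', '
            Finding    = $finding
        }
    }
}

Get-BitLockerStartupExposure | Format-List

# Mitigation named in the article: add a startup PIN. The policy setting
# "Require additional authentication at startup" must allow TPM+PIN first.
# Uncomment to apply, then re-run the audit to confirm the finding changed.
# Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector `
#     -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
```

A `RecoveryPassword` entry in the protector list is normal and is not a startup unlock method; the finding depends on whether a bare `Tpm` protector is present.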

Sources