Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
Two Windows zero-days disclosed: YellowKey bypasses BitLocker via WinRE on Windows 11 / Server 2022/2025; GreenPlasma escalates to SYSTEM via CTFMON. Enable preboot BitLocker PIN as mitigation.
What’s new: Two new zero-day vulnerabilities have been disclosed affecting Windows systems: a BitLocker bypass (codenamed YellowKey) and a privilege escalation vulnerability (codenamed GreenPlasma). YellowKey allows attackers to bypass BitLocker encryption via the Windows Recovery Environment (WinRE), while GreenPlasma enables unprivileged users to create arbitrary memory sections, potentially leading to SYSTEM-level access.
Who’s affected
Windows 11 and Windows Server 2022/2025 are affected by YellowKey. GreenPlasma affects systems running the Collaborative Translation Framework loader (ctfmon.exe), the Text Services Framework component that ships with Windows, so it is not limited to a particular Windows release.
What to do
- Monitor Microsoft's release channels for patches addressing YellowKey and GreenPlasma; no fix is available at the time of disclosure.
- Until then, reduce exposure to the BitLocker bypass by requiring a TPM+PIN protector for preboot authentication: a WinRE-based unlock relies on the TPM releasing the volume key automatically, and a PIN stops that release until the user has authenticated.
- Consider migrating the boot manager to one signed by the Windows UEFI CA 2023 certificate and revoking the older Microsoft Windows Production PCA 2011 certificate (adding it to the Secure Boot forbidden database, DBX), so that older boot components signed by the 2011 CA can no longer be loaded.
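The following PowerShell is an added example for the two hardening steps above; it is not from the original advisory or from Microsoft. It assumes an elevated session on a Windows 11 or Server 2022/2025 host with a TPM and BitLocker already enabled on `C:`. The registry values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the ones the "Require additional authentication at startup" policy writes, and the two certificate subject strings are the names Microsoft uses for the 2023 CA and the 2011 PCA.

```powershell
# Added example, not part of the original advisory. Run elevated.
$ErrorActionPreference = 'Stop'
$osVolume = 'C:'

# Step 1: require TPM + PIN at startup via the FVE policy values
# (0 = do not allow, 1 = require, 2 = allow).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup  -Value 1 -Type DWord  # policy on
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM  -Value 0 -Type DWord  # no TPM-less fallback
Set-ItemProperty -Path $fve -Name UseTPM              -Value 0 -Type DWord  # TPM-only: not allowed
Set-ItemProperty -Path $fve -Name UseTPMPIN           -Value 1 -Type DWord  # TPM + PIN: required
Set-ItemProperty -Path $fve -Name UseTPMKey           -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN        -Value 0 -Type DWord

# Step 2: make sure a recovery password exists before touching TPM protectors,
# so a failed change cannot lock the machine out. Back it up out-of-band.
$vol = Get-BitLockerVolume -MountPoint $osVolume
if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector | Out-Null
}
$recovery = (Get-BitLockerVolume -MountPoint $osVolume).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password (store securely): $($recovery.RecoveryPassword)"

# Step 3: replace the PIN-less TPM protector with a TPM + PIN protector.
# The PIN is read interactively so it never lands in a script or shell history.
if (-not ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin')) {
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $osVolume -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    $pin = Read-Host -Prompt 'Enter new BitLocker preboot PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $osVolume -TpmAndPinProtector -Pin $pin | Out-Null
}

# Step 4: report Secure Boot certificate state. A host that still trusts only the
# 2011 PCA (no 2023 CA in db, 2011 PCA absent from dbx) has not completed the migration.
$db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

[pscustomobject]@{
    SecureBootEnabled   = Confirm-SecureBootUEFI
    UefiCa2023InDb      = [bool]($db  -match 'Windows UEFI CA 2023')
    Pca2011RevokedInDbx = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    OsVolumeProtectors  = ((Get-BitLockerVolume -MountPoint $osVolume).KeyProtector.KeyProtectorType -join ',')
}
```

Run it once per host and keep the printed recovery password in your escrow system (Active Directory, Intune or equivalent) before rebooting. The final object is what to collect fleet-wide: `TpmPin` should appear in `OsVolumeProtectors`, and both certificate flags should read `True` once the boot manager migration and DBX revocation have been applied through Microsoft's published update procedure.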