What YellowKey and GreenPlasma zero-day exploits reveal about trusting native Windows security
ID: 6204df5e-059b-5706-aa73-8d89cec68981
STIX ID: report--6204df5e-059b-5706-aa73-8d89cec68981
Feed Name: ThreatLocker Blog
On May 13, 2026, a researcher published proof-of-concept exploits for two unpatched Windows zero-days, YellowKey (a BitLocker WinRE bypass requiring physical access) and GreenPlasma (a local privilege escalation via CTFMON), affecting Windows 11 and Windows Server variants; no CVEs or patches exist yet. The report evaluates operational risk, emphasizing that YellowKey is constrained by its physical-access requirement while GreenPlasma aids post-compromise escalation, and provides mitigations including restricting removable media, locking boot/firmware, enforcing BitLocker PIN, application allowlisting, process ringfencing, and least-privilege controls.
