A security researcher known as Chaotic Eclipse just dropped proof-of-concept exploit code for two unpatched Windows zero-day vulnerabilities - and within 24 hours, threat actors were already using them in active attacks. The first, called YellowKey, bypasses BitLocker full-disk encryption on Windows 11 using nothing more than a specially crafted folder on a USB drive. The second, GreenPlasma, escalates privileges from a standard user to SYSTEM-level access through a trusted Windows process that runs on every interactive session.

There is no patch for either vulnerability. There is no CVE assignment. And the researcher has explicitly threatened to drop more zero-days next month if Microsoft's Security Response Center does not change how it handles vulnerability reports.

This is not a theoretical risk. Security firm Huntress confirmed that Nightmare-Eclipse tooling - the researcher's GitHub persona - has already been observed in real-world intrusions. The gap between disclosure and exploitation has collapsed to essentially zero, and every organization running Windows 11 or Windows Server 2022/2025 now faces a critical exposure window with no official fix in sight.

What YellowKey Does - and Why It Matters

YellowKey is a BitLocker bypass that targets the Windows Recovery Environment, commonly known as WinRE. BitLocker has long been the encryption backbone for Windows enterprise deployments, protecting data at rest on stolen or lost devices: the volume is only unlocked after the TPM validates the boot chain (TPM-only auto-unlock) or after a user supplies a PIN, startup key, password, or recovery key before the operating system boots.

YellowKey renders that protection meaningless under specific conditions.

How the Attack Works

The exploit is almost embarrassingly simple from a technical perspective. An attacker with physical access to a Windows 11 machine copies a specially crafted folder named "FsTx" to a USB drive and plugs it into the target system. After rebooting into WinRE - done by holding Shift while clicking Restart - the attacker releases Shift and holds Ctrl until a command prompt spawns with unrestricted access to the encrypted volume.

Key Takeaway: Multiple independent security researchers, including Kevin Beaumont, KevTheHermit, and Will Dormann, have tested and confirmed the exploit works against recent Windows 11 builds. No recovery key is required. No credentials are needed.

The Backdoor Question

What makes YellowKey particularly unsettling is not just that it works, but where the vulnerable component lives. Chaotic Eclipse noted that the component responsible for the bug exists only inside the WinRE image and cannot be found anywhere else - not even on the internet. The same component exists in standard Windows installations under the exact same name, but without the functionality that triggers the BitLocker bypass.

"Why? I just can't come up with an explanation beside the fact that this was intentional," the researcher wrote in the GitHub repository for YellowKey.

Microsoft has not addressed this claim, and independent researchers have not verified whether the component was deliberately designed with this capability. But the question alone is enough to erode trust in an encryption system that enterprises have relied on for over a decade.

Key Takeaway: YellowKey does not require remote access, stolen credentials, or malware. It requires physical access and a USB drive. That makes it a high-risk threat for field devices, shared workstations, laptops, and any endpoint that leaves the physical perimeter of your organization.

GreenPlasma: The Privilege Escalation Companion

While YellowKey opens the door to encrypted data, GreenPlasma opens the door to full system control. It targets CTFMON - the Collaborative Translation Framework Monitor - a trusted Windows process that runs as SYSTEM in every interactive session to handle text input services.

The Attack Path

GreenPlasma manipulates registry settings and object manager permissions to plant an arbitrary memory section object in an object manager directory (a kernel namespace directory, not a filesystem folder) that is normally writable only by SYSTEM. Because CTFMON is trusted, its interaction with that object is treated as legitimate. The result is a path to SYSTEM-level privileges starting from an unprivileged user account.

The published proof-of-concept is intentionally incomplete. Under default configurations, it still triggers a UAC consent prompt. But the researchers who have reviewed it do not consider this a meaningful limitation.

"Even with limitations around the current proof-of-concept, any path toward System-level privileges deserves close scrutiny," said Joshua Roback, principal security solution architect at Swimlane. "If fully exploited, that kind of escalation could allow attackers to disable protections, manipulate trusted processes, deploy malware, or use the compromised machine as a stepping stone into the broader environment."

Key Takeaway: Chaotic Eclipse withheld the full exploit code required to achieve a complete SYSTEM shell, but stated explicitly that skilled attackers can still turn the flaw into full privilege escalation. The GitHub repository for GreenPlasma has already attracted significant attention from the security research community.

Common Mistake: Treating incomplete proof-of-concept code as low priority. History shows repeatedly that published partial exploits become fully weaponized within days or weeks. BlueHammer - another Chaotic Eclipse zero-day from April - was actively exploited four days before Microsoft patched it.

The Researcher Behind the Disclosures

Chaotic Eclipse, who also publishes under the name Nightmare-Eclipse on GitHub, has a clear pattern. The researcher reports vulnerabilities to Microsoft through official channels, becomes dissatisfied with the response, and then publishes working exploit code publicly.

From BlueHammer to YellowKey

In April 2026, Chaotic Eclipse published BlueHammer - a Windows Defender vulnerability that turned Microsoft's own update workflow into a credential theft mechanism. Threat actors started exploiting it four days before Microsoft released a patch. The researcher followed up with RedSun and UnDefend, two additional Microsoft Defender flaws. Only BlueHammer has been patched.

"Microsoft has chosen to make this worse instead of resolving the situation like adults," Chaotic Eclipse said in a statement accompanying the YellowKey and GreenPlasma releases. "They pulled every childish game possible. My patience is running out. You're making everyone else pay for it."

The researcher has now issued a direct warning to Microsoft: "Next Patch Tuesday will have a big surprise for you, Microsoft. And remember, I never failed to deliver a promise."

The Disclosure Debate

The cybersecurity community is divided on Chaotic Eclipse's tactics. Coordinated vulnerability disclosure - where researchers give vendors time to patch before going public - is the industry standard for good reason. It protects users while still allowing researchers to claim credit and maintain pressure on vendors.

But when researchers feel vendors are unresponsive, dismissive, or actively obstructive, some choose full disclosure as a form of accountability. Chaotic Eclipse appears to have landed firmly in the second camp, and the result is that millions of Windows users are now exposed to actively exploited vulnerabilities with no patch available.

Pro Tip: Regardless of where you stand on the disclosure ethics debate, the operational reality is the same: your organization now has unpatched Windows zero-days in active exploitation. Focus on mitigation and detection, not on assigning blame.


Active Exploitation Confirmed

The most alarming development is not that the zero-days exist. It is how quickly they moved from GitHub repositories to real-world attacks.

Huntress Confirms Real-World Use

Security firm Huntress reported that Nightmare-Eclipse tooling has been observed in actual intrusions. While the firm did not share detailed victim information, the confirmation that these exploits are already in active use changes the risk calculation dramatically.

Forbes reported that both YellowKey and GreenPlasma "have already been used in active attack campaigns" within 24 hours of the public proof-of-concept being published. This compression of the exploit timeline - from disclosure to weaponization to active use in a single day - is becoming the new normal in cybersecurity.

The AI Acceleration Factor

Gavin Knapp, cyber threat intelligence principal lead at Bridewell, noted that the rapid discovery and weaponization of these vulnerabilities is "likely due to skilled researchers leveraging AI to expedite and scale vulnerability research and exploit development."

This is the other side of the AI security coin that dominated headlines this week. While Microsoft, Palo Alto Networks, and OpenAI are racing to deploy AI for defensive vulnerability discovery, independent researchers and threat actors are using the same capabilities to find and exploit flaws faster than vendors can patch them.

Key Stat: Microsoft patched 138 vulnerabilities in its May 2026 Patch Tuesday - the second-largest volume in history - and is on pace to shatter the 2020 record of 1,245 annual patches. The sheer volume suggests that vulnerability discovery is accelerating across the board, driven in part by AI-assisted analysis.

What Organizations Should Do Right Now

With no patch available for either vulnerability, organizations must rely on compensating controls and immediate risk mitigation. Here are the practical steps security teams should take today.

Mitigating YellowKey

Because YellowKey requires physical access, the mitigation strategy focuses on controlling who can touch your devices and what they can do:

  • Restrict booting from removable media in BIOS/UEFI settings and password-protect the firmware setup menu. Note that, as described, YellowKey boots the on-disk WinRE via Shift+Restart and only reads the crafted folder from the USB drive, so this control alone does not close the path; it does block an attacker from booting their own recovery media and removes adjacent physical-access attacks.
  • Replace TPM-only auto-unlock with a TPM+PIN pre-boot protector. Chaotic Eclipse confirmed that YellowKey bypasses TPM-only configurations; a bypass for TPM+PIN was not published, so the PIN may provide additional protection depending on how WinRE handles the volume.
  • Audit field devices and shared workstations immediately. These are the highest-risk targets for physical-access attacks.
  • Implement full-disk encryption alternatives for high-risk devices where BitLocker cannot be trusted until patched.
  • Review device physical security - laptops, tablets, and any mobile endpoint should be treated as potentially compromisable if an attacker gains brief physical access.
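The audit below is an added example, not code from the Chaotic Eclipse repositories or from Microsoft. It reports, for one BitLocker volume, which key protector types are present (flagging the TPM-only configuration the page says YellowKey bypasses), whether a recovery password exists so the device stays recoverable, and whether WinRE is enabled on the device, since the page reports the vulnerable component lives only in the WinRE image. With -Remediate it switches the volume to TPM+PIN. It assumes an elevated session on stock Windows 11 with the BitLocker module and reagentc.exe present; the function names, the -Remediate switch, and the English-language match on reagentc output are this example's own choices.

```powershell
# Added example: BitLocker protector and WinRE audit for the YellowKey exposure window.
# Assumes: elevated PowerShell, BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector),
# reagentc.exe. Function/parameter names below are this example's own, not Microsoft's.
[CmdletBinding()]
param(
    [switch]$Remediate,                      # report-only unless set
    [string]$MountPoint = $env:SystemDrive   # volume to audit, e.g. "C:"
)

function Get-BitLockerProtectorReport {
    param([string]$MountPoint)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    # TpmPin / TpmPinStartupKey protectors require a PIN before the TPM releases the key.
    $hasPin = [bool]($types | Where-Object { $_ -like 'TpmPin*' })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = [string]$vol.VolumeStatus
        ProtectionStatus = [string]$vol.ProtectionStatus
        ProtectorTypes   = $types -join ', '
        TpmOnly          = ($types -contains 'Tpm') -and -not $hasPin   # the configuration YellowKey is reported to bypass
        HasRecoveryPwd   = $types -contains 'RecoveryPassword'
    }
}

function Get-WinREStatus {
    # reagentc /info prints a line such as "Windows RE status:  Enabled" (English builds; assumption).
    $status = 'Unknown'
    foreach ($line in (& reagentc.exe /info 2>&1)) {
        if ($line -match 'Windows RE status:\s*(\S+)') { $status = $Matches[1]; break }
    }
    $status
}

function Set-TpmPinProtector {
    param([string]$MountPoint, [securestring]$Pin)
    $before = Get-BitLockerProtectorReport -MountPoint $MountPoint
    # Never leave the volume without an escrowed recovery path before changing protectors.
    if (-not $before.HasRecoveryPwd) {
        throw "No recovery password protector on $MountPoint; add and escrow one before changing protectors."
    }
    # BitLocker refuses a startup PIN unless policy allows it. In managed fleets set this via GPO/Intune
    # rather than writing the policy key directly; the values are the documented FVE policy values.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # 1 = Require, 2 = Allow
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    $after = Get-BitLockerProtectorReport -MountPoint $MountPoint
    # Only one TPM-based protector should remain; warn if the TPM-only one is still present.
    if ($after.TpmOnly -or ($after.ProtectorTypes -split ', ') -contains 'Tpm') {
        Write-Warning "A TPM-only protector is still present on $MountPoint; remove it with Remove-BitLockerKeyProtector."
    }
    $after
}

$report = Get-BitLockerProtectorReport -MountPoint $MountPoint
$report | Add-Member -NotePropertyName WinREStatus -NotePropertyValue (Get-WinREStatus)
$report | Format-List

if ($report.TpmOnly) {
    Write-Warning "$MountPoint unlocks with TPM only; YellowKey is reported to bypass this configuration."
    if ($Remediate) {
        $pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'
        Set-TpmPinProtector -MountPoint $MountPoint -Pin $pin | Format-List
    }
}
```

Run it read-only first across a sample of field devices and compare the ProtectorTypes and WinREStatus columns; the page does not claim that disabling WinRE blocks YellowKey, so the WinRE status is reported only so you know which devices carry the affected image. The remediation path deliberately refuses to run when no recovery password protector exists, because a TPM+PIN rollout that locks users out is its own incident.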

Mitigating GreenPlasma

GreenPlasma is a post-compromise privilege escalation tool, which means the attacker already needs code execution as a standard user on the system. The mitigation strategy focuses on limiting what they can do once inside:

  • Apply the principle of least privilege aggressively. Standard users should not have administrative rights unless absolutely necessary.
  • Monitor for UAC elevation anomalies and privilege escalation attempts through endpoint detection and response tools.
  • Restrict CTFMON execution where possible. In environments where text input services are not required, consider disabling or restricting the process. Be aware that ctfmon.exe is part of the Text Services Framework that keyboard layouts and IMEs depend on, and the operating system's text-input service restarts it, so simply killing the process is neither durable nor free of user impact; test any restriction before deploying it.
  • Segment your network so that a compromised endpoint cannot easily move laterally to critical systems.
  • Deploy behavioral detection that flags unusual SYSTEM-level process interactions, particularly involving memory section objects and registry modifications.
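The hunt below is an added example, not code from the Nightmare-Eclipse repositories or from Microsoft, and it illustrates the "unusual SYSTEM-level process interactions" bullet above. Its premise is that ctfmon.exe does not normally spawn child processes, so a process created with ctfmon.exe as its parent and running as SYSTEM is worth triage whether or not the final GreenPlasma chain looks exactly like this. It reads Security event 4688 (process creation), which assumes Audit Process Creation is enabled (and command-line auditing if you want the CommandLine field), and rights to read the Security log. The detection rule is kept in its own function and exercised on two constructed records so the logic can be checked offline; the function names are this example's own.

```powershell
# Added example: hunt for SYSTEM child processes of ctfmon.exe in Security event 4688.
# Assumes: Audit Process Creation enabled, rights to read the Security log.
# Function names and the sample records are this example's own (constructed, not real telemetry).

function ConvertTo-EventFields {
    # Flatten a 4688 event's <EventData> into a hashtable keyed by the Data Name attribute.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields['TimeCreated'] = $Event.TimeCreated
    $fields
}

function Test-SuspiciousCtfmonChild {
    # Rule: parent is ctfmon.exe AND the new process is created by or for SYSTEM (S-1-5-18).
    param([hashtable]$F)
    $parentIsCtfmon = $F['ParentProcessName'] -like '*\ctfmon.exe'
    $runsAsSystem   = ($F['SubjectUserSid'] -eq 'S-1-5-18') -or ($F['TargetUserSid'] -eq 'S-1-5-18')
    [bool]($parentIsCtfmon -and $runsAsSystem)
}

function Find-SuspiciousCtfmonChildren {
    param([int]$Hours = 24)
    # The event-log XPath subset can filter on EventID and timediff(), but has no string
    # functions, so the parent-name check happens in PowerShell after retrieval.
    $ms    = [int64]$Hours * 3600 * 1000
    $xpath = "*[System[EventID=4688 and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventFields $_ } |
        Where-Object  { Test-SuspiciousCtfmonChild $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_['TimeCreated']
                Parent = $_['ParentProcessName']
                Child  = $_['NewProcessName']
                Cmd    = $_['CommandLine']
                User   = "$($_['SubjectDomainName'])\$($_['SubjectUserName'])"
            }
        }
}

# Constructed sample records (not captured from a real host) showing what the rule flags.
$samples = @(
    @{ ParentProcessName = 'C:\Windows\System32\ctfmon.exe'; NewProcessName = 'C:\Windows\System32\cmd.exe'
       SubjectUserSid = 'S-1-5-18'; SubjectUserName = 'SYSTEM'; SubjectDomainName = 'NT AUTHORITY'; CommandLine = 'cmd.exe' },
    @{ ParentProcessName = 'C:\Windows\explorer.exe'; NewProcessName = 'C:\Windows\System32\notepad.exe'
       SubjectUserSid = 'S-1-5-21-1-2-3-1001'; SubjectUserName = 'alice'; SubjectDomainName = 'CORP'; CommandLine = 'notepad.exe' }
)
foreach ($s in $samples) {
    '{0,-5} {1} -> {2}' -f (Test-SuspiciousCtfmonChild $s), $s.ParentProcessName, $s.NewProcessName
}
# Expected: the ctfmon.exe -> cmd.exe record is True, the explorer.exe -> notepad.exe record is False.

# Live hunt over the last 24 hours on this host.
Find-SuspiciousCtfmonChildren | Format-Table -AutoSize
```

If you run Sysmon, the same rule maps onto Event ID 1 with ParentImage ending in \ctfmon.exe and User of NT AUTHORITY\SYSTEM, and is cheaper to run centrally than pulling 4688 from every endpoint. Treat hits as triage leads, not verdicts: the page describes GreenPlasma's mechanism (a planted section object that a trusted ctfmon.exe consumes), not the exact process tree a finished exploit produces, so pair this with the UAC-anomaly monitoring and registry-change detection listed above.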

Pro Tip: The combination of YellowKey and GreenPlasma forms a complete attack chain: YellowKey opens the encrypted drive, GreenPlasma provides SYSTEM-level privileges on top of that. Organizations with high-value data on Windows 11 endpoints should assume both vulnerabilities may be used together and plan defenses accordingly.

The Bigger Picture: When Trusted Components Become the Attack Surface

YellowKey and GreenPlasma are not isolated bugs. They are the latest examples of a pattern that security teams have been struggling with for years: trusted, native, signed Windows components becoming the primary attack surface.

WinRE, CTFMON, and the Trust Problem

WinRE is supposed to be a recovery tool. CTFMON is supposed to handle text input. Both are deeply embedded in Windows, signed by Microsoft, and trusted by the operating system at the highest levels. When these components contain vulnerabilities, traditional security tools often struggle to detect exploitation because the activity looks legitimate - it is coming from a trusted process.

This is exactly why threat actors increasingly target native Windows components rather than third-party software. The trust model works against defenders. A shell spawned from WinRE does not trigger antivirus alerts. A SYSTEM escalation through CTFMON does not look like malware.

The Patch Tuesday Problem

Chaotic Eclipse deliberately timed the YellowKey and GreenPlasma disclosures for May 13, 2026 - one day after Microsoft's May Patch Tuesday. This means organizations now face a full month until the next scheduled patch cycle, assuming Microsoft even addresses these vulnerabilities in June.

The researcher has explicitly threatened to repeat this pattern. "Next Patch Tuesday will have a big surprise for you, Microsoft." If this pattern continues, organizations may find themselves in a perpetual state of exposure between disclosure and patch, with no ability to close the gap through normal update channels.

Key Stat: The May 2026 Patch Tuesday addressed 138 vulnerabilities, including critical flaws in Netlogon, Office, Word, and SharePoint. None of the Chaotic Eclipse zero-days were included, despite BlueHammer being known since April and RedSun and UnDefend remaining unpatched.


What Microsoft Says

Microsoft issued a statement to SecurityWeek acknowledging the purported vulnerabilities and stating that the company is "actively investigating the validity and potential applicability of these claims across our platforms and services."

The company emphasized its commitment to investigating reported security issues and updating impacted products "as soon as possible," and noted that it "supports coordinated vulnerability disclosure."

What Microsoft did not say is when - or if - patches for YellowKey and GreenPlasma will be released. Given that RedSun and UnDefend from April remain unpatched, organizations should not assume a quick resolution.

How This Fits Into the AI Security Landscape

This week's cybersecurity news has been dominated by AI - Microsoft MDASH finding 16 Windows vulnerabilities, Palo Alto Networks discovering 75 flaws with frontier AI models, OpenAI launching its Daybreak defensive platform. YellowKey and GreenPlasma represent the flip side of that narrative.

AI for Attack, Not Just Defense

While major vendors are racing to deploy AI for vulnerability discovery, independent researchers and threat actors are using the same technology to find and exploit flaws faster than ever. Chaotic Eclipse's rapid-fire zero-day releases - BlueHammer in April, YellowKey and GreenPlasma in May, with more promised for June - suggest an acceleration in discovery that mirrors what the defensive side is reporting.

The difference is that defenders must find and patch every vulnerability. Attackers only need to find one that works.

The Disclosure Timeline Collapse

Traditional vulnerability management assumes a timeline measured in weeks or months: researcher finds bug, reports to vendor, vendor develops patch, patch is tested and released, organizations deploy. That timeline has collapsed to days or hours for zero-days that are publicly disclosed without coordination.

When proof-of-concept code is published on GitHub and actively exploited within 24 hours, the traditional patch cycle becomes irrelevant. Organizations need real-time detection, behavioral monitoring, and compensating controls - not just a monthly patching cadence.

Key Takeaway: The AI security era is not just about defenders using AI to find vulnerabilities faster. It is about a fundamental acceleration of the entire vulnerability lifecycle - discovery, disclosure, exploitation, and patching - that requires a completely different defensive posture.

What Happens Next

The immediate future depends on three unknowns: whether Microsoft patches these vulnerabilities in June, whether Chaotic Eclipse follows through on the threat to drop more zero-days, and whether threat actors develop more sophisticated exploit chains combining YellowKey, GreenPlasma, and other unpatched flaws.

The June Patch Tuesday Watch

Security teams should treat Microsoft's June Patch Tuesday as a critical event. If YellowKey and GreenPlasma are not addressed, organizations will face a second month of exposure with no official fix. If they are patched, the focus will shift to rapid deployment - which itself is a challenge for large enterprises with complex testing and rollout procedures.

The Escalation Risk

Chaotic Eclipse has already expanded the scope of disclosures beyond Microsoft. The researcher warned that "other companies" may be dragged into the dispute, suggesting that future zero-days could target additional vendors. This escalation risk means security teams should not focus exclusively on Windows - other platforms and products may face similar unpatched disclosures.

The Long-Term Shift

The underlying trend is clear: vulnerability discovery is accelerating, disclosure norms are fracturing, and the gap between discovery and exploitation is approaching zero. Organizations that rely on monthly patching cycles, signature-based detection, and perimeter-focused security models will not keep pace.

The defenses that matter now are:

  • Behavioral detection that flags anomalous activity regardless of whether it comes from a trusted process
  • Zero-trust architecture that assumes compromise and limits lateral movement
  • Rapid containment capabilities that can isolate affected endpoints in minutes, not hours
  • Alternative encryption strategies for high-risk devices where native full-disk encryption cannot be trusted

Conclusion

YellowKey and GreenPlasma are more than two unpatched Windows zero-days. They are a case study in how quickly the vulnerability landscape is shifting, how fragile trust in native security components can be, and how the traditional patch-cycle model is breaking under the strain of accelerated discovery and disclosure.

A single researcher with a grievance against a vendor's disclosure process has now exposed millions of Windows 11 devices to active exploitation - not through sophisticated nation-state tradecraft, but through publicly available proof-of-concept code published on GitHub. The fact that this is possible, and that exploitation begins within 24 hours, should be a wake-up call for every organization that still treats Patch Tuesday as its primary security control.

The mitigations are available. They are not perfect, and they require effort. But they are the only protection available until Microsoft releases official patches - and given the researcher's history and explicit threats, there may be more zero-days coming before those patches arrive.

Your organization's ability to detect anomalous behavior, restrict physical access to endpoints, segment networks, and respond rapidly to compromise is now more important than your ability to install patches on schedule. The security model is shifting from "patch everything" to "assume breach and minimize damage." YellowKey and GreenPlasma are just the latest reminders that this shift is not optional. It is survival.