Windows BitLocker "YellowKey" + CTFMON "GreenPlasma" — public PoC, no patch, TPM-only BitLocker bypassed
From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17
If you did nothing this week: every Windows endpoint configured with TPM-only BitLocker (no PIN, no startup key; the most common laptop configuration in Swiss federal and cantonal estates) can be bypassed by an attacker with brief physical access using the publicly disclosed YellowKey PoC, and every Windows endpoint running the CTFMON component (ctfmon.exe, the Text Services Framework loader, started by default on Windows 10/11/Server 2022/2025) is exposed to local elevation of privilege via the GreenPlasma primitive. Both zero-days were disclosed without coordinated vendor patching: Microsoft's May 2026 Patch Tuesday (120+ CVEs) addressed neither, and no out-of-band advisory has been issued (daily 2026-05-15).
The operational reality for Swiss public-sector defenders is that the laptop full-disk-encryption story is materially weakened until Microsoft ships a fix. The interim guidance is to enforce TPM+PIN or TPM+startup key on every endpoint where physical-access risk is non-trivial (mobile estates, off-site work, hotel travel). The GPO is Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Require additional authentication at startup, with "Configure TPM startup" set to "Do not allow TPM" so that a TPM-only protector is no longer acceptable. Two caveats for the rollout: the policy only constrains which protectors may be created, so volumes already encrypted with TPM-only keep that protector until it is explicitly replaced on each machine, and a recovery password must be escrowed before any protector is changed, or a failed conversion locks the user out. For GreenPlasma the only available control is privileged-account-segregation discipline: workstations that handle administrative credentials should not also run unprivileged user workloads where the local EoP can be staged.
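The audit-and-remediate pass implied by the BitLocker guidance above, as an added example written for this brief (not code from the brief, from Microsoft, or from any vendor advisory). It reads the OS volume's key protectors, writes the registry values behind the "Require additional authentication at startup" GPO locally (assumption: in production the same values are pushed by GPO or Intune rather than set per host), escrows a recovery password to AD DS (assumption; Entra-joined estates would use BackupToAAD-BitLockerKeyProtector instead), and then replaces the TPM-only protector with TPM+PIN. The `laptops.txt` host list and the interactive PIN prompt are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example for the CTI brief, not the brief's own code. Assumptions are marked inline.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-OsVolumeProtectorState {
    # One record per host: which protector types guard the OS volume and whether it is TPM-only.
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
    $hasTpmCombo = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MountPoint     = $vol.MountPoint
        Protection     = $vol.ProtectionStatus
        ProtectorTypes = ($types -join ',')
        TpmOnly        = (($types -contains 'Tpm') -and -not $hasTpmCombo)
        HasRecoveryPwd = ($types -contains 'RecoveryPassword')
    }
}

function Set-PreBootAuthPolicy {
    # Mirrors Computer Configuration > Administrative Templates > Windows Components >
    # BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup.
    # The four "Configure TPM ..." drop-downs map to DWORDs: 0 = do not allow, 1 = require, 2 = allow.
    # TPM alone becomes "do not allow"; PIN, startup key, or both stay "allow", so either satisfies the policy.
    New-Item -Path $FvePolicy -Force | Out-Null
    $values = @{
        UseAdvancedStartup = 1   # policy enabled
        EnableBDEWithNoTPM = 0   # do not permit BitLocker without a compatible TPM
        UseTPM             = 0   # TPM only: do not allow
        UseTPMPIN          = 2   # TPM + PIN: allow
        UseTPMKey          = 2   # TPM + startup key: allow
        UseTPMKeyPIN       = 2   # TPM + startup key + PIN: allow
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $FvePolicy -Name $name -Value $values[$name] -Type DWord
    }
    Get-ItemProperty -Path $FvePolicy |
        Select-Object UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN
}

function ConvertTo-TpmAndPinProtector {
    # Replaces a TPM-only protector with TPM+PIN on an already-encrypted OS volume.
    # The policy above only gates new protectors; this is the per-host remediation step.
    param([Parameter(Mandatory)][securestring]$Pin)   # must satisfy the estate's minimum PIN length policy
    $state = Get-OsVolumeProtectorState
    if (-not $state.TpmOnly) { return $state }        # nothing to do on this host
    $mp = $state.MountPoint

    # 1. Never touch protectors without an escrowed recovery password.
    if (-not $state.HasRecoveryPwd) {
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    }
    $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    # Assumption: AD DS escrow. Entra-joined hosts use BackupToAAD-BitLockerKeyProtector instead.
    Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # 2. Add TPM+PIN, then remove any TPM-only protector that is still present rather than
    #    relying on BitLocker to drop it for us.
    Add-BitLockerKeyProtector -MountPoint $mp -TpmAndPinProtector -Pin $Pin | Out-Null
    (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    Get-OsVolumeProtectorState
}

# Usage (interactive; in production the PIN is set per user under the estate's PIN policy):
#   Set-PreBootAuthPolicy
#   ConvertTo-TpmAndPinProtector -Pin (Read-Host -AsSecureString 'Pre-boot PIN')
# Fleet audit of TPM-only hosts before remediation (laptops.txt is a placeholder host list):
#   Invoke-Command -ComputerName (Get-Content .\laptops.txt) -ScriptBlock ${function:Get-OsVolumeProtectorState} |
#       Where-Object TpmOnly | Format-Table ComputerName, ProtectorTypes, Protection
```

The audit function is the part to run first across the estate: it is the only way to know how many hosts the YellowKey exposure actually covers, since a GPO report shows policy, not the protector type that is live on disk. The conversion step is deliberately ordered so that the recovery password exists and is escrowed before the TPM-only protector is removed; a PIN that does not meet the configured minimum length, or a host where the backup fails, stops at that step with the original protector still intact.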