Zero-Day Exploit Bypasses Windows 11 BitLocker in Seconds

Key Takeaways

- YellowKey exploit bypasses default BitLocker protection on Windows 11 with physical access
- Attack uses a custom FsTx folder on a USB drive to skip the BitLocker recovery key requirement
- Security researchers Kevin Beaumont and Will Dormann have independently confirmed the exploit works
What Is the YellowKey Exploit?
A zero-day exploit published this week allows anyone with physical access to a Windows 11 system to bypass BitLocker encryption and read, copy, modify, or delete all drive contents. The attack takes seconds to execute.
The exploit, named YellowKey, was released by a researcher using the alias Nightmare-Eclipse. It defeats the default Windows 11 deployment of BitLocker, Microsoft's full-volume encryption, which protects disk contents from anyone without the decryption key. In that default configuration the key is sealed to the system's trusted platform module (TPM) and released automatically at boot; the user supplies no PIN or password, so the boot path alone decides whether the volume unlocks.
BitLocker is mandatory for many organizations, including government contractors. This exploit puts those protections at risk for any device an attacker can physically reach.
How the Attack Works
The attack is straightforward. An attacker copies a custom FsTx folder from the Nightmare-Eclipse exploit page to a USB drive formatted as NTFS or FAT, connects the USB drive to the target device, powers it on, and immediately holds down the Ctrl key. This takes them to Windows Recovery.
There's an alternate path: boot into Windows, hold Shift, click the power icon, and click restart. Or just power on the device and force a restart as Windows begins loading; repeated interrupted boots drop the machine into automatic repair, which is part of the same recovery environment. Either way, the attacker lands at a command prompt.
In a normal Windows Recovery flow, the system would demand a BitLocker recovery key before granting access to the encrypted drive. YellowKey skips this safeguard entirely: the recovery command prompt gets full read and write access to the unlocked volume.

What Causes the Bypass?
The technical mechanism remains partially unclear. The exploit centers on a custom FsTx folder. Online documentation for this folder is sparse, but it appears to involve what Microsoft calls Transactional NTFS. This feature lets developers achieve "transactional atomicity" for file operations across single or multiple files.
Security researcher Will Dormann noted that Transactional NTFS uses the Common Log File System (CLFS) under the hood. He pointed out that Windows' fstx.dll contains code that explicitly looks for \System Volume Information\FsTx in a function called FsTxFindSessions().
The custom FsTx directory used in YellowKey shows file paths including \??\C:\Windows\win.ini and \??\X:\Windows\System32\winpeshl.ini. According to Dormann, X:\Windows\System32\winpeshl.ini controls what Windows Recovery Environment (WinRE) does when it starts. This appears to be the hook that lets the exploit skip the recovery key check.
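The paths above are the only indicators the write-up gives, and they are enough to hunt with. The following PowerShell is an added example, not code from the article or from the Nightmare-Eclipse release: it walks every mounted volume, looks for an FsTx directory at the root or under \System Volume Information (the location fstx.dll searches, per Dormann), and flags any file inside that carries the winpeshl.ini or win.ini NT path. It assumes the folder name FsTx and that the embedded paths are stored as plain ASCII or UTF-16LE text; both assumptions are labelled in the code, and it must run elevated because System Volume Information is ACL-protected.

```powershell
# Added hunting example, not code from the article or from Nightmare-Eclipse.
# Assumptions (labelled): the staged folder is named FsTx and sits either at a
# drive root or under \System Volume Information (the path fstx.dll searches in
# FsTxFindSessions(), per Dormann); the embedded NT paths are stored as plain
# ASCII or UTF-16LE text. Run elevated: System Volume Information is ACL-protected.

function Find-FsTxArtifacts {
    [CmdletBinding()]
    param(
        # Volumes to inspect; defaults to every ready drive, fixed and removable.
        [System.IO.DriveInfo[]]$Drive = ([System.IO.DriveInfo]::GetDrives() | Where-Object IsReady),

        # Strings from the article's description of the custom FsTx directory.
        [string[]]$Indicator = @('\??\X:\Windows\System32\winpeshl.ini', '\??\C:\Windows\win.ini')
    )

    foreach ($d in $Drive) {
        $root = $d.RootDirectory.FullName
        $candidates = @(
            (Join-Path $root 'FsTx'),
            (Join-Path $root 'System Volume Information\FsTx')
        )

        foreach ($dir in $candidates) {
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

            $files = Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue
            foreach ($f in $files) {
                try { $bytes = [System.IO.File]::ReadAllBytes($f.FullName) }
                catch { Write-Warning "Unreadable: $($f.FullName) ($($_.Exception.Message))"; continue }

                # Decode both ways: an ASCII decode of UTF-16LE text reads "w.i.n." and
                # would miss a match, so each encoding is checked separately.
                $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
                $utf16 = [System.Text.Encoding]::Unicode.GetString($bytes)
                $hits  = @($Indicator | Where-Object {
                    $ascii.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 -or
                    $utf16.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
                })

                [pscustomobject]@{
                    Drive      = $root
                    DriveType  = $d.DriveType      # removable media carrying FsTx is the staging device
                    FileSystem = $d.DriveFormat    # NTFS or FAT, both usable per the article
                    Directory  = $dir
                    File       = $f.FullName
                    SizeBytes  = $f.Length
                    Indicators = ($hits -join '; ')
                    # An FsTx directory with no WinRE indicator may be ordinary TxF state
                    # left by an application; one on removable media is worth a look anyway.
                    Suspicious = ($hits.Count -gt 0 -or $d.DriveType -eq 'Removable')
                }
            }
        }
    }
}

# Usage: Find-FsTxArtifacts | Where-Object Suspicious | Format-Table -AutoSize
```

A hit on the X:\ winpeshl.ini path is the strong signal, since X: only exists inside the WinRE RAM disk and no ordinary application transaction would reference it. External SSDs often enumerate as Fixed rather than Removable, so do not rely on the drive type alone.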
Independent Confirmation
Multiple security researchers have verified that YellowKey works as described. Kevin Beaumont and Will Dormann both confirmed the exploit independently. Their validation means this is not a theoretical vulnerability or a hoax. It's a working attack.
Microsoft has not yet issued a patch or public statement about YellowKey. Organizations relying on default BitLocker configurations should treat this as an active threat for any device that could be physically accessed by an attacker.
Who Is at Risk?
The exploit requires physical access. Remote attackers cannot use it. But the threat model for many organizations includes device theft, malicious insiders, or "evil maid" attacks where an adversary briefly accesses an unattended laptop.
Government contractors, financial institutions, healthcare organizations, and any company handling sensitive data on laptops should be concerned. BitLocker's entire purpose is to protect data if a device is lost or stolen. YellowKey defeats that protection on default configurations.
Logicity's Take
What Can Organizations Do Now?
While waiting for a Microsoft patch, organizations have limited options. Strict physical security is the most direct mitigation. Do not leave BitLocker-protected devices unattended in public spaces or accessible offices.
Some security teams may want to explore non-default BitLocker configurations. Requiring a pre-boot PIN or a startup key together with the TPM (TPM+PIN or TPM+startup key) instead of TPM-only protection means the volume key is not released until the user supplies a secret, which changes the attack surface; whether it blocks YellowKey has not been confirmed. These configurations also introduce usability tradeoffs and may not be feasible for all deployments.
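Before deciding on that tradeoff, teams need to know which machines are actually in the TPM-only state. The PowerShell below is an added example, not code from the article: the first function reports, per volume, which key protectors are present and whether the OS volume is TPM-only with no pre-boot authenticator; the second shows the move to TPM+PIN that the article calls a non-default configuration. The article does not confirm TPM+PIN as a mitigation, and the code says so. It assumes the BitLocker PowerShell module, an elevated session, and that only one TPM-based protector can exist per volume (so the Tpm protector is removed before the TpmPin one is added); the function refuses to do that unless a recovery password protector is already on file.

```powershell
# Added audit example, not code from the article. Reports which BitLocker volumes
# rely on a TPM-only protector (the Windows 11 default the article says YellowKey
# defeats) and shows the move to TPM+PIN that the article calls a non-default
# configuration. The article does NOT confirm TPM+PIN as a mitigation; treat it as
# configuration hygiene, not a fix. Needs the BitLocker module and an elevated session.
# Assumption (labelled): only one TPM-based protector can exist per volume, so the
# Tpm protector is removed before the TpmPin protector is added.

function Get-BitLockerExposure {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $preBootAuth = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = ($types -join ',')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
            # TPM-only OS volume with no PIN/startup-key protector: the TPM releases the
            # volume key to any boot it measures as valid, with no secret from the user.
            TpmOnly          = ($vol.VolumeType -eq 'OperatingSystem' -and
                                $types -contains 'Tpm' -and $preBootAuth.Count -eq 0)
        }
    }
}

function Set-TpmPinProtector {
    param(
        [Parameter(Mandatory)] [string]$MountPoint,      # e.g. 'C:'
        [Parameter(Mandatory)] [securestring]$Pin
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Never strip the TPM protector without a recovery password on file: if the
    # PIN protector fails to attach, the next boot would otherwise be unrecoverable.
    if ($types -notcontains 'RecoveryPassword') {
        throw "$MountPoint has no RecoveryPassword protector; add and back one up first (Backup-BitLockerKeyProtector)."
    }

    $vol.KeyProtector | Where-Object { $_.KeyProtectorType.ToString() -eq 'Tpm' } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    # Requires the "Require additional authentication at startup" policy to allow a PIN.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage:
#   Get-BitLockerExposure | Format-Table -AutoSize
#   Set-TpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
```

Run the audit across the fleet first; the TpmOnly column is the population the article's threat model covers. The protector change is shown for one machine; at scale it belongs in a policy-backed rollout, and it is not a substitute for the physical-security and patch guidance above.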
Watch for Microsoft security advisories. When a patch arrives, prioritize deployment. This exploit is public and trivial to replicate.
Frequently Asked Questions
Does the YellowKey exploit work remotely?
No. The attacker must have physical access to the Windows 11 device to execute the exploit.
Which versions of Windows are affected?
The exploit targets default Windows 11 deployments of BitLocker. Other versions have not been confirmed affected.
Has Microsoft released a patch for YellowKey?
Not yet. As of publication, Microsoft has not issued a patch or public statement about this vulnerability.
Can additional BitLocker settings prevent this attack?
Possibly. Using a PIN or startup key alongside TPM may change the attack surface, but this has not been confirmed as a mitigation.
Who discovered the YellowKey exploit?
A security researcher using the alias Nightmare-Eclipse published the exploit earlier this week.
Source: Ars Technica
Huma Shazia
Senior AI & Tech Writer