A newly disclosed Windows zero-day dubbed YellowKey allows attackers with physical access to a device to bypass BitLocker disk encryption on default Windows 11 and Windows Server 2022/2025 installations by abusing the Windows Recovery Environment, according to multiple analyses of the public proof-of-concept exploit code published this week.
The flaw was disclosed by an anonymous researcher using the handles Chaotic Eclipse and Nightmare-Eclipse, who described YellowKey as effectively a backdoor embedded in WinRE. As detailed by the researcher and independently reproduced by security researcher Will Dormann on Mastodon, the attack involves placing specially crafted Transactional NTFS “FsTx” files on a USB drive or EFI partition, attaching the media to a BitLocker-protected system, and then booting into WinRE. During startup, the exploit abuses transactional file operations to delete the winpeshl.ini file on the WinRE volume, causing Windows to launch a cmd.exe shell instead of the standard recovery interface, with the BitLocker volume already unlocked for recovery operations [1] [2].
Because the vulnerability is confined to WinRE, it does not enable remote compromise by itself and still requires an attacker to gain physical access to the device and the ability to reboot it into the recovery environment or from suitable media. Nonetheless, the impact is serious for organizations that rely on BitLocker to protect data on laptops and workstations that might be lost, stolen, or seized. Once the YellowKey chain is executed, the attacker receives an elevated recovery shell with full access to the decrypted file system, bypassing protections that are supposed to keep data inaccessible without the appropriate keys stored in the Trusted Platform Module (TPM).
BitLocker is widely mandated in regulated environments and government supply chains, so the discovery of a reliable bypass in the default configuration raises concern about the real-world resilience of Windows at-rest encryption. Security outlets including The Hacker News, Bitdefender and Cybernews [3] report that YellowKey currently has no CVE identifier and no public Microsoft advisory or patch, leaving defenders with limited options beyond hardening their deployment. Microsoft has not publicly commented on the bug’s status, and there is no indication yet that the company has issued an out-of-band fix.
YellowKey is part of a broader wave of zero-days released by the same researcher. Alongside the BitLocker bypass, Nightmare-Eclipse published an additional Windows vulnerability dubbed GreenPlasma, described as a privilege escalation issue involving Windows’ Collaborative Translation Framework (CTFMON) that could let an unprivileged user create arbitrary section objects in locations writable by SYSTEM, potentially enabling abuse of trusted paths for code execution [1]. The same researcher previously disclosed three Microsoft Defender flaws, including BlueHammer, which Microsoft later patched as CVE-2026-33825, and which has since been reported as exploited in the wild.
The YellowKey release also lands amid separate research into BitLocker bypasses in the Windows boot chain. French security firm Intrinsec recently detailed an attack leveraging a boot manager downgrade vulnerability, CVE-2025-48804 (CVSS 6.8), to load a malicious WinRE image that spawns cmd.exe with access to a decrypted BitLocker volume on fully patched Windows 11 systems in under five minutes [4]. Intrinsec noted that as long as legacy boot manager certificates remain trusted, attackers can chain this with physical access to quietly sidestep disk encryption, underscoring that the security of BitLocker depends heavily on the integrity of recovery and boot components.
Until Microsoft issues guidance or patches for YellowKey, researchers are urging defenders to treat physical access controls as part of BitLocker’s security assumptions rather than as a secondary layer. Practical mitigations include disabling or tightly restricting access to WinRE where operationally feasible, enforcing UEFI firmware passwords, disabling boot from external media, and deploying BitLocker with a pre-boot PIN or startup key rather than relying solely on TPM-based transparent unlock. Organizations should also treat any device that was lost or left unattended while vulnerable as potentially exposed, reissue encryption keys as appropriate, and monitor for future advisories that clarify the scope and remediation path for the YellowKey flaw.
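The following PowerShell script is an added example, not code from the article or from any of the researchers it cites. It audits a Windows 11 device for two of the mitigations listed above (whether WinRE is enabled, and whether the OS volume is still protected by a TPM-only protector) and, optionally, moves the volume to TPM+PIN and disables WinRE. The registry values under the FVE policy key mirror what the “Require additional authentication at startup” Group Policy writes (0 = do not allow, 1 = require, 2 = allow); the function and parameter names are this example’s own and the BitLocker PowerShell module and reagentc.exe are assumed to be present.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical helper names): audit and harden a BitLocker
# device against WinRE-based bypasses. Assumes the BitLocker module and
# reagentc.exe, both shipped with Windows 11 / Windows Server.

function Get-WinReStatus {
    # reagentc /info prints a line such as "Windows RE status: Enabled".
    $info = & reagentc.exe /info 2>&1 | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Test-PreBootAuth {
    param([string]$MountPoint = 'C:')
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    # A lone 'Tpm' protector is transparent unlock, the configuration the
    # article says to move away from. TpmPin / TpmStartupKey / TpmPinStartupKey
    # all need something the attacker does not obtain from the device alone.
    # ExternalKey is deliberately not counted: it is also used for recovery keys.
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ',')
        HasRecoveryPwd   = [bool]($types -contains 'RecoveryPassword')
        PreBootAuth      = [bool]($types -match '^(TpmPin|TpmStartupKey|TpmPinStartupKey)$')
    }
}

function Set-PreBootPinPolicy {
    # Disallow TPM-only unlock, allow TPM+PIN, TPM+startup key, or both.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 2 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 2 -Type DWord
}

function Enable-TpmAndPinProtector {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][SecureString]$Pin
    )
    $state = Test-PreBootAuth -MountPoint $MountPoint
    if (-not $state.HasRecoveryPwd) {
        # Never strip the TPM protector without a recovery password on file;
        # escrow it (AD/Entra/your vault) before changing startup protectors.
        throw "No RecoveryPassword protector on $MountPoint; escrow one first."
    }
    Set-PreBootPinPolicy
    # Remove the TPM-only protector(s), then add TPM+PIN. The recovery password
    # keeps the volume recoverable between the two steps.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Test-PreBootAuth -MountPoint $MountPoint
}

function Disable-WinRe {
    # Only where the article's "operationally feasible" condition holds:
    # this removes local recovery and reset-this-PC functionality.
    & reagentc.exe /disable | Out-Null
    Get-WinReStatus
}

# Audit only (read-only), e.g. as a compliance check across a fleet:
$report = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    WinRE        = Get-WinReStatus
    OSVolume     = Test-PreBootAuth -MountPoint $env:SystemDrive
}
$report | Format-List
if ($report.WinRE -eq 'Enabled' -and -not $report.OSVolume.PreBootAuth) {
    Write-Warning "TPM-only BitLocker with WinRE enabled: exposed to WinRE-based bypasses."
}
# Remediation is opt-in, for example:
#   Enable-TpmAndPinProtector -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
#   Disable-WinRe
```

The audit half is safe to run fleet-wide; the remediation functions change boot behaviour, so they deliberately refuse to remove a TPM protector unless a recovery password protector already exists, and the WinRE step is left for the operator to invoke explicitly.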
