Researcher Nightmare-Eclipse released YellowKey, a BitLocker full-volume encryption bypass triggered via a USB-delivered FsTx folder and WinRE, with no password required.
Key Takeaways
YellowKey works by copying an FsTx folder to a USB (NTFS/FAT32/exFAT) or the EFI partition, rebooting into WinRE, and following a specific input sequence to get an unrestricted shell.
The bypass requires no password and grants full read/write access to BitLocker-protected volumes on Windows 11, Server 2022, and Server 2025 only; Windows 10 is unaffected.
The triggering component exists only in the official WinRE image and behaves differently there than in standard Windows installs, which the researcher calls evidence of an intentional backdoor.
A companion exploit, GreenPlasma, enables privilege escalation; full SYSTEM-level PoC is being held until next Patch Tuesday.
Mitigation: use BitLocker with a PIN (TPM-only mode is the attack surface), and consider alternatives like VeraCrypt or Linux FDE.
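The mitigation above hinges on whether a volume's only startup protector is the bare TPM. The following PowerShell audit, added here and not part of the article or the researcher's material, uses the built-in BitLocker module to list every volume's key protectors and flag TPM-only operating-system volumes; the optional remediation step is an assumption about deployment practice, not something the article prescribes, and it expects the "Require additional authentication at startup" policy to permit a startup PIN.

```powershell
# Added audit script (not from the article). Run from an elevated prompt.
# A protector type of 'Tpm' alone means the TPM auto-releases the volume
# key at boot with no user secret, the configuration the article calls
# the attack surface. TpmPin / TpmPinStartupKey add a preboot secret.
$strongStartupTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

function Get-BitLockerProtectorReport {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasStrong = @($types | Where-Object { $strongStartupTypes -contains $_ }).Count -gt 0
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType.ToString()
            ProtectionStatus  = $vol.ProtectionStatus.ToString()
            Protectors        = ($types -join ', ')
            HasRecoveryPassword = $types -contains 'RecoveryPassword'
            TpmOnly           = ($types -contains 'Tpm') -and -not $hasStrong
        }
    }
}

$report = Get-BitLockerProtectorReport
$report | Format-Table -AutoSize

# Optional remediation (assumption, set $Remediate = $true to enable):
# add a TPM+PIN protector to each flagged OS volume. The PIN is prompted
# for, never hard-coded. A recovery password must already be escrowed,
# otherwise a failed protector change can lock the operator out.
$Remediate = $false
if ($Remediate) {
    foreach ($row in $report | Where-Object { $_.TpmOnly -and $_.VolumeType -eq 'OperatingSystem' }) {
        if (-not $row.HasRecoveryPassword) {
            Write-Warning "$($row.MountPoint): no recovery password protector; back one up first. Skipping."
            continue
        }
        $pin = Read-Host -AsSecureString "New startup PIN for $($row.MountPoint)"
        # Windows keeps a single TPM-based protector per volume, so the
        # TPM+PIN protector supersedes the TPM-only one.
        Add-BitLockerKeyProtector -MountPoint $row.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    }
}
```

Any row with TpmOnly set to True and ProtectionStatus On is a volume in the configuration the article describes; rows whose protectors include TpmPin are outside the published exploit's scope, matching @layer8's observation below.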
Hacker News Comment Review
The exploit targets TPM-only BitLocker (no preboot PIN), where the TPM auto-releases the decryption key at boot; commenters agree that this configuration already offered weak protection against an attacker with physical access.
The technical mechanism appears to involve Transactional NTFS (TxF) bits on a USB deleting winpeshl.ini on a separate drive inside WinRE, an unusual cross-drive file operation that commenters found hard to attribute to accident.
Commenters are skeptical of the backdoor framing given Nightmare-Eclipse’s known grievance history with Microsoft, but third-party researchers have independently confirmed the exploit behavior.
Notable Comments
@layer8: The published exploit does not affect BitLocker when a PIN is set; the researcher claims a PIN bypass exists but has released no proof.
@patzentango: In TPM-only mode, Secure Boot validates the chain and the TPM releases keys automatically, making physical access exploits largely equivalent to booting a live USB anyway.