Researcher Nightmare-Eclipse released YellowKey, a BitLocker full-volume encryption bypass triggered by placing an FsTx folder on an attached USB drive and running a specific WinRE reboot sequence.
Key Takeaways
YellowKey works by copying an FsTx folder to a USB (NTFS, FAT32, or exFAT) or the EFI partition, rebooting into Windows Recovery Environment, and following a specific input sequence to get an unrestricted command shell.
The bypass requires no password and grants full read/write access to BitLocker-protected volumes; only Windows 11, Server 2022, and Server 2025 are affected, not Windows 10.
The triggering component exists only in official WinRE images; the same component in standard Windows install images does not exhibit the bypass, which the researcher calls evidence of intentional backdoor insertion.
Nightmare-Eclipse also released GreenPlasma, a privilege escalation exploit, and hinted at a PIN-bypassing variant to be disclosed before next Patch Tuesday.
Mitigation advice from the source: layer encryption systems and consider VeraCrypt as an alternative to BitLocker.
Hacker News Comment Review
Commenters clarified that YellowKey targets TPM-only BitLocker (no PIN), where WinRE holds a TPM-released decryption key, making physical access sufficient regardless of this specific exploit.
The mechanism appears to involve Transactional NTFS (TxF) metadata carried on the USB drive causing winpeshl.ini on a separate drive to be deleted from inside WinRE, a subtle privilege boundary violation rather than a classic break of the full-disk encryption itself.
Commenters debated intentionality: the “backdoor” framing is contested given the researcher’s public grudge against Microsoft and the fact that PIN-protected BitLocker is reportedly unaffected by the published PoC.
Notable Comments
@layer8: Published exploit does not affect BitLocker with a PIN; PIN-less TPM-only mode was already considered weak against physical attackers.
@gruez: WinRE is privileged because Windows stores a TPM-released decryption key specifically for the recovery environment, which is why WinRE access is the attack’s prerequisite.
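The comments above (and the summary under Hacker News Comment Review) single out TPM-only BitLocker, with no PIN or startup key, as the configuration the published exploit targets. The following audit script is an added example, not code from the article, the researcher, or the commenters; it assumes the built-in BitLocker PowerShell module and an elevated session, and it only reads configuration, flagging volumes that have no pre-boot secret.

```powershell
# Added audit script (not part of the original article or any published tooling).
# Lists every encrypted BitLocker volume and flags those protected by a bare TPM
# protector with no pre-boot secret, i.e. the TPM-only mode that the commenters
# describe as the configuration YellowKey targets.
# Assumes the BitLocker module (Get-BitLockerVolume) and an elevated session.

#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerPinAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Only volumes whose protection is actually active matter for this check.
        if ($vol.ProtectionStatus -ne 'On') { continue }

        # KeyProtectorType is an enum; normalise to strings for comparison.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A pre-boot secret is any protector that demands user input before the
        # TPM releases the key: TPM+PIN, TPM+PIN+startup key, TPM+startup key,
        # or a plain password on data volumes.
        $preBootSecret = @($types | Where-Object {
            $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password'
        })
        $tpmOnly = ($types -contains 'Tpm') -and ($preBootSecret.Count -eq 0)

        # Remediation is left to the operator; the command named here exists in
        # the BitLocker module and requires a SecureString PIN.
        $advice = if ($tpmOnly) {
            'TPM-only: add a PIN with Add-BitLockerKeyProtector -TpmAndPinProtector'
        } else {
            'OK: pre-boot secret present'
        }

        [PSCustomObject]@{
            MountPoint     = $vol.MountPoint
            VolumeType     = $vol.VolumeType.ToString()
            Protectors     = ($types -join ', ')
            TpmOnly        = $tpmOnly
            Recommendation = $advice
        }
    }
}

# Print a one-line-per-volume report; TpmOnly = True marks the weak configuration.
Get-BitLockerPinAudit | Format-Table -AutoSize
```

Running this across a fleet (for example through a remoting session) gives a quick inventory of which machines still rely on TPM-only unlock, which is the population the mitigation in the comments applies to.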