
BitLocker Zero-Day YellowKey Breaks Windows Encryption


On May 13, 2026, a researcher operating under the alias Nightmare-Eclipse released a working proof-of-concept exploit — dubbed YellowKey — that defeats BitLocker encryption on Windows 11, Windows Server 2022, and Windows Server 2025. The attack requires physical access, a USB stick loaded with crafted files, and a reboot into the Windows Recovery Environment (WinRE). No PIN, no password, full shell access to the encrypted drive. If your organization relies on BitLocker for compliance, your threat model just changed.

How the YellowKey BitLocker Exploit Works

The attack exploits a flaw in how WinRE handles NTFS transaction logs from external drives. During recovery, Windows looks for \\System Volume Information\FsTx directories on attached drives and replays any logs it finds — regardless of where those logs instruct it to write. Security researcher Will Dormann confirmed the mechanism: Transactional NTFS bits on a USB drive can delete winpeshl.ini on an entirely different drive (X:, the recovery partition). That is a boundary WinRE was never supposed to cross, according to BleepingComputer’s technical breakdown.

Once winpeshl.ini is gone, WinRE launches CMD.EXE instead of the recovery interface. At that point, the TPM has already done its job — the BitLocker volume is decrypted as part of the boot process. The attacker gets a full command shell with unrestricted access to the plaintext drive. The researcher described it as “one of the most insane discoveries I ever found.” Kevin Beaumont, an independent Windows security expert, independently confirmed the exploit works.

The companion exploit GreenPlasma — also released May 13 — is a partial proof-of-concept for a CTFMON privilege escalation flaw, granting SYSTEM-level access after initial entry. Combined with YellowKey, an attacker with brief physical access could decrypt the drive, escalate privileges, and exfiltrate data before anyone notices. The Hacker News has the full technical breakdown of both exploits.

The Enterprise Problem: Default BitLocker Config Is Vulnerable

The public PoC targets TPM-only BitLocker configurations — which is the enterprise default. Organizations choose TPM-only because it scales: servers restart unattended after patching, users avoid pre-boot PINs, and managed fleet deployments do not generate helpdesk tickets about forgotten credentials. Microsoft’s own documentation describes TPM-only as the baseline for organizations that need “a basic level of data protection to meet security policies.” Convenient and compliant — until now.

TPM+PIN is the stronger configuration. It adds a pre-boot PIN that WinRE cannot access automatically. However, it is operationally expensive: every reboot requires someone at the console. For servers, that is often impractical. For laptops, many IT teams skip it to reduce friction. Consequently, the majority of enterprise Windows deployments run the configuration YellowKey was built to break. If an attacker steals a corporate laptop or gets five minutes alone with a server, the default setup offers no protection against this exploit.


Backdoor or Design Flaw?

Nightmare-Eclipse alleges YellowKey is an intentional Microsoft backdoor — the vulnerable component exists only inside the official WinRE image. Kevin Beaumont confirmed the exploit and used the word “backdoor.” However, the security community is not convinced it was deliberate. The dominant view among researchers is that this is a serious architectural flaw in NTFS transaction log replay logic — a design that never enforced drive boundaries, creating an exploitable gap that should not exist. Deliberate or not, the effect is identical: BitLocker-protected machines with physical access are compromised.

Microsoft has not patched YellowKey. Their response has been a generic statement committing to investigate and update devices “as soon as possible.” YellowKey and GreenPlasma are the fourth and fifth unpatched vulnerabilities from the same researcher in 2026 — a campaign that began April 2 with RedSun targeting Windows Defender. According to The Register, BlueHammer — the one Microsoft did patch — was being actively exploited in the wild before the fix shipped. Treat YellowKey as actively exploitable.

What to Do Right Now

There is no patch as of May 17, 2026. These are your options until Microsoft ships a WinRE fix. Prioritize high-risk devices first — executive laptops, servers holding sensitive data, machines under compliance requirements.

  • Enable TPM+PIN for BitLocker — The primary mitigation. Adds a pre-boot PIN that WinRE cannot access automatically. Yes, it means manual intervention on server reboots. Do it for high-value machines first.
  • Set a BIOS/UEFI boot password — Prevents booting into WinRE from a USB drive without the BIOS credential.
  • Audit your BitLocker configurations — Identify which machines are TPM-only and migrate high-risk devices to TPM+PIN. Use Group Policy for managed fleet updates.
  • Enforce physical security — YellowKey requires physical access. Treat device theft and brief physical access to servers as realistic threats, not edge cases.
  • Watch for the patch — Microsoft must change how WinRE handles NTFS transaction log replay from external drives. Monitor Microsoft’s BitLocker security advisories for an update.
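The audit and TPM+PIN steps above can be scripted. The following is an added example, not code from the article or from Microsoft; it uses the built-in BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector), must run elevated, and assumes the "Require additional authentication at startup" policy already permits a startup PIN. The report path and the status labels are the example's own choices.

```powershell
# Added example: classify each BitLocker OS volume as TPM-only (exposed to YellowKey)
# or TPM+PIN, write a CSV for fleet-wide collection, and optionally remediate.
param(
    [switch]$Remediate,
    [string]$ReportPath = "$env:ProgramData\bitlocker-audit.csv"  # hypothetical output path
)

$results = foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
    $types   = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
    $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin

    $status = if ($vol.ProtectionStatus -ne 'On') { 'ProtectionOff' }
              elseif ($tpmOnly)                   { 'TpmOnly-Exposed' }
              elseif ($hasPin)                    { 'TpmPin-OK' }
              else                                { 'Other' }

    # A recovery password must be escrowed before changing protectors, or a failed
    # change leaves the machine stuck at the recovery prompt on next boot.
    if ($types -notcontains 'RecoveryPassword') {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector; back one up before remediating."
    }

    if ($Remediate -and $tpmOnly -and ($types -contains 'RecoveryPassword')) {
        # Add-BitLockerKeyProtector expects the PIN as a SecureString.
        $pin = Read-Host -AsSecureString "Startup PIN for $($vol.MountPoint)"
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

        # Re-read the volume and drop any bare TPM protector that is still present,
        # so the volume cannot be unlocked by the TPM alone during a WinRE boot.
        (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'Tpm' |
            ForEach-Object {
                Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
        $status = 'TpmPin-Remediated'
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MountPoint = $vol.MountPoint
        Protection = $vol.ProtectionStatus
        Protectors = ($types -join ';')
        Status     = $status
    }
}

$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Run without -Remediate first to collect the CSV from the fleet and prioritize the TpmOnly-Exposed rows; the remediation branch prompts for a PIN at the console, so it is intended for the high-value machines the article says to handle first.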

Key Takeaways

  • YellowKey bypasses BitLocker on Windows 11 and Windows Server 2022/2025 using a USB stick and WinRE — no credentials required with the default TPM-only configuration
  • The default enterprise configuration is the vulnerable one — TPM+PIN protects against YellowKey, but most deployments skip the PIN for operational convenience
  • No patch exists as of May 17, 2026 — act now with TPM+PIN, BIOS passwords, and physical security hardening
  • The backdoor vs. design flaw debate is unresolved — but the practical effect is identical: BitLocker-protected machines are accessible with physical access
  • This is part of an ongoing campaign — BlueHammer was weaponized before Microsoft patched it; assume YellowKey will follow the same pattern