A security researcher has handed enterprises a fresh headache. With little more than a USB stick and physical access to a machine, anyone can now unlock data protected by default BitLocker configurations on Windows 11. The exploit, called YellowKey, targets a surprising spot: the Windows Recovery Environment. And it works.
Bruce Schneier highlighted the discovery on his blog last week. He called it nasty. Schneier on Security noted that while physical access is required, the attack defeats the encryption Microsoft positions as standard protection for organizations and government contractors alike.
The researcher behind the code goes by Nightmare-Eclipse, also known as Chaotic Eclipse. This isn’t their first strike against Microsoft. Earlier disclosures targeted Defender. Now they’ve turned attention to BitLocker and a separate privilege-escalation flaw named GreenPlasma. Both proofs of concept appeared publicly around May 13, synchronized with Patch Tuesday. No patches exist yet.
Here’s how YellowKey operates. An attacker prepares specially crafted “FsTx” files. These go on a USB drive or the target’s EFI partition. The machine reboots into WinRE. Hold down the CTRL key at the right moment. A command shell opens. The drive sits unlocked. Full access to encrypted volumes follows. Seconds. No recovery key needed. No PIN. Just the default TPM-only setup that many companies rely on.
Ars Technica examined the release closely. Their report detailed how the exploit reliably bypasses default Windows 11 BitLocker deployments. The decryption key, stored in the TPM, gets used by WinRE during recovery operations. Ars Technica explained that the recovery environment temporarily unlocks the drive but should lock it again. Something breaks that process.
Reverse engineering points to a debug feature. One analysis found a flag called “FailRelock” in every Windows 11 recovery image. Set it to 1 and the relock never happens. That code exists only in the recovery environment. Not in normal Windows boots. Microsoft apparently left an entire testing framework in production code.
The implications stretch far. BitLocker serves as mandatory protection across large parts of government and enterprise fleets. Laptops left in hotel rooms. Devices in repair shops. Stolen hardware. All now carry higher risk. And the exploit has already appeared in active attack campaigns, according to threat intelligence firm Huntress.
The Researcher’s Campaign Against Microsoft
Nightmare-Eclipse didn’t stumble onto this by accident. Their GitHub account shows a pattern. Previous work exposed issues in Microsoft Defender. Frustration with the company’s vulnerability handling seems to drive the disclosures. In one post the researcher described YellowKey as “one of the most insane discoveries I ever found.” They likened it to a backdoor because the vulnerable code lives exclusively in WinRE.
Forbes covered the broader context. The outlet reported that the same individual dropped both YellowKey and GreenPlasma within 24 hours of Patch Tuesday. GreenPlasma allows privilege escalation to SYSTEM via a flaw in Windows Collaborative Translation Framework, or CTFMON. Forbes quoted sources describing the researcher as disgruntled over how Microsoft Security Response Center handles reports.
Yet the technical details hold up. Independent testers reproduced the attack quickly. Security researcher Will Dormann confirmed the behavior on Mastodon. Others verified it works, though the CTRL key timing takes practice. Some claim a variant exists that defeats TPM-plus-PIN setups. No public code for that one yet.
The Hacker News dug into the mechanics. Their article outlined the exact steps: copy the files, boot to recovery, trigger the shell. It affects Windows 11 and Windows Server 2022 and 2025. The Hacker News emphasized that the bug sits inside a framework meant to fix unbootable systems. Attackers abuse that recovery path to avoid normal boot protections.
Bleeping Computer added more color. The publication reported that the researcher published PoC code for both flaws on GitHub. YellowKey’s repository contains the necessary files and instructions. Early tests succeeded even on systems with BitLocker enabled by default. Bleeping Computer noted that Microsoft had not issued a statement at the time of publication.
So what now? Microsoft says it is investigating. Enterprises can’t wait. Recommendations circulate quickly. Enable a PIN or password at boot. That raises the bar. Disable WinRE where possible, though that carries operational costs. Some suggest moving to third-party encryption tools for sensitive data. VeraCrypt receives frequent mentions in discussion threads.
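The two mitigations above, a pre-boot factor on the BitLocker protector and a disabled recovery environment, can be audited fleet-wide with the built-in cmdlets. The script below is an added example written for this article, not code from the researcher or from Microsoft; the function name Get-YellowKeyExposure is hypothetical, and it assumes an elevated PowerShell session on Windows 11.

```powershell
# Added example (not from the article or the researcher's code): audit a host for the
# two conditions the article's mitigations address, TPM-only BitLocker protectors and
# an enabled Windows Recovery Environment. Read-only; it changes no settings.
function Get-YellowKeyExposure {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. BitLocker protectors: a volume whose only unlock path is the TPM
    #    (KeyProtectorType 'Tpm') has no pre-boot secret between a reboot
    #    into WinRE and an unlocked drive. TpmPin/TpmStartupKey/Password add one.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $preBoot = $types -match '^(TpmPin|TpmPinStartupKey|TpmStartupKey|Password)$'
        $findings += [pscustomobject]@{
            Check  = "BitLocker $($vol.MountPoint)"
            Status = if ($vol.ProtectionStatus -ne 'On') { 'Not protected' }
                     elseif ($preBoot) { 'OK: pre-boot factor present' }
                     else { 'EXPOSED: TPM-only protector' }
            Detail = ($types -join ', ')
        }
    }

    # 2. WinRE state: reagentc has no structured output, so its text is matched.
    $reInfo    = & reagentc.exe /info 2>&1 | Out-String
    $reEnabled = $reInfo -match 'Windows RE status:\s+Enabled'
    $findings += [pscustomobject]@{
        Check  = 'Windows RE'
        Status = if ($reEnabled) { 'Enabled: weigh "reagentc /disable" against recovery needs' }
                 else { 'Disabled' }
        Detail = (($reInfo -split "`r?`n") |
                  Where-Object { $_ -match 'Windows RE (status|location)' }) -join '; '
    }

    $findings
}

Get-YellowKeyExposure | Format-Table -AutoSize

# Remediation for an EXPOSED volume (run deliberately, not as part of the audit);
# requires the "Require additional authentication at startup" policy to allow a PIN:
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
```

Running the function across a fleet (for example through a remoting session) gives a per-volume list of which machines still rely on the TPM-only default the article describes.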
Trend Micro published an alert. The company warned that both vulnerabilities threaten system integrity and data confidentiality. Their advisory urges organizations to assess exposure immediately. Trend Micro highlighted that the PoCs are public and already seeing use.
ThreatLocker took a broader view. Their analysis argued that the episode shows limits of trusting native Windows security features alone. YellowKey reveals how assumptions about physical access protections can crumble when recovery code contains overlooked debug paths. ThreatLocker advised layering controls and monitoring for unusual recovery boots.
Recent X discussions show security teams scrambling. Some posts confirm successful reproduction in lab environments. Others report sightings in real intrusions, including one claim tied to a Foxconn factory incident. Microsoft has yet to assign CVEs or release mitigation guidance beyond investigation status.
The discovery lands at a tense time. Organizations increasingly depend on hardware-rooted encryption for compliance. TPM chips promised stronger guarantees. This attack shows those guarantees weaken when recovery mechanisms introduce their own attack surface. Physical access has always mattered. Now the bar sits lower.
Security professionals have long debated BitLocker’s strength. Many paired it with additional factors. The default TPM-only path always carried theoretical risks of key extraction. YellowKey makes that practical and silent. No hardware tampering. No specialized equipment. A USB drive and reboot suffice.
Microsoft faces pressure to respond. Patching WinRE without breaking recovery functions won’t prove simple. Any fix must reach millions of managed devices. In the meantime, defenders adjust configurations. They audit recovery partition integrity. They train staff on physical security.
One detail keeps resurfacing in technical breakdowns. The FailRelock flag. Its presence suggests the behavior once served testing purposes. Somehow it survived into shipping code. That kind of artifact appears in many complex systems. Here it carries outsized consequences.
YellowKey won’t end BitLocker’s usefulness. It does force a reckoning with assumptions. Default settings no longer deliver the protection many believed they did. Organizations that treat physical access as a minor risk must rethink priorities. The USB stick has become a more dangerous tool than before.
And the researcher shows no sign of stopping. Their GitHub hosts both exploits. Code sits in public view. Threat actors already test it. Enterprises that delay action invite trouble. The window for preparation narrows daily.


WebProNews is an iEntry Publication