CVE-2026-45585 YellowKey Unpatched Windows 11 BitLocker Bypass via WinRE PoC Public, No Patch Available

Summary:

Security researcher Chaotic Eclipse (GitHub: Nightmare-Eclipse) publicly disclosed a working proof-of-concept BitLocker bypass named YellowKey on May 12, 2026. The technique abuses a hidden component within the Windows Recovery Environment (WinRE) and Transactional NTFS (TxF) log replay functionality to delete winpeshl.ini, the file responsible for controlling the WinRE shell. This forces WinRE to launch a cmd.exe prompt with unrestricted access to an already-unlocked BitLocker volume.

The attack requires only physical access to a target device and a prepared USB drive. No recovery key, BitLocker PIN, or user credentials are required. The technique has been independently validated by Kevin Beaumont, Will Dormann (Tharros Labs), and KevTheHermit. As of May 15, 2026, Microsoft has not issued a security advisory, CVE assignment, or software patch. Alongside YellowKey, the researcher also disclosed GreenPlasma, a separate CTFMON-based SYSTEM privilege escalation zero-day. The researcher has indicated that additional zero-day vulnerabilities may be disclosed during June 2026's Patch Tuesday if Microsoft does not respond.

Given the widespread use of TPM-only BitLocker deployments, organizations across the UAE and broader MENA region should implement interim mitigations immediately to reduce exposure.

Technical Description:

YellowKey exploits a component exclusive to WinRE that processes Transactional NTFS (TxF) log files located within the System Volume Information\FsTx directory. When WinRE starts, this hidden component automatically replays TxF transaction logs from any attached storage device, including removable USB media.

A critical weakness exists in the replay mechanism, allowing crafted transaction logs to delete files located on other mounted volumes, including the WinRE X: drive. By placing specially crafted FsTx logs on a USB device or EFI partition, an attacker can force WinRE to delete winpeshl.ini from the X: drive. Once removed, WinRE automatically falls back to launching cmd.exe instead of the standard recovery interface.

Because the TPM has already authenticated the system and released the BitLocker encryption key during the normal boot sequence, the encrypted volume is mounted and fully accessible before the shell is spawned.

Will Dormann of Tharros Labs independently confirmed that YellowKey combines NTFS transaction replay with WinRE behavior to gain unrestricted access to the decrypted volume. While the same transaction processing component exists in standard Windows installations, the ability to perform cross-volume modifications appears unique to WinRE. This difference led the researcher to speculate that the functionality could represent an intentional backdoor, although no evidence supporting this claim has been publicly presented.

The researcher further claims that a separate bypass exists for TPM+PIN configurations but has not released details. Independent testing confirms that TPM+PIN successfully blocks the currently published YellowKey proof-of-concept.
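Because the crafted FsTx logs must sit on media the machine can see at WinRE start (a USB stick, or the EFI System Partition if an attacker already had write access to it), the one artifact a defender can look for after the fact is that directory on a volume where it does not belong. The following hunting script is an added example written for this advisory; it is not code from the advisory or from the YellowKey repository. It assumes an elevated PowerShell session on Windows, treats the path `System Volume Information\FsTx` named above as the thing to look for, and reports a hit as a lead to review rather than proof of tampering, since it cannot distinguish crafted logs from benign content. The function names `Test-FsTxPath` and `Find-FsTxArtifacts` are this example's own.

```powershell
# Added example, not code from the advisory or the YellowKey repository: hunt for a
# System Volume Information\FsTx directory on lettered volumes and on the EFI System Partition.
# Assumptions: run elevated; a hit is a lead to review, not proof of tampering.
#Requires -RunAsAdministrator

$script:FsTxRelativePath = 'System Volume Information\FsTx'

function Test-FsTxPath {
    param([Parameter(Mandatory)][string]$Root)
    # Reports Present / Absent / AccessDenied for <Root>\System Volume Information\FsTx.
    # Get-Item is used rather than Test-Path because Test-Path quietly returns $false when the
    # default ACL on System Volume Information (SYSTEM only) denies the caller access.
    $p = Join-Path $Root $script:FsTxRelativePath
    try {
        $item  = Get-Item -LiteralPath $p -Force -ErrorAction Stop
        $count = @(Get-ChildItem -LiteralPath $item.FullName -Force -Recurse -File -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ Path = $p; State = 'Present'; FileCount = $count }
    } catch {
        $err = $_   # capture before switch rebinds $_
        $state = switch ($err.CategoryInfo.Category) {
            'ObjectNotFound'   { 'Absent' }
            'PermissionDenied' { 'AccessDenied' }   # re-run as SYSTEM (e.g. a scheduled task) to inspect
            default            { "Error: $($err.Exception.Message)" }
        }
        [pscustomobject]@{ Path = $p; State = $state; FileCount = $null }
    }
}

function Find-FsTxArtifacts {
    # 1. Every volume that currently has a drive letter (fixed disks and removable media alike).
    foreach ($vol in Get-Volume | Where-Object { [int]$_.DriveLetter -ne 0 }) {
        Test-FsTxPath -Root "$($vol.DriveLetter):\" |
            Add-Member -NotePropertyName Volume -NotePropertyValue "$($vol.DriveLetter): ($($vol.DriveType))" -PassThru
    }

    # 2. The EFI System Partition has no drive letter; "mountvol <letter>: /S" maps it temporarily.
    $used   = (Get-PSDrive -PSProvider FileSystem).Name
    $letter = ([char[]](90..68) | ForEach-Object { "$_" } | Where-Object { $_ -notin $used } | Select-Object -First 1) + ':'
    $null   = & mountvol $letter /S 2>&1
    if ($LASTEXITCODE -eq 0) {
        try     { Test-FsTxPath -Root "$letter\" | Add-Member -NotePropertyName Volume -NotePropertyValue 'EFI System Partition' -PassThru }
        finally { $null = & mountvol $letter /D 2>&1 }   # always unmap the ESP again
    } else {
        [pscustomobject]@{ Path = $null; State = 'MountFailed'; FileCount = $null; Volume = 'EFI System Partition' }
    }
}

# Usage: list every volume checked; anything with State Present or AccessDenied needs a closer look.
Find-FsTxArtifacts | Format-Table Volume, State, FileCount, Path -AutoSize
```

Run it as SYSTEM (a scheduled task or an endpoint-management agent) if you want the `System Volume Information` folder on NTFS data volumes inspected rather than reported as `AccessDenied`; the EFI System Partition is FAT-formatted and has no such ACL, so that part of the check works from any elevated session.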

CVE: CVE-2026-45585
CVSS: 6.8
Vulnerability Type: BitLocker bypass via WinRE TxF log replay (CWE-284). Physical access required.
Affected Product: Windows 11, Windows Server 2022, Windows Server 2025
Patch Version: No patch available (as of May 15, 2026). Interim: enforce TPM+PIN, disable WinRE, restrict physical access.

The full exploitation chain is detailed below.
  • The attacker prepares a USB device formatted with NTFS and copies the malicious FsTx directory structure into System Volume Information\FsTx exactly as documented in the publicly released YellowKey repository. Alternatively, the crafted files may be written directly to the target system’s EFI partition, eliminating the need for a USB device.
  • The prepared USB device is connected to a Windows system protected by BitLocker. The attacker initiates a WinRE boot sequence by holding Shift while selecting Restart, then immediately releases Shift and continuously holds CTRL until a command prompt appears.
  • During WinRE startup, the hidden TxF replay component processes the crafted transaction logs. These logs instruct WinRE to delete winpeshl.ini from the X: drive, preventing the recovery environment from launching its standard interface.
  • Because winpeshl.ini is absent, WinRE automatically launches cmd.exe. The BitLocker volume is already mounted and accessible because TPM authentication has already released the encryption key during boot.
  • The attacker gains unrestricted read and write access to the protected volume and can use tools such as DiskPart to access the entire file system. This access can be used to copy sensitive files, harvest credentials and private keys, install persistent malware, modify operating system components, or create complete disk images for offline analysis.
  • Kevin Beaumont independently confirmed the effectiveness of the technique and stated that the researcher’s findings demonstrate a practical bypass of BitLocker protections in TPM-only configurations.

Ease of Exploitation:

YellowKey has been independently validated by Kevin Beaumont, Will Dormann, and KevTheHermit against Windows 11 build 10.0.26100.1.

The attack requires only physical access to the target device and a prepared USB drive. The complete exploitation process is publicly documented and includes detailed step-by-step instructions, significantly lowering the technical barrier to entry. No advanced exploitation knowledge, credentials, or cryptographic recovery operations are required.

As no Microsoft patch, advisory, or mitigation update currently exists, systems relying solely on TPM-based BitLocker authentication remain exposed. The researcher has also announced plans to disclose additional zero-day vulnerabilities during June 2026's Patch Tuesday if Microsoft has not remediated the issues by then.

Conclusion:

YellowKey represents a significant challenge to the security assumptions surrounding TPM-only BitLocker deployments. By abusing WinRE transaction replay functionality, an attacker with physical access can bypass full-disk encryption protections without requiring recovery keys, credentials, or privileged access.

The attack is publicly documented, independently validated by multiple security researchers, and currently remains unpatched. Because the technique exploits legitimate operating system functionality rather than traditional malware or exploit chains, conventional endpoint protections may provide little visibility during execution.

Until Microsoft releases official remediation guidance, organizations should prioritize enforcing TPM+PIN authentication, limiting physical access to systems containing sensitive data, and evaluating whether WinRE can be disabled within operational requirements. These interim measures provide the most effective protection against currently known exploitation techniques.

Impact:

Successful exploitation of YellowKey provides an attacker with cmd.exe running against a fully unlocked BitLocker-protected volume, granting unrestricted read and write access to all stored data.

Sensitive documents, credentials, certificates, private keys, browser profiles, source code repositories, databases, and corporate intellectual property become immediately accessible. Attackers may copy data, modify operating system files, install persistent malware, create unauthorized accounts, or prepare the system for future compromise.

The risk extends beyond data exposure, as attackers can establish persistence mechanisms that survive subsequent normal boots and maintain access after the device returns to regular operation.

For organizations across the UAE and broader MENA region, compromise of endpoints containing regulated or personal information may trigger obligations under the UAE Personal Data Protection Law (PDPL), National Cybersecurity Authority Essential Cybersecurity Controls (NCA ECC), and other applicable sector-specific reporting requirements. The resulting operational, regulatory, financial, and reputational impacts may be significant.

IOC and Context Details:

Tactic Name: Initial Access, Execution, Persistence, Credential Access, Defence Evasion, Impact
Technique Name: Physical Access BitLocker Bypass via WinRE TxF Log Replay, Cross-Volume File Deletion via Crafted FsTx Logs, winpeshl.ini Deletion to Trigger cmd.exe Fallback, Unrestricted Volume Access via Pre-Authenticated TPM Boot, Data Exfiltration and Persistent Malware Installation
Sub Technique Name: USB with FsTx folder inserted — Shift+Restart to WinRE — hold CTRL — TxF logs replayed — winpeshl.ini deleted on X: drive — cmd.exe spawns — BitLocker volume already mounted — diskpart mounts full volume — unrestricted data access and persistence
Attack Type: Vulnerability
Targeted Applications: Windows 11 (all builds using the default TPM-only BitLocker configuration), Windows Server 2022, Windows Server 2025, any device where physical access is possible and WinRE is enabled. Windows 10 is NOT affected.
Region Impacted: Global
Industry Impacted: Cross-industry — any organisation with Windows 11 endpoints or Windows Server 2022/2025 where physical device security cannot be guaranteed
IOCs: N/A
CVE: CVE-2026-45585

Recommended Actions:

  • Enforce TPM+PIN authentication for BitLocker-protected Windows 11 systems handling sensitive or regulated data through Group Policy settings under BitLocker Drive Encryption policies.
  • Disable WinRE on systems where recovery functionality is not operationally required by executing reagentc /disable, following an assessment of recovery and support implications.
  • Strengthen physical security controls for all Windows 11, Windows Server 2022, and Windows Server 2025 devices, including secure storage, chassis protection, controlled access environments, and strict device handling procedures.
  • Use Intune, Group Policy, or centralized management platforms to identify systems configured with TPM-only BitLocker protection and prioritize migration to TPM+PIN authentication.
  • Continuously monitor Microsoft Security Response Center (MSRC) communications for updates, advisories, or patches related to YellowKey and deploy future security updates immediately upon release.
  • Review physical and remote console access controls for Windows Server environments, including iDRAC, iLO, IPMI, and other management interfaces that may provide physical-equivalent access.
  • Track developments related to the companion GreenPlasma disclosure and monitor threat intelligence sources for additional exploit releases or operational weaponization activity.
  • Maintain verified offline backups of critical information and regularly validate recovery procedures to ensure resilience against data theft, destructive actions, ransomware deployment, or unauthorized system modification.
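The first, second and fourth actions above (enforce TPM+PIN, disable WinRE where acceptable, find TPM-only systems) can be checked on each host with one read-only script. The one below is an added example for this advisory, not code from the advisory, from Microsoft, or from the YellowKey repository. It assumes an elevated session on English-language Windows 11 with the BitLocker PowerShell module present, and reads the `Require additional authentication at startup` Group Policy from its registry location `HKLM\SOFTWARE\Policies\Microsoft\FVE` (values `UseAdvancedStartup`, `UseTPM`, `UseTPMPIN`, interpreted as 0 = do not allow, 1 = require, 2 = allow). The function names `Get-BitLockerStartupAuth`, `Get-BitLockerStartupPolicy`, `Get-WinREStatus`, `Get-YellowKeyExposure` and `Add-StartupPin` are this example's own; `Get-BitLockerVolume`, `Add-BitLockerKeyProtector` and `reagentc` are the standard Windows tools.

```powershell
# Added example, not code from the advisory or the YellowKey repository: a read-only posture
# check for the interim mitigations, plus a single-host remediation helper.
# Assumptions: run elevated on English-language Windows 11; BitLocker module present.
#Requires -RunAsAdministrator

function Get-BitLockerStartupAuth {
    # One row per BitLocker volume. TpmOnly is true for an OS volume whose TPM-based protector
    # is plain "Tpm" with no TpmPin / TpmPinStartupKey protector, the configuration YellowKey bypasses.
    foreach ($v in Get-BitLockerVolume) {
        $types  = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasPin = @($types | Where-Object { $_ -like 'TpmPin*' }).Count -gt 0
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = [string]$v.VolumeType
            ProtectionStatus = [string]$v.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = ([string]$v.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm' -and -not $hasPin)
        }
    }
}

function Get-BitLockerStartupPolicy {
    # "Require additional authentication at startup" lands under HKLM\SOFTWARE\Policies\Microsoft\FVE.
    # UseAdvancedStartup = 1 enables it; UseTPM / UseTPMPIN use 0 = do not allow, 1 = require, 2 = allow.
    # A PIN is actually enforced only when the policy is on, UseTPMPIN is 1 and TPM-only (UseTPM) is 0.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyPresent       = [bool]$p
        UseAdvancedStartup  = $p.UseAdvancedStartup
        UseTPM              = $p.UseTPM
        UseTPMPIN           = $p.UseTPMPIN
        PinRequiredByPolicy = ($p.UseAdvancedStartup -eq 1 -and $p.UseTPMPIN -eq 1 -and $p.UseTPM -eq 0)
    }
}

function Get-WinREStatus {
    # reagentc /info prints a line such as "Windows RE status:         Enabled" (English output assumed).
    $out = (& reagentc /info 2>&1) -join "`n"
    if ($out -match 'Windows RE status:\s+(\w+)') { $Matches[1] } else { 'Unknown' }
}

function Get-YellowKeyExposure {
    # Combines the checks into one report with a single Exposed verdict: an OS volume protected
    # by TPM only, with WinRE enabled, is the condition the advisory describes as bypassable.
    $volumes   = @(Get-BitLockerStartupAuth)
    $winre     = Get-WinREStatus
    $tpmOnlyOn = @($volumes | Where-Object { $_.TpmOnly -and $_.ProtectionStatus -eq 'On' })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        WinRE        = $winre
        Policy       = Get-BitLockerStartupPolicy
        Volumes      = $volumes
        Exposed      = ($tpmOnlyOn.Count -gt 0 -and $winre -eq 'Enabled')
    }
}

function Add-StartupPin {
    # Single-host remediation: adds a TPM+PIN protector to the OS volume, which replaces the TPM-only one.
    # BitLocker refuses this unless policy allows a startup PIN (see Get-BitLockerStartupPolicy),
    # so roll the Group Policy change out first.
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin
}

# Usage: emit the report as JSON so it can be collected fleet-wide (Intune, a GPO-scheduled task, or an EDR script).
$report = Get-YellowKeyExposure
if ($report.Exposed) {
    Write-Warning "$($report.ComputerName): TPM-only BitLocker with WinRE enabled; enforce TPM+PIN or run 'reagentc /disable'."
}
$report | ConvertTo-Json -Depth 4
```

`Exposed` is deliberately a conjunction of the two conditions the advisory ties together (TPM-only protector on the OS volume and WinRE enabled), so a host that has either TPM+PIN in place or WinRE disabled reports as not exposed to the published proof-of-concept; the `Policy` block tells you whether the PIN is merely present on that host or actually required by Group Policy, which is what matters for fleet-wide enforcement.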

Reference:

https://thehackernews.com/2026/05/windows-zero-days-expose-bitlocker.html

https://github.com/Nightmare-Eclipse/YellowKey