On affected Windows versions attackers can exploit NTFS replay, gaining full BitLocker drive access without access keys.
Security researcher Nightmare-Eclipse, also known as Chaotic Eclipse, has disclosed a critical zero-day vulnerability dubbed YellowKey that bypasses Microsoft BitLocker encryption on protected drives.
The exploit requires only physical access to the target device, a USB stick with specially crafted files, and a reboot into the Windows Recovery Environment (WinRE).
By holding the CTRL key during boot, an attacker triggers an NTFS transaction replay that deletes the recovery launcher configuration, dropping straight to an unlocked command prompt with full read-write access to the encrypted volume — no recovery key needed.
This vulnerability affects Windows 11, Windows Server 2022, and Windows Server 2025, but spares Windows 10. Independent tests by Tom’s Hardware have confirmed the reliability of disclosure: the exploit files self-delete from the USB after use, fueling suspicions of a deliberate backdoor in WinRE, as the vulnerable component behaves differently from its standard Windows counterpart.
Also, according to a Bleeping Computer report, Kevin Beaumont and Will Dormann of Tharros Labs have verified the technique, noting it abuses WinRE’s auto-unlock for TPM-stored keys during boot.
YellowKey stems from Eclipse’s frustration with Microsoft’s alleged dismissal of prior reports, following their April leaks of BlueHammer (CVE-2026-33825, now patched) and RedSun(silently fixed, per the researcher). They claim a TPM+PIN variant exists but withheld its proof-of-concept (PoC), insisting the public version already poses severe risks for laptops and servers. Eclipse had paired YellowKey with GreenPlasma, an incomplete PoC for a local privilege escalation via CTFMon’s arbitrary section creation, potentially granting SYSTEM access by tricking kernel drivers.
BitLocker, which is enabled by default on Windows 11 in millions of devices, now faces doubts despite TPM tying keys to hardware — stolen drives remain safe if removed, but on-device theft enables instant compromise.
Upon the news, Microsoft has not detailed patches, but has reaffirmed commitment to coordinate further disclosure. Experts urge the use of BIOS passwords and PINs as interim defenses, although Eclipse disputes their full efficacy. With PoCs going public on GitHub, urgency mounts ahead of Microsoft’s Patch Tuesdays.
