A USB stick. A held key. A command prompt with unrestricted access to every file on an encrypted Windows drive.

That’s the YellowKey exploit, published May 12 by a researcher using the alias Nightmare-Eclipse and independently confirmed by security researchers Kevin Beaumont and Will Dormann. It defeats the default configuration of BitLocker — Microsoft’s full-disk encryption — on Windows 11, Windows Server 2022, and Windows Server 2025. Windows 10 is unaffected. Nobody has explained why.

What the attack actually does

The steps are simple. Copy a custom folder called FsTx onto a USB drive. Plug it into a target machine. Reboot into the Windows Recovery Environment — accessible by holding Shift while clicking Restart — and hold the CTRL key. If the timing lines up, and testers say it sometimes takes a few attempts, a command prompt opens with full access to the encrypted volume. No recovery key required.

The attacker can read, copy, modify, or delete anything on the drive.

According to Will Dormann, principal vulnerability analyst at Tharros Labs, the exploit leverages NTFS transaction handling. During recovery boot, Windows searches for \System Volume Information\FsTx directories on attached drives and replays any NTFS logs it finds. The crafted folder deletes winpeshl.ini, which normally launches the recovery interface. Instead, the system drops to a bare command prompt — with the disk still unlocked.

The exploit doesn’t work on stolen drives removed from the original hardware, because the TPM still holds the keys. But for any device an attacker can physically reach, the default BitLocker configuration provides no protection. TPM-only mode — auto-unlocking the drive at boot for convenience — is standard on most consumer and many enterprise Windows 11 installations, including those mandated for government contractors.

A backdoor, or just a very strange bug

Nightmare-Eclipse doesn’t call this a vulnerability. The researcher calls it a backdoor.

The claim rests on one observation: the component responsible for the bypass exists inside the Windows Recovery Environment image and is not documented anywhere. A file with the same name exists in standard Windows installations but lacks the bypass functionality. The researcher wrote: “I just can’t come up with an explanation beside the fact that this was intentional.”

It’s an extraordinary claim, and nobody — including Microsoft — has confirmed or refuted it. Dormann traced the mechanism to NTFS transaction replay, not to a deliberately planted component. The difference between a poorly understood bug and an intentional backdoor is the difference between negligence and malice. The evidence doesn’t firmly support either conclusion.

Microsoft’s response, such as it is

A spokesperson told BleepingComputer the company has “a customer commitment to investigate reported security issues” and supports coordinated vulnerability disclosure. No CVE has been assigned. No patch timeline exists. Microsoft has not publicly acknowledged YellowKey by name.

The bug lives in the WinRE image, not the main operating system, making a fix more involved than a standard cumulative update. Previous WinRE updates required users to manually resize their recovery partitions. The patch path may not be straightforward.

The gaps that matter

Nobody outside Nightmare-Eclipse claims to understand the root cause. The researcher’s own blog concedes that “NO ONE has managed to figure out how YellowKey works” and that the real root cause remains unknown to the public.

The researcher also claims the exploit works against TPM+PIN configurations — a significantly more severe claim that has not been independently verified. The public proof-of-concept targets only TPM-only setups. If the TPM+PIN variant exists as described, it eliminates the primary mitigation security professionals are recommending.

Nightmare-Eclipse has been publishing Windows zero-days in rapid succession — BlueHammer and RedSun in April, YellowKey and a privilege escalation called GreenPlasma this month. Each disclosure arrives with increasingly hostile language toward Microsoft. The researcher claims the company violated an agreement and left them “homeless with nothing,” and has promised “a big surprise” for the next Patch Tuesday.

A researcher with a grievance, an unexplained vulnerability, and a track record of delivering on threats is a volatile combination.

What to do

Physical access control remains the only unambiguous mitigation. Keeping devices powered off when unattended, setting BIOS passwords, and preventing unauthorized USB connections all help.

Switching from TPM-only to TPM+PIN stops the publicly available exploit. But if Nightmare-Eclipse’s unverified claim about TPM+PIN is accurate, even that fails. Organizations running large Windows 11 fleets in TPM-only mode should treat their disk encryption as providing no barrier against a determined attacker with physical access until a patch ships.
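One way to find and close that gap across a fleet, as an added example written for this article rather than code from the researcher or from Microsoft: a PowerShell script (assumed to run elevated with the built-in BitLocker module) that flags volumes relying on a TPM-only protector, the configuration the public proof-of-concept targets, and optionally replaces it with TPM+PIN. The function names are my own.

```powershell
# Audit BitLocker volumes for the TPM-only (auto-unlock) configuration
# and report which ones would unlock at boot with no PIN required.
function Get-BitLockerTpmOnlyExposure {
    [CmdletBinding()]
    param()
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasTpmOnly = $types -contains 'Tpm'
        $hasTpmPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            # Exposed: encryption is on, but nothing beyond the TPM gates the unlock.
            TpmOnlyExposed   = ($vol.ProtectionStatus -eq 'On') -and $hasTpmOnly -and -not $hasTpmPin
        }
    }
}

# Replace the TPM-only protector on one volume with a TPM+PIN protector.
# Assumes local policy already permits a startup PIN
# ("Require additional authentication at startup").
function Convert-ToTpmPin {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Refuse to touch a volume with no escrowed recovery password; a typo in
    # the PIN would otherwise lock the operator out of the disk.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No RecoveryPassword protector on $MountPoint; back up a recovery key first."
    }
    # Add the stronger protector first, then remove the TPM-only one so the
    # volume can no longer auto-unlock during a recovery boot.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    $tpmOnly = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm'
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: list exposed volumes, then convert the OS volume interactively.
Get-BitLockerTpmOnlyExposure | Format-Table -AutoSize
# Convert-ToTpmPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'Startup PIN')
```

The audit half is read-only and safe to push to a fleet through remoting; the conversion half changes the boot experience and should be rolled out with the recovery keys already escrowed.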

The exploit is public. The root cause is a mystery. Microsoft is investigating. Those three facts, sitting side by side, are the story.
