arstechnica.com 5/14/2026, 6:41:13 PM · via preferred

Zero day YellowKey exploit rapidly bypasses Windows 11 BitLocker

Primary Source github.com

A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted drive within seconds. Ars Technica describes the threat under the name YellowKey. The exploit was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse, and it reliably bypasses default Windows 11 deployments of BitLocker, which stores decryption keys in a TPM.

The core of the bypass involves a custom FsTx folder linked to transactional NTFS. The steps include using a USB drive to trigger a Windows Recovery flow and then obtaining a CMD.EXE prompt with full drive access, bypassing the need for a BitLocker recovery key. Multiple researchers, including Kevin Beaumont and Will Dormann, have confirmed the exploit works as described. A Microsoft representative declined to answer questions beyond saying the company is investigating.

At present, BitLocker on Windows 11 isn’t providing the protection it’s supposed to. The bypass works only in the TPM-only configuration of BitLocker, which stores keys in the TPM, a setup many organisations employ.
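To find machines in the TPM-only configuration the article says the bypass applies to, the following added example (not from the article or the researcher's repository) classifies BitLocker volumes by their key protectors. `Get-TpmOnlyExposure` is a hypothetical helper name, the sample objects are constructed, and the live query assumes an elevated prompt with the BitLocker PowerShell module available.

```powershell
# Added example: flag BitLocker volumes that the TPM alone can unlock.
function Get-TpmOnlyExposure {
    param(
        # Objects shaped like Get-BitLockerVolume output:
        # MountPoint, VolumeType, ProtectionStatus, KeyProtector[].KeyProtectorType
        [Parameter(Mandatory, ValueFromPipeline)] $Volume
    )
    process {
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        # Protector types that require something besides the TPM before boot.
        $preBootAuth = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')
        $hasTpm      = $types -contains 'Tpm'
        $hasPreBoot  = @($types | Where-Object { $preBootAuth -contains $_ }).Count -gt 0
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            VolumeType = "$($Volume.VolumeType)"
            Protection = "$($Volume.ProtectionStatus)"
            Protectors = ($types -join ', ')
            # A RecoveryPassword is a recovery path, not pre-boot authentication,
            # so Tpm + RecoveryPassword still counts as TPM-only.
            TpmOnly    = ($hasTpm -and -not $hasPreBoot)
        }
    }
}

# Constructed sample input so the logic can be checked offline.
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
    }
)
$sample | Get-TpmOnlyExposure | Format-Table -AutoSize

# Live audit on a real machine (elevated prompt):
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | Get-TpmOnlyExposure | Where-Object TpmOnly |
        Format-Table -AutoSize
}
```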


Article by CyberSIXT
