Ars Technica Article
Zero-day exploit completely defeats default Windows 11 BitLocker protections
https://arstechnica.com/security/2026/05/zero-day-exploit-completely-defeats-default-windows-11-bitlocker-protections/
Edited after translating portions of the content with Gemini 3 Flash.
A vulnerability has been discovered that allows anyone with physical access to a Windows 11 system to gain privileges over a BitLocker-encrypted drive.
A researcher using the pseudonym Nightmare-Eclipse discovered it and disclosed it early this week, and the vulnerability is named YellowKey.
The bypass procedure is as simple as follows.
Copy a custom FsTx folder from the Nightmare-Eclipse vulnerability page to a USB drive formatted as NTFS or FAT.
Connect the USB drive to the BitLocker-protected device.
Boot the device and immediately hold down the [Ctrl] key.
Enter Windows recovery mode.
There are at least 2 ways to proceed with step 3. One is to boot into Windows, then hold the [Shift] key, click the power icon, and click restart. Another way is to power on the device and restart immediately as soon as Windows boot starts.
In both cases, a command prompt (CMD[.]EXE) window appears. This prompt has complete access to the entire contents of the drive, so an attacker can copy, modify, or delete data. In a typical Windows recovery procedure, an attacker would need to enter a BitLocker recovery key, but the YellowKey vulnerability disclosed this time bypasses this procedure for some reason.
A Microsoft spokesperson refused to provide answers to questions sent via email about the vulnerability, only stating that the company is investigating.
Therefore, users should be aware that Windows 11's BitLocker is currently not providing the protection it was originally intended to provide. In other words, if a device is lost or stolen, this vulnerability could be used to access the data.
[Rest of content omitted]
Note: Interestingly, materials related to the component responsible for this bug cannot be found anywhere, including on the internet, which is why it has been described as backdoor-like.
https://github.com/Nightmare-Eclipse/YellowKey
Now why would I say this is a backdoor ? The component that is responsible for this bug is not present anywhere (even in the internet) except inside WinRE image and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal windows installation but without the functionalities that trigger the bitlocker bypass issue. Why ? I just can't come up with an explanation beside the fact that this was intentional. Also for whatever reason, only windows 11 (+Server 2022/2025) are affect, windows 10 is not.