
Ethical Hacking News

New BitLocker Bypass Vulnerability Exposed: A Threat to Windows Users



A new zero-day vulnerability has been discovered in Microsoft's BitLocker feature, allowing attackers to bypass encryption and gain access to sensitive data. Follow us for the latest updates on this developing story as more information becomes available.

  • YellowKey is a zero-day vulnerability in Microsoft's BitLocker feature that allows attackers to bypass security features.
  • The vulnerability was discovered by Chaotic Eclipse, a well-known security researcher, and made publicly available online.
  • YellowKey exploits a bug in the BitLocker feature's recovery mechanism, allowing an attacker to trigger a shell with unrestricted access.
  • Users who rely on BitLocker to encrypt their data are at risk, as an attacker with physical access can potentially sidestep encryption and gain access to sensitive information.
  • Mitigation steps recommended by Microsoft include mounting the WinRE image and modifying BootExecute values.



The cybersecurity landscape has taken a new turn, as a high-severity vulnerability has been discovered in Microsoft's BitLocker feature. YellowKey, as it is now known, is a zero-day flaw that allows an attacker to bypass the security features of BitLocker, granting them unrestricted access to encrypted data on systems running Windows 11 and Windows Server 2025.

The vulnerability was first reported by Chaotic Eclipse (aka Nightmare-Eclipse), a well-known security researcher, who publicly disclosed the issue. The proof of concept for YellowKey was made available online, which raised concerns among cybersecurity experts and users alike. Microsoft has since released a mitigation guide to help users address the risk posed by this vulnerability.

According to the researchers, YellowKey is an FsTx file-based attack that exploits a bug in the BitLocker feature's recovery mechanism. An attacker can place a specially crafted FsTx file on a USB drive or EFI partition and plug it into a target Windows system with BitLocker protections turned on. Upon rebooting into the Windows Recovery Environment (WinRE), the attacker can trigger a shell with unrestricted access by holding down the CTRL key.

This vulnerability has significant implications for users who rely on BitLocker to encrypt their data. An attacker with physical access to a system that is vulnerable to YellowKey could potentially sidestep the encryption feature and gain access to encrypted data, compromising sensitive information.

To mitigate this risk, Microsoft recommends the following steps:

1. Mount the WinRE image on each device.
2. Mount the system registry hive of the mounted WinRE image.
3. Modify BootExecute by removing the "autofstx.exe" entry from the Session Manager key's BootExecute REG_MULTI_SZ value.
4. Save and unload the registry hive.
5. Unmount and commit the updated WinRE image.
6. Reestablish BitLocker trust for WinRE.

Additionally, Microsoft suggests that users reconfigure BitLocker on already-encrypted devices that use the "TPM-only" protector by switching them to "TPM+PIN" mode via PowerShell, the command line, or the control panel. This requires a PIN to unlock the drive at startup, effectively blocking YellowKey attacks.

On devices that are not yet encrypted, administrators are advised to enable the "Require additional authentication at startup" option via Microsoft Intune or Group Policy and ensure that "Configure TPM startup PIN" is set to "Require startup PIN with TPM."

The emergence of YellowKey highlights the importance of staying up to date with security patches and following best practices for encrypting sensitive data. As the threat landscape continues to evolve, it is essential for users and administrators to remain vigilant and proactive in addressing potential vulnerabilities.

In conclusion, the discovery of YellowKey serves as a reminder that even seemingly secure features like BitLocker are not immune to exploitation. By understanding the risks associated with this vulnerability and taking steps to mitigate them, users can help protect themselves against potential attacks and ensure the integrity of their sensitive data.
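The six-step WinRE mitigation and the TPM-only to TPM+PIN switch, as an added PowerShell example that is not Microsoft's published script: it assumes an elevated shell, WinRE already enabled (check with reagentc /info), that BootExecute sits under ControlSet001 in the offline hive, and that running reagentc /disable then /enable is what re-registers the modified WinRE image with BitLocker; the mount directory and hive name are arbitrary choices.

```powershell
# Added example (not Microsoft's script): the six WinRE steps above, then TPM-only -> TPM+PIN.
# Assumes an elevated shell, WinRE enabled (reagentc /info), BootExecute under ControlSet001
# in the offline hive; $MountDir and $HiveName are arbitrary names chosen here.
$MountDir = 'C:\WinREMount'
$HiveName = 'WinRE_SYSTEM'

# 1. Mount the WinRE image; reagentc locates the registered winre.wim itself.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
reagentc /mountre /path $MountDir
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }

# 2. Load the mounted image's SYSTEM hive under HKLM.
reg load "HKLM\$HiveName" (Join-Path $MountDir 'Windows\System32\config\SYSTEM') | Out-Null
if ($LASTEXITCODE -ne 0) { reagentc /unmountre /path $MountDir /discard; throw 'reg load failed' }

try {
    # 3. Drop only the autofstx.exe entry from BootExecute (REG_MULTI_SZ); keep the rest.
    $SmKey  = "HKLM:\$HiveName\ControlSet001\Control\Session Manager"
    $Before = @((Get-ItemProperty -Path $SmKey -Name BootExecute).BootExecute)
    $After  = @($Before | Where-Object { $_ -notmatch 'autofstx\.exe' })
    if ($After.Count -lt $Before.Count) {
        Set-ItemProperty -Path $SmKey -Name BootExecute -Value $After -Type MultiString
        Write-Host "BootExecute is now: $($After -join ' | ')"
    } else {
        Write-Host 'No autofstx.exe entry present; WinRE image left unchanged.'
    }
} finally {
    # 4. Release provider handles and unload the hive so the commit can succeed.
    [GC]::Collect()
    reg unload "HKLM\$HiveName" | Out-Null
}

# 5. Unmount and commit the updated WinRE image.
reagentc /unmountre /path $MountDir /commit
if ($LASTEXITCODE -ne 0) { throw "reagentc /unmountre failed ($LASTEXITCODE)" }

# 6. Re-establish BitLocker trust for WinRE. Assumption: disabling and re-enabling
#    WinRE re-registers the modified image with BitLocker on this build.
reagentc /disable
reagentc /enable

# Hardening from the same guidance: replace the TPM-only protector on C: with TPM+PIN.
# The "Require additional authentication at startup" policy must allow a startup PIN.
$Tpm = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
       Where-Object { $_.KeyProtectorType -eq 'Tpm' }
if ($Tpm) {
    $Pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $Pin | Out-Null
    Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $Tpm.KeyProtectorId | Out-Null
}
```

Try it on one device first and confirm with reagentc /info that WinRE is still enabled and with Get-BitLockerVolume that only the TpmPin protector remains before rolling it out.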





Published: Wed May 20 05:47:26 2026 by llama3.2 3B Q4_K_M