YellowKey: New Unpatched Windows 11 BitLocker Bypass Lets a USB Stick Unlock Your Drive

York Computer Repair

A security researcher has publicly released working exploit code that defeats Windows 11's built-in BitLocker drive encryption using nothing more than a USB stick and a few keystrokes. The flaw, nicknamed YellowKey, is unpatched, affects Windows 11 and Windows Server 2022/2025 (Windows 10 is not affected), and has already been independently reproduced by multiple researchers. If your laptop is lost or stolen, the encryption you thought was protecting your files may not be.

What YellowKey actually does

A researcher operating under the alias Nightmare-Eclipse (also seen as Chaotic Eclipse) published a working proof-of-concept on May 12, 2026 that defeats Windows BitLocker drive encryption on Windows 11, Windows Server 2022, and Windows Server 2025. The exploit, dubbed YellowKey, needs only physical access to the device and a USB stick. No recovery key. No password. No expensive hardware.

The attack abuses the Windows Recovery Environment (WinRE), the built-in repair mode normally used to fix unbootable PCs. Specifically, it targets a code path inside WinRE that replays NTFS log data from a folder called FsTx on an attached drive. When WinRE replays those logs, it deletes the file that would normally lock down the recovery shell, and the next reboot drops the attacker into a command prompt with the BitLocker-protected drive already mounted and readable.

The researcher even notes that you don't strictly need the USB stick. If you can pull the disk out of the target machine for long enough to write the FsTx folder to the EFI system partition, then put the disk back in, the exploit still triggers. That bypasses the "no removable media" mitigation that some enterprise images apply.

Who is at risk

The publicly released YellowKey tool targets the default BitLocker configuration that most Windows 11 business laptops ship with: TPM-only, no pre-boot authentication, transparent unlock on boot. TPM-only mode is also the default on most consumer machines. That means business laptops, work-from-home machines, and anything a small business handed to an employee with default settings.

It is worth noting that testing YellowKey with a BitLocker-protected drive must be performed on the original device, where the TPM stores the encryption keys. As such, Chaotic Eclipse's current YellowKey exploit does not work with stolen drives but allows access to disks that are protected with TPM-only BitLocker without needing credentials. Translation: someone who steals just your hard drive can't use this, but someone who steals or borrows your whole laptop can.

The researcher claims the same flaw also works against TPM+PIN but has declined to publish that version, saying "what's out there is already bad enough." If your laptop runs Windows 10, you're not affected by this specific bypass — but Windows 10 is also no longer getting free security updates, which is its own problem if you're still running it and want our Windows PC repair shop to keep it healthy.

Is this really a backdoor?

The researcher believes so, writing: "Now why would I say this is a backdoor? The component that is responsible for this bug is not present anywhere (even on the internet) except inside the WinRE image, and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal Windows installation but without the functionalities that trigger the BitLocker bypass issue. Why? I just can't come up with an explanation besides the fact that this was intentional. Also, for whatever reason, only Windows 11 (+Server 2022/2025) are affected; Windows 10 is not."

Other researchers are skeptical of the backdoor claim but agree the exploit works. Several security researchers, including Kevin Beaumont, KevTheHermit, and Will Dormann, have tested the exploit and confirmed it works even against recent Windows 11 builds.

Microsoft has not, at the time of writing, issued a public acknowledgment of YellowKey or assigned a CVE. Microsoft provided the following statement when contacted: "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."

What to do right now

Until Microsoft ships a fix, the practical mitigations are:

1. **Add a BitLocker PIN.** Independent security researcher Kevin Beaumont confirmed that the YellowKey exploit is valid and agreed that BitLocker has a backdoor. He recommended using a BitLocker PIN and a BIOS password as a mitigation. A pre-boot PIN means the drive won't unlock automatically when WinRE starts.
2. **Set a BIOS/UEFI password** so an attacker can't easily change boot order or boot from external media.
3. **Don't leave laptops unattended in public:** coffee shops, hotel rooms, conference tables. This attack takes only a few minutes of physical access.
4. **Keep Windows Update on.** When Microsoft does patch this, you want the fix the day it ships. If your PC has been struggling with updates or running slow enough that you put them off, an SSD or memory upgrade usually fixes that faster than fighting the symptoms.
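One way to check whether a machine is in the TPM-only configuration described above, as an added example that is not from the researcher or from Microsoft. It uses the built-in `Get-BitLockerVolume` cmdlet from an elevated PowerShell prompt; the function name `Get-PreBootAuthFinding` and the finding strings are made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added audit example: report whether each OS volume can unlock from the TPM
# alone (no PIN or startup key), the configuration the article says the
# public YellowKey tool targets.

# Protector types that demand something from the user before Windows boots.
$preBootTypes = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey'

# Hypothetical helper name; takes one object returned by Get-BitLockerVolume.
function Get-PreBootAuthFinding {
    param([Parameter(Mandatory)] $Volume)

    # Normalise the protector enum values to strings for comparison.
    $types   = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $preBoot = @($types | Where-Object { $_ -in $preBootTypes })

    $finding = if ("$($Volume.VolumeStatus)" -eq 'FullyDecrypted') {
        'Not encrypted'
    } elseif ("$($Volume.ProtectionStatus)" -ne 'On') {
        'Protection off or suspended'
    } elseif ($preBoot.Count -gt 0) {
        'Pre-boot authentication required'
    } elseif ($types -contains 'Tpm') {
        'TPM-only: unlocks with no PIN'
    } else {
        'No TPM protector: review manually'
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Protectors = $types -join ', '
        Finding    = $finding
    }
}

# Only the operating-system volume is unlocked by the TPM at boot.
Get-BitLockerVolume |
    Where-Object { "$($_.VolumeType)" -eq 'OperatingSystem' } |
    ForEach-Object { Get-PreBootAuthFinding -Volume $_ } |
    Format-Table -AutoSize

# To add a PIN to a TPM-only OS volume (prompts for the PIN; not run here):
#   $pin = Read-Host -AsSecureString 'New BitLocker PIN'
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin
```

Adding the TPM+PIN protector generally requires the "Require additional authentication at startup" Group Policy setting to allow a startup PIN first.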

If your laptop has already been lost, stolen, or tampered with, assume the data on it is readable and act accordingly: change passwords, rotate any saved credentials, and notify your bank or employer. If the drive itself is damaged and you need files off it, drive recovery is a separate process from encryption — we can usually pull data off a failing disk even when Windows can't boot.

What This Means for York, PA

York-area customers who travel with a work laptop, leave a machine at a job site, or run a small business with employees on the road are the realistic risk population here. If you want help enabling a BitLocker PIN, setting a BIOS password, or auditing your laptop's encryption settings, walk in to York Computer Repair at 2069 Carlisle Rd or call 717-739-9675 — we can check your configuration in a few minutes.
