Windows 11 BitLocker Encryption Completely Bypassed by Unpatched Zero-Day Exploit
Researcher releases working exploit code for YellowKey vulnerability after disclosure dispute with Microsoft, leaving enterprise and government systems exposed with no patch timeline.
A fully functional exploit that bypasses Windows 11’s BitLocker encryption went public on 12 May, leaving millions of enterprise and government devices vulnerable to physical access attacks with no available patch.
The vulnerability, dubbed YellowKey, allows attackers with physical access to unlock BitLocker-protected drives in under five minutes using a USB drive or modified EFI partition. Published by researcher Nightmare-Eclipse alongside proof-of-concept code on GitHub, the exploit affects Windows 11, Windows Server 2022, and Windows Server 2025 — but not Windows 10. As of 15 May, Microsoft has acknowledged the issue but provided no patch timeline, according to The Hacker News.
Independent security researchers Kevin Beaumont, KevTheHermit, and Will Dormann confirmed the exploit works on fully patched Windows 11 builds. “I was able to reproduce [YellowKey] with a USB drive attached,” Dormann told BleepingComputer. “It looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE.”
May 2026 Patch Tuesday marked the first monthly Microsoft security package in 22 months without an exploited or publicly disclosed zero-day. The 22-month streak averaged 3.5 zero-days per month. Microsoft patched 120 vulnerabilities on 12 May but did not address YellowKey or GreenPlasma, per BleepingComputer Patch Tuesday analysis.
How the exploit works
YellowKey exploits a component called FsTx — part of Windows’ Transactional NTFS subsystem — to manipulate boot configuration files across drives. The researcher demonstrated that this component, present in Windows Recovery Environment but with more limited functionality in standard Windows installations, can modify critical files on other volumes even when BitLocker is enabled, according to Bitdefender.
The exploit chain requires physical access and either a bootable USB drive or direct EFI partition modification. Once executed, it bypasses BitLocker protections by altering boot files that govern encryption handshake protocols. The researcher claims TPM+PIN configurations offer no protection: “No, TPM+PIN does not help, the issue is still exploitable regardless,” Nightmare-Eclipse stated in GitHub discussions.
A related BitLocker bypass technique, CVE-2025-48804, was patched in July 2025 but remains exploitable due to unrevoked PCA 2011 certificates that enable boot manager downgrade attacks. That vulnerability also permits encrypted drive access via certificate validation gaps, according to research from Intrinsec disclosed in early 2025.
Enterprise and government exposure
YellowKey poses immediate risks to organisations relying on BitLocker for compliance with FedRAMP, DoD security requirements, and data protection regulations. Physical access attacks — once considered lower priority due to environmental controls — become viable threat vectors in scenarios involving lost or stolen devices, supply chain interdiction, or insider threats with hardware access.
The disclosure occurred the same day as May Patch Tuesday, a timing that amplifies operational risk. Enterprise security teams typically batch-test and deploy monthly patches over 7- to 14-day cycles. With YellowKey publicly exploitable and no patch available, organisations face a coverage gap with no technical mitigation beyond hardware-level controls like BIOS passwords or chassis intrusion detection — measures that were not designed to compensate for OS-level encryption failures.
“This is one of the most insane discoveries I’ve ever found. It almost feels like a backdoor, but what do you know, maybe I’m just insane.”
— Nightmare-Eclipse, security researcher
A second zero-day released alongside YellowKey, GreenPlasma, exploits the Windows CTFMON service to enable arbitrary memory section creation for privilege escalation. While the researcher published incomplete proof-of-concept code for GreenPlasma, the combination of both vulnerabilities creates a potential attack chain: physical access via YellowKey followed by privilege escalation via GreenPlasma to establish persistence or exfiltrate credentials.
Researcher retaliation pattern
YellowKey marks the fifth zero-day Nightmare-Eclipse has disclosed in 2026. Previous releases include BlueHammer (CVE-2026-33825, patched in April), RedSun (April), and two Windows Defender exploits (2 and 15 April). The researcher has publicly stated that the disclosure pattern stems from disputes over how Microsoft handles vulnerability reports.
In GitHub comments accompanying the YellowKey release, the researcher suggested the vulnerability’s existence raises questions about intentional design: “I just never managed to understand why this vulnerability is sooo well hidden.” The researcher promised a “big surprise” for the next Patch Tuesday in June 2026, implying additional undisclosed vulnerabilities.
Microsoft responded with a standard statement: “We have a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible.” The company has not issued a CVE identifier for YellowKey or provided estimated remediation timelines.
What to watch
Microsoft’s response velocity will determine whether YellowKey becomes a widely exploited attack vector or a contained incident. If an out-of-band security update does not arrive before June Patch Tuesday (10 June), enterprises will face a 29-day exposure window from initial disclosure — sufficient time for nation-state APT groups to weaponise the exploit for targeted operations.
Cyber insurance underwriters are likely to scrutinise BitLocker-dependent security architectures in policy renewals, particularly for organisations with high-value data or regulatory obligations. Expect premium adjustments and coverage exclusions for physical access scenarios if Microsoft’s patch timeline extends beyond two weeks.
Monitor MSRC advisories and the researcher’s GitHub activity for additional disclosures. The promised June “surprise” suggests more critical vulnerabilities await public release, potentially targeting other core Windows security subsystems. Organisations should inventory hardware with physical access risk profiles and evaluate alternative full-disk encryption solutions — particularly for mobile devices and field-deployed systems where BitLocker represents the sole data protection layer.
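One way to start the inventory recommended above is to record, per host, the Windows build and the BitLocker protector configuration, and to flag the hosts that fall into the product families the article reports as affected (Windows 11, Windows Server 2022 and Windows Server 2025; Windows 10 is reported as not affected). The following PowerShell is an added example, not code from the article, from Microsoft or from the researcher. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is present and the session is elevated, and the mapping from build numbers to product families is an assumption based on public Microsoft build numbering rather than anything stated on the page. It reports configuration only; it makes no claim that any protector type mitigates the issue.

```powershell
# Added example (not from the article or the researcher): inventory a host's OS build
# and BitLocker protector configuration so that devices in the reported affected set
# can be listed for physical-access risk review.
# Assumptions: BitLocker module available, elevated session, build-to-family mapping below.

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$build    = [int]$os.BuildNumber
$isServer = $os.ProductType -ne 1   # ProductType: 1 = workstation, 2 = domain controller, 3 = server

# Assumed build-to-family mapping (assumption, not from the article):
#   client 22000+        -> Windows 11
#   client 10240..19045  -> Windows 10
#   server 20348         -> Windows Server 2022
#   server 26100         -> Windows Server 2025
$family = if ($isServer) {
    switch ($build) {
        20348   { 'Windows Server 2022' }
        26100   { 'Windows Server 2025' }
        default { "Windows Server (build $build)" }
    }
} elseif ($build -ge 22000) { 'Windows 11' }
elseif ($build -ge 10240)   { 'Windows 10' }
else                        { "Windows (build $build)" }

# Families the article reports as affected; Windows 10 is reported as not affected.
$reportedAffected = @('Windows 11', 'Windows Server 2022', 'Windows Server 2025')
$inReportedScope  = $family -in $reportedAffected

# One record per BitLocker volume, with the protector types joined into a single string
# (for example "TpmPin, RecoveryPassword") so the output is easy to aggregate fleet-wide.
$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        VolumeStatus     = $_.VolumeStatus
        ProtectionStatus = $_.ProtectionStatus
        EncryptionMethod = $_.EncryptionMethod
        Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

# Emit a single JSON document per host for collection into an inventory system.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OSCaption       = $os.Caption
    Build           = $build
    Family          = $family
    InReportedScope = $inReportedScope
    Volumes         = $volumes
} | ConvertTo-Json -Depth 4
```

Run it locally on a sample host first, then distribute it with Invoke-Command or your endpoint management tooling and collect the JSON. Hosts where InReportedScope is true and the OS volume shows ProtectionStatus of On are the ones whose physical-access risk profile (mobile, field-deployed, shared-space) should be reviewed against the hardware-level controls the article mentions, since the output itself does not indicate whether a given configuration is exploitable.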