YellowKey: A BitLocker Zero-Day That Only Needs a USB Stick
The Attack in Plain Terms
A security researcher going by Nightmare-Eclipse published a working proof-of-concept exploit on May 12–13, 2026 that bypasses Windows 11 BitLocker encryption using nothing more than a USB stick and physical access to the machine. The vulnerability is called YellowKey; it is unpatched, and Microsoft says it is still investigating.
The BitLocker zero-day does not involve guessing keys, cracking cryptography, or planting malware in advance. The attacker copies a specific folder structure to a USB drive, inserts it into the locked machine, boots into Windows Recovery Environment (WinRE) while holding CTRL, and receives a shell with unrestricted read and write access to the BitLocker-protected volume. Five minutes of physical access is enough.
Inside the BitLocker Zero-Day: WinRE’s Hidden Component
WinRE is the recovery environment (the winre.wim image) that ships with every Windows 11 installation, normally on its own recovery partition. It can access the OS drive to perform repairs; that is by design, because a repair tool needs disk access. The problem is a component called FsTx, which Nightmare-Eclipse describes as present inside the WinRE image, undocumented anywhere public, and behaving differently there than in a normal Windows installation.
The attacker's USB drive carries an FsTx folder placed at \System Volume Information\FsTx on the stick. When the machine boots into WinRE and WinRE processes that path, the component spawns a shell that inherits WinRE's drive access, which on a TPM-only system is full, unencrypted access to the BitLocker volume. Nothing is required from the attacker: no recovery key, no PIN, no interaction with the TPM.
The researcher notes that the same component exists in standard Windows installations but without the problematic behavior. Whether that divergence is a bug or something more deliberate is an open question. Nightmare-Eclipse raises the possibility of intentional inclusion without committing to it.
GreenPlasma: The Companion Privilege Escalation
Alongside YellowKey, the researcher published GreenPlasma, a partial PoC for a local privilege escalation through CTFMON, the Windows text input service. The bug abuses CTFMON's trust in certain paths so that an attacker can create arbitrary section (memory-mapped) objects inside object manager directories that are writable to SYSTEM. With enough manipulation, that becomes a full SYSTEM shell.
GreenPlasma is confirmed on Windows 11, Server 2022, and Server 2026. The researcher withheld the completion step deliberately, framing it as a CTF challenge — so the full PoC is not public. The partial release is still useful as a detection fingerprint.
The two exploits pair naturally: YellowKey opens the disk, and GreenPlasma takes code already running as an ordinary user to SYSTEM. An attacker with a few minutes of unsupervised physical access can exfiltrate data and persist across reboots.
A Researcher with a Pattern and a Grievance
This is not a random report. Nightmare-Eclipse has a track record of Windows vulnerability research: the YellowKey repository reached 2,500 stars and 537 forks within days of release. Other repositories — RedSun, BlueHammer, UnDefend — all target Windows components, and the account’s history references three Windows Defender zero-days that Microsoft reportedly declined to patch.
Publishing weaponized PoCs without a coordinated disclosure window is controversial in security circles. These releases sit squarely in that category: functional exploit code, no CVE, no patch. Microsoft has confirmed it is investigating but has not committed to a timeline.
The motivation matters because it predicts what comes next. Researchers who feel ignored by vendors tend to keep publishing. GreenPlasma’s missing final step is still out there somewhere.
What Defenders Can Do Now
BitLocker with the default TPM-only protector is the most common enterprise deployment, and it is the configuration YellowKey breaks. In TPM-only mode the TPM releases the volume key to any boot path whose measurements match what the key was sealed against, with no PIN or startup key, and WinRE launched from the installed boot manager is one of those trusted paths. The OS volume is therefore already unlocked by the time WinRE starts. The attack exploits that trust.
The mitigations are specific and available today:
- Enable a BitLocker pre-boot PIN or USB startup key. With a TPM+PIN or TPM+startup key protector the TPM does not release the volume key until the second factor is supplied at the pre-boot prompt, so WinRE no longer starts with the OS volume already unlocked. The Group Policy path is Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Require additional authentication at startup. Note that the policy only permits the stronger protector; volumes already protected with TPM-only still need their protector replaced on each machine.
- Disable WinRE where it is not needed. On machines where recovery via WinRE is not operationally required, run reagentc /disable. This removes the recovery environment from the boot path, and with it Startup Repair and Reset this PC, so keep another recovery route (bootable media plus the BitLocker recovery key) for those machines.
- Lock BIOS/UEFI boot order. Password-protect firmware settings and disable external boot devices. One caveat: as the attack is described above, the USB stick only carries the FsTx folder and the machine boots its own installed WinRE, so a locked boot order does not by itself stop it. It does block variants that boot an attacker-controlled recovery image from the stick, and it is still the right baseline.
- Apply physical access controls. The attack requires unsupervised physical access. The threat model question is concrete: can an adversary walk up to this machine for five minutes?
None of these controls are new. They are exactly what BitLocker documentation recommends for high-security deployments, and exactly what most organizations skip because they add friction to daily use.
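The following PowerShell script is an added example for this article; it is not the researcher's PoC and not Microsoft code. It audits a host for the conditions described above (a TPM-only protector on the OS volume, WinRE enabled, and a staged \System Volume Information\FsTx folder on any attached removable drive) and, when run with -Apply, replaces the TPM-only protector with TPM+PIN and optionally disables WinRE. The cmdlets used (Get-BitLockerVolume, Add-BitLockerKeyProtector, Get-Volume) and reagentc.exe are standard on Windows 11; the function names, parameter names and the FVE registry policy values it reads are this example's own assumptions, and it must run from an elevated prompt.

```powershell
# Added example, not from the original article or the YellowKey repository.
# Assumes: elevated PowerShell on Windows 11, BitLocker module present,
# reagentc.exe present. Reports by default; changes nothing without -Apply.
[CmdletBinding()]
param(
    [switch]$Apply,                        # actually change protectors / WinRE
    [switch]$DisableWinRE,                 # only where WinRE recovery is not needed
    [string]$MountPoint = $env:SystemDrive # OS volume, e.g. "C:"
)

function Get-OsVolumePosture {
    # A volume whose only TPM-family protector is plain 'Tpm' auto-unlocks
    # for any trusted boot path, WinRE included.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $second = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = $types
        TpmOnly          = ($types -contains 'Tpm') -and -not $second
    }
}

function Get-StartupAuthPolicy {
    # "Require additional authentication at startup" lands in these FVE values
    # (assumed here from the policy's registry mapping). UseTPMPIN: 0 = not
    # allowed, 1 = required, 2 = allowed. Missing key = policy not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return [pscustomobject]@{ Configured = $false; PinAllowed = $false } }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Configured = [bool]$p.UseAdvancedStartup
        PinAllowed = [bool]$p.UseAdvancedStartup -and ($p.UseTPMPIN -in 1, 2)
    }
}

function Get-WinReState {
    # reagentc /info prints a "Windows RE status: Enabled|Disabled" line.
    $line = (reagentc /info 2>&1) | Where-Object { $_ -match 'Windows RE status' } | Select-Object -First 1
    if ($line -match ':\s*(\w+)') { $Matches[1] } else { 'Unknown' }
}

function Find-StagedFsTx {
    # The article says the attacker stages \System Volume Information\FsTx on
    # the USB stick. That folder is ACL-protected, hence the elevation requirement.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $path = "$($_.DriveLetter):\System Volume Information\FsTx"
        if (Test-Path -LiteralPath $path) { $path }
    }
}

$os     = Get-OsVolumePosture
$policy = Get-StartupAuthPolicy
$re     = Get-WinReState

Write-Host "OS volume $($os.MountPoint): protection=$($os.ProtectionStatus) protectors=$($os.Protectors -join ',')"
Write-Host "Startup auth policy configured=$($policy.Configured) pinAllowed=$($policy.PinAllowed); WinRE=$re"
Find-StagedFsTx | ForEach-Object { Write-Warning "Staged FsTx folder found at $_" }

if ($os.TpmOnly) {
    Write-Warning "TPM-only protector: WinRE can unlock $($os.MountPoint) without a PIN."
    if ($Apply) {
        if (-not $policy.PinAllowed) {
            throw "Policy does not allow a startup PIN; enable 'Require additional authentication at startup' first."
        }
        $pin = Read-Host -AsSecureString 'Enter the new pre-boot PIN'
        # Replaces the TPM-only protector; the PIN is then demanded at every boot,
        # including boots into the installed WinRE.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
        Write-Host "TPM+PIN protector added on $($os.MountPoint)."
    }
}

if ($DisableWinRE -and $re -eq 'Enabled') {
    if ($Apply) { reagentc /disable | Out-Null; Write-Host 'WinRE disabled; keep bootable media and the recovery key for repairs.' }
    else        { Write-Host 'WinRE is enabled; rerun with -Apply -DisableWinRE to turn it off.' }
}
```

Run it without switches first to see the posture report. The policy check matters because Add-BitLockerKeyProtector refuses to create a TPM+PIN protector when Group Policy does not permit a startup PIN, so the script fails early with a clear message rather than leaving the volume half-changed. Confirm the new protector with Get-BitLockerVolume before deploying the change fleet-wide, and record the recovery password for every volume you touch.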
What We’re Watching
Microsoft has not patched this and has not assigned a CVE. The researcher has shown a clear pattern of publishing without waiting for vendor remediation. The most likely outcomes are a quiet fix in an upcoming Patch Tuesday, or the full GreenPlasma PoC appearing next.
For product teams shipping on Windows or managing Windows developer machines: the threat model for disk encryption just changed. A stolen or briefly unattended laptop with TPM-only BitLocker is now an open file system, with working exploit code on GitHub and 537 forks. If you are responsible for machines that touch customer data, credentials, or source code, a pre-boot PIN is no longer optional — it is the minimum viable control.
Security posture is a product decision. If you want help thinking through how your team’s physical and data security practices hold up, talk to us.
Sources
- YellowKey — BitLocker Bypass Vulnerability — Nightmare-Eclipse, GitHub, May 2026
- GreenPlasma — Windows CTFMON Elevation of Privileges — Nightmare-Eclipse, GitHub, May 2026
- Windows BitLocker zero-day gives access to protected drives, PoC released — BleepingComputer, May 13, 2026
- YellowKey Tool Bypasses Windows 11 BitLocker Using Only a USB Stick — Hot Hardware, May 14, 2026