USB stick opens Windows BitLocker drives in new zero-day


Disgruntled researcher publishes YellowKey proof-of-concept.

An unnamed security researcher using the monikers "Nightmare-Eclipse" and "Chaotic Eclipse" has published a simple bypass for Microsoft's disk encryption technology BitLocker on Windows, using a memory stick with specially crafted files on it.


The researcher named the vulnerability YellowKey. It works against Windows 11 as well as Windows Server 2022 and 2025, and requires physical access to computers.

Exploiting YellowKey entails copying a directory called FsTx, inside a System Volume Information folder, onto a USB drive.

Next, an attacker would reboot the target computer into the Windows Recovery Environment (WinRE) with the USB drive inserted.

Windows uses a file system feature called Transactional NTFS to replay operations, and WinRE picks up the FsTx logs on the attached USB drive, principal vulnerability analyst Will Dormann of Tharros Labs wrote.

Transactional NTFS, or TxF, was introduced in Windows Vista, which was released to consumers in 2007, but Microsoft has deemed the feature too complex and has said it is likely to be removed in a future version.

When replayed, the NTFS transaction logs delete a winpeshl.ini file that controls which application WinRE launches on startup.

Without the .ini file, WinRE falls back on a command prompt window, with the BitLocker protected volume transparently decrypted by the Trusted Platform Module (TPM) chip, providing unrestricted file system access without any credentials being supplied.

Confirming the YellowKey exploit, Dormann observed that the FsTx log on the USB drive can, in fact, modify files on a separate volume, when replayed by WinRE.

He called this the "buried lede" and added, "To me, this in and of itself sounds like a vulnerability" as that behaviour is distinct from, and arguably more important than, the BitLocker bypass it enables.

The implication of this is that YellowKey may be exploiting a deeper flaw in how Windows handles cross-volume NTFS transaction replay during recovery, one whose boundaries and full consequences are not yet understood.

Dormann suggested that requiring a user-supplied PIN in addition to TPM authentication mitigates YellowKey, but Nightmare-Eclipse said it doesn't.

Nightmare-Eclipse said that there is a variant of the exploit that bypasses the additional PIN protection, but said "what's out there is already bad enough" and declined to publish the exploit.
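The bypass described above relies on a BitLocker volume that the TPM unlocks with no user secret, and on WinRE being available at boot. The following audit script is an added example, not code from the article or from the researcher; it assumes the BitLocker PowerShell module (Get-BitLockerVolume) and reagentc.exe are present and that it runs from an elevated prompt. It only reports exposure: as the article notes, a PIN is not a confirmed fix.

```powershell
# Added audit script (not from the article or the researcher). Assumes the
# BitLocker module and reagentc.exe are available and the shell is elevated.

function Get-WinREStatus {
    # reagentc /info prints a line of the form "Windows RE status: Enabled".
    $info = & reagentc.exe /info 2>&1
    foreach ($line in $info) {
        if ($line -match 'Windows RE status:\s*(\w+)') { return $Matches[1] }
    }
    return 'Unknown'
}

function Get-BitLockerExposure {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, Password, ExternalKey.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A bare 'Tpm' protector lets the TPM release the key at boot with no
        # user input, which is what the WinRE command-prompt fallback relies on.
        $tpmOnly    = $types -contains 'Tpm'
        $tpmWithPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnlyUnlock    = $tpmOnly -and -not $tpmWithPin
        }
    }
}

$winre   = Get-WinREStatus
$volumes = Get-BitLockerExposure

Write-Host "Windows RE status: $winre"
$volumes | Format-Table -AutoSize

# Flag the combination the article describes: auto-unlocking volume plus
# an enabled recovery environment. Treat this as an inventory finding, not
# as proof of safety or compromise.
$exposed = $volumes | Where-Object { $_.TpmOnlyUnlock -and $_.ProtectionStatus -eq 'On' }
if ($exposed -and $winre -eq 'Enabled') {
    Write-Warning "TPM-only BitLocker volume(s) with WinRE enabled: $($exposed.MountPoint -join ', ')"
}
```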

Together with YellowKey, the researcher also published partial details for a privilege escalation vulnerability for Windows 11 and Server 2022/2025 they named GreenPlasma, saying it can be turned into a full proof-of-concept "if you're smart enough".

The researcher has published earlier exploits such as BlueHammer (CVE-2026-33825) and RedSun, local privilege escalation exploits for Windows, both of which have been used in the wild by attackers.

Nightmare-Eclipse said they attempted responsible disclosure with BlueHammer, but that the case was dismissed by the Microsoft Security Response Center (MSRC).

Announcing YellowKey and GreenPlasma, the researcher wrote that "Microsoft has chosen to make this worst [sic] instead of resolving the situation like adults, they pulled every childish game possible," and warned that further disclosures were planned for the next Patch Tuesday.

The researcher also suggested YellowKey is an intentional backdoor.

"The component that is responsible for this bug is not present anywhere (even in the internet) except inside WinRE image and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal windows installation but without the functionalities that trigger the bitlocker [sic] bypass issue," they wrote.

Copyright © iTnews.com.au . All rights reserved.