YellowKey: The BitLocker Zero‑Day That Bypasses Disk Encryption via Windows Recovery Environment

Unlike remote exploits, YellowKey requires physical access to the device. An attacker must be able to reboot the system and interact with its boot or recovery environment.

Despite this limitation, the vulnerability is significant because many security models assume BitLocker encryption protects data if a device is stolen or temporarily seized.

How the YellowKey Exploit Works

Public proof‑of‑concept demonstrations show the attack leveraging behavior inside the Windows Recovery Environment, a built‑in system used for troubleshooting and repairing Windows installations.

At a high level, the exploit works as follows:

• The attacker prepares a USB drive or EFI partition containing specially crafted FsTx (Transactional NTFS) files.
• The target system is rebooted into Windows Recovery Environment (WinRE).
• When WinRE processes the malicious FsTx files during its recovery routines, the exploit triggers behavior that can spawn a shell with access to the system’s storage volume.
• Because of how the environment handles the filesystem state during recovery, the BitLocker‑protected volume may become accessible from that shell.

Reports describe this as effectively bypassing BitLocker’s protection during the recovery process, allowing access to data that should normally remain encrypted.

Why Physical‑Access Attacks Still Matter

Even though the vulnerability requires physical access, that scenario is common in real‑world incidents. Examples include:

• stolen or lost laptops
• temporarily seized devices (for example during travel or inspections)
• unattended workstations
• branch‑office or kiosk systems

Organizations that rely on TPM‑only BitLocker unlocking may be especially exposed because the system can automatically unlock the disk during boot without requiring user input.

Microsoft’s Recommended Mitigations

At the time the issue became public, Microsoft acknowledged the vulnerability but had not yet released a full patch. Instead, the company published mitigation guidance for administrators.

Key mitigation steps include:

1. Remove the autofstx.exe BootExecute entry

Administrators are advised to remove the autofstx.exe entry from the WinRE image’s BootExecute registry value. This prevents the Transactional NTFS replay behavior that the exploit relies on.

2. Enable BitLocker TPM + PIN

Microsoft recommends configuring BitLocker with TPM + PIN authentication instead of TPM‑only unlock. This requires a user‑provided PIN during boot and significantly reduces the chance that a physical attacker can access the disk.

3. Harden boot and recovery settings

Additional defense‑in‑depth measures include:

• disabling or restricting USB/external boot
• protecting UEFI/BIOS settings with strong administrator passwords
• ensuring Secure Boot remains enabled
• monitoring for changes to WinRE or boot configuration

These controls help reduce the likelihood that an attacker can reach the recovery environment required for the exploit.

The Researcher Behind YellowKey

The vulnerability was publicly disclosed by a security researcher using the aliases Chaotic Eclipse and Nightmare‑Eclipse, who released proof‑of‑concept exploit code describing the technique.

The disclosure was part of a broader series of Windows vulnerability reports attributed to the same researcher, including other zero‑day issues targeting Microsoft components.

Security experts often note that once proof‑of‑concept code becomes public, the barrier to exploitation decreases significantly, especially before vendors release patches.

What Organizations Should Monitor

Until a full patch is available, security teams should watch for signals that suggest attempted exploitation, such as:

• unexpected boots into Windows Recovery Environment
• changes to WinRE images or BootExecute settings
• modified boot order, EFI partitions, or Secure Boot configuration
• unauthorized USB boot attempts
• unexpected BitLocker protector or TPM configuration changes

Monitoring these indicators can help detect tampering with the recovery or boot process associated with this attack path.

The Bigger Lesson for Disk Encryption

YellowKey highlights an important security principle: full‑disk encryption alone cannot guarantee protection if attackers can manipulate the system’s boot or recovery chain.

Recovery environments, boot loaders, and firmware settings are part of the same trust boundary as the encryption mechanism itself. Weaknesses in any of these components can undermine the protection that disk encryption is meant to provide.

For organizations relying on BitLocker, combining encryption with pre‑boot authentication, firmware protections, and strict boot controls remains essential until Microsoft releases a complete fix for CVE‑2026‑45585.