BitLocker Bypassed: Researcher Drops “YellowKey” Zero-Day, Exposing Protected Drives with a USB Stick
A disgruntled security researcher has publicly released a working exploit that circumvents Microsoft’s BitLocker disk encryption on Windows 11 and Windows Server 2022/2025 — no password, no decryption key required.
A zero-day vulnerability capable of bypassing Microsoft’s BitLocker Full Disk Encryption has been publicly disclosed — along with working proof-of-concept code — by a pseudonymous security researcher operating under the aliases Chaotic Eclipse and Nightmare-Eclipse. The exploit, codenamed YellowKey, affects Windows 11 and Windows Server 2022 and 2025, and has been independently verified by multiple security professionals. Microsoft has not issued a patch or assigned a CVE as of the time of publication.
The disclosure marks the third wave of zero-day releases from the same researcher in 2026, following earlier exploits dubbed BlueHammer, RedSun, and UnDefend — several of which were rapidly weaponized in real-world attacks after being made public. Security firm Huntress has linked earlier exploits from this campaign to confirmed intrusions observed in April 2026.
How YellowKey Works
BitLocker is Microsoft’s built-in full disk encryption, introduced in Windows Vista. It encrypts the volume with AES (XTS-AES on current Windows releases, AES-CBC on older ones), so that under normal circumstances even someone with direct physical access to the storage hardware cannot read the data without the key that protects the volume.
YellowKey does not break AES. It abuses a design flaw in the Windows Recovery Environment (WinRE), the built-in repair mode that Windows boots into to troubleshoot startup failures. The WinRE boot path is part of the boot chain that the TPM measures and trusts, so a machine whose OS volume is protected by the TPM alone will unlock it automatically when it boots into recovery. YellowKey exploits precisely that window.
- Step 1: The attacker obtains physical access to the target device.
- Step 2: Specially crafted FsTx files are placed on a USB drive (or on the EFI partition).
- Step 3: The USB drive is inserted and the machine is rebooted into WinRE.
- Step 4: A CTRL key sequence is held during boot to trigger a shell.
- Result: The attacker gains unrestricted shell access to the BitLocker-protected volume.
- Limit: Does NOT work against a drive that has been removed from its machine; the original device, with its TPM, must be present.
Independent security researcher Kevin Beaumont confirmed the exploit works as described, going so far as to characterize the underlying bug as resembling a backdoor. Will Dormann, principal vulnerability analyst at Tharros Labs, verified the USB-based variant but was unable to reproduce the EFI partition variant of the attack.
“One of the most insane discoveries I ever found.”
— Chaotic Eclipse / Nightmare-Eclipse, researcher
TPM and PIN Protections May Not Be Enough
Modern Windows installations typically pair BitLocker with the TPM alone, so the drive unlocks automatically during startup without the user entering a PIN. That convenience is the configuration most at risk: because the device decrypts itself at boot, an attacker who can force a boot into the recovery environment can exploit that window.
More alarming still, Chaotic Eclipse has stated that a version of the exploit works even in a TPM + PIN configuration — the strongest standard BitLocker setup. However, proof-of-concept code for this variant has deliberately not been released. “I just never managed to understand why this vulnerability is so well hidden,” the researcher wrote. “No, TPM+PIN does not help. The issue is still exploitable regardless — I’m just not publishing the PoC. I think what’s out there is already bad enough.”
A Second Zero-Day: GreenPlasma
Alongside YellowKey, the researcher also disclosed a second vulnerability, GreenPlasma, a privilege escalation flaw in ctfmon.exe, the Windows Collaborative Translation Framework process (CTFMON) that runs as SYSTEM in every interactive session. By abusing arbitrary memory section creation, an unprivileged user could manipulate privileged services or kernel-mode drivers that implicitly trust certain memory mappings.
The released proof-of-concept for GreenPlasma is intentionally incomplete and lacks the final component needed to achieve a full SYSTEM shell. The researcher framed this as a capture-the-flag challenge. Security analysts warn that even the partial disclosure provides meaningful technical groundwork for threat actors to build upon.
Context: A Disgruntled Researcher’s Campaign
This is not an isolated disclosure. The researcher — rumored in some circles to be a former Microsoft employee — began leaking Windows zero-days on April 2, 2026, claiming Microsoft had treated them unjustly. Previous releases (BlueHammer, RedSun, UnDefend) were subsequently observed being exploited in real-world intrusions within days of public release, according to Huntress threat intelligence data.
Microsoft has responded with a standard statement, affirming its commitment to investigating reported security issues and its support for coordinated vulnerability disclosure. However, the researcher maintains that prior reports were mishandled, a claim Microsoft has not directly addressed. Chaotic Eclipse has promised further disclosures timed to coincide with the next Patch Tuesday in June 2026.
Accuracy Assessment of Circulating Reports
Recommended Mitigations
No official patch is available. Security researchers recommend the following interim steps:
- Enable a BitLocker startup PIN in addition to the TPM. This adds pre-boot authentication that must be entered before the drive unlocks and blocks the released proof of concept; note that the researcher claims an unreleased variant works against TPM+PIN as well.
- Set a BIOS/UEFI firmware password to prevent unauthorized boot device selection; on its own it does not stop a reboot into the on-disk recovery environment.
- Enforce physical security controls; the exploit requires hands-on access to the device.
- Restrict or monitor Windows Recovery Environment (WinRE) usage in enterprise environments via Group Policy, or disable it outright on devices that do not need local recovery (reagentc /disable), accepting that this removes the built-in repair path.
- Review BitLocker configurations on high-sensitivity laptops and endpoints holding sensitive data.
- Monitor for suspicious WinRE invocations and USB insertion events in endpoint detection tools.
- Prepare incident-response playbooks for BitLocker bypass scenarios ahead of the June 2026 Patch Tuesday.
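The following PowerShell script is an added example, not code from the article or from the researcher. It audits the two conditions the mitigations above target (a TPM-only protector on the OS volume and an enabled WinRE) and can optionally replace the TPM-only protector with TPM+PIN or disable WinRE. It assumes the OS volume is C:, that the machine has a TPM, that reagentc prints its English status line, and that the policy value names match the BitLocker ADMX under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
#Requires -RunAsAdministrator
<#
Added example (not the article's or the researcher's code). Audits BitLocker
posture against the YellowKey mitigations and optionally enforces a startup PIN.
Assumptions: OS volume is C:, a TPM is present, reagentc output is in English,
and the FVE policy value names match the BitLocker ADMX.
#>
[CmdletBinding()]
param(
    [string]$MountPoint = 'C:',
    [switch]$EnforcePin,    # replace the TPM-only protector with TPM+PIN
    [switch]$DisableWinRE   # run reagentc /disable (removes the local repair path)
)

function Get-BitLockerPosture {
    param([string]$MountPoint)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    # reagentc /info prints a line such as "Windows RE status:  Enabled"
    $reInfo = (& reagentc.exe /info 2>&1) | Out-String
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = ($types -join ', ')
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        # TPM-only means a bare Tpm protector with no PIN-bearing protector alongside it
        TpmOnly          = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin') -and -not ($types -contains 'TpmPinStartupKey')
        WinREEnabled     = ($reInfo -match 'Windows RE status:\s+Enabled')
    }
}

function Set-StartupPinPolicy {
    # "Require additional authentication at startup" with a PIN required.
    # For the UseTPM* entries: 0 = do not allow, 1 = require, 2 = allow.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    $values = @{
        UseAdvancedStartup = 1
        EnableBDEWithNoTPM = 0
        UseTPM             = 0   # TPM-only no longer permitted
        UseTPMPIN          = 1   # TPM+PIN required
        UseTPMKey          = 0
        UseTPMKeyPIN       = 0
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $fve -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Convert-ToTpmAndPin {
    param([string]$MountPoint, [securestring]$Pin)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Keep a recovery password so the volume is never left without an escape hatch.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Write-Warning 'Added a recovery password protector; escrow it (e.g. Backup-BitLockerKeyProtector) before rebooting.'
    }
    # Only one TPM-based protector may exist, so drop the TPM-only one first.
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}

$posture = Get-BitLockerPosture -MountPoint $MountPoint
$posture | Format-List

if ($posture.ProtectionStatus -ne 'On') { Write-Warning "BitLocker protection is not On for $MountPoint." }
if ($posture.TpmOnly)      { Write-Warning 'TPM-only protector: the drive auto-unlocks at boot, the configuration YellowKey targets.' }
if ($posture.WinREEnabled) { Write-Warning 'WinRE is enabled; restrict or monitor it until a fix ships.' }

if ($EnforcePin -and $posture.TpmOnly) {
    $pin = Read-Host -Prompt 'Startup PIN (digits, 6-20)' -AsSecureString
    Set-StartupPinPolicy
    Convert-ToTpmAndPin -MountPoint $MountPoint -Pin $pin
    Get-BitLockerPosture -MountPoint $MountPoint | Format-List
}
if ($DisableWinRE) { & reagentc.exe /disable }
```

Run it without switches to get the report; add -EnforcePin to convert a TPM-only volume and reboot afterwards so the new protector is exercised at pre-boot. The registry values set local policy and will be overwritten by a conflicting domain GPO, so in a managed estate push the same "Require additional authentication at startup" setting centrally. Escrow the recovery password before removing the TPM protector, and bear in mind that a startup PIN defeats the released proof of concept only; the researcher claims the unreleased variant bypasses TPM+PIN as well.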
For GreenPlasma, no known mitigation exists at this time. Organizations should patch immediately when Microsoft addresses the issue.
