TL;DR
A security researcher has disclosed a zero-day exploit called YellowKey that can bypass BitLocker encryption by using a simple USB trick. The exploit works on Windows Server versions and poses significant risks for encrypted data security. Microsoft has not yet responded publicly.
Security researcher Chaotic Eclipse has publicly disclosed a zero-day exploit, named YellowKey, that allows full access to BitLocker-encrypted drives by simply copying files to a USB device and rebooting into Windows Recovery Environment, raising urgent security concerns for millions of users worldwide.
The YellowKey exploit was demonstrated by Eclipse, who claims it works on Windows Server 2022 and 2025, but not on Windows 10. The attack involves copying specific files to a USB stick and rebooting the target machine into Windows Recovery, after which the attacker can access the encrypted drive without needing the encryption keys. The exploit leaves no trace, as the malicious files disappear after use, mimicking a backdoor mechanism.
Microsoft has not issued an official statement regarding YellowKey. The researcher, Eclipse, noted that the vulnerability appears to bypass TPM and PIN protections, even on full TPM setups. The exploit’s ease of triggering and its stealthy nature make it particularly dangerous for organizations and individuals relying on BitLocker for data security.
Why It Matters
This development is significant because BitLocker encrypts millions of devices globally, including corporate, government, and personal systems. The exploit undermines the trust in BitLocker’s security, especially since it can be executed with minimal technical skills and leaves no obvious traces. If exploited, sensitive data stored on encrypted drives could be accessed by unauthorized parties, potentially leading to data breaches or espionage.
Background
Chaotic Eclipse, known for releasing zero-day exploits after disputes with Microsoft’s security team, previously disclosed vulnerabilities such as BlueHammer and RedSun, which affected Windows Defender privileges. The YellowKey exploit adds to this record, highlighting ongoing tensions and the potential for malicious disclosure. Microsoft has patched BlueHammer and allegedly patched RedSun, but the details of those fixes remain undisclosed. The vulnerability’s existence underscores the ongoing challenge of securing encryption mechanisms against sophisticated attacks.
“This exploit demonstrates a backdoor-like vulnerability in BitLocker that can be triggered with just some files on a USB stick.”
— Chaotic Eclipse
“We are investigating the claims and will update our security advisories accordingly.”
— Microsoft spokesperson (unofficial)
What Remains Unclear
It is not yet confirmed whether Microsoft has developed or plans to develop a patch for YellowKey. The full technical details of the exploit and its potential variants remain undisclosed, and the scope of affected systems beyond Windows Server versions is still unclear.
What’s Next
Microsoft is expected to investigate the vulnerability and may release security updates or patches in upcoming Patch Tuesday cycles. Security researchers and organizations should monitor official advisories and consider implementing additional safeguards. Further technical disclosures from Eclipse or other researchers could clarify the full extent of the threat.
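The article names TPM, PIN and the Windows Recovery Environment as the pieces involved but gives no detail on which settings, if any, mitigate YellowKey. What an administrator can do today is inventory exposure. The following PowerShell audit is an added example, not code from the article or from the researcher: it lists each BitLocker volume's key protectors, the TPM state and whether WinRE is enabled on the local machine, using only cmdlets and tools that ship with Windows (Get-BitLockerVolume, Get-Tpm, reagentc). The TpmOnly flag is an assumption of this example, marking volumes for review that rely on a bare TPM protector with no PIN or startup key; the article does not establish that such volumes are more or less affected.

```powershell
# Added audit example (not from the article or from the researcher). Run from an
# elevated PowerShell prompt on a machine with the BitLocker and
# TrustedPlatformModule modules present (Windows Server and BitLocker-capable
# client editions). It only reads configuration; it changes nothing.

$report = foreach ($vol in Get-BitLockerVolume) {
    # KeyProtectorType values seen here include Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey, Password, ExternalKey and RecoveryPassword.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Assumption for this audit: ignore the recovery password protector and flag
    # a volume whose remaining protector set is exactly a bare TPM.
    $nonRecovery = @($types | Where-Object { $_ -ne 'RecoveryPassword' })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus  # On / Off
        Protectors       = ($types -join ', ')
        TpmOnly          = (($nonRecovery -join ',') -eq 'Tpm')
    }
}

"== BitLocker volumes =="
$report | Format-Table -AutoSize

# TPM presence and readiness as reported by the operating system.
"== TPM =="
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated | Format-List

# Windows Recovery Environment status; the output contains a line such as
# "Windows RE status: Enabled" together with the WinRE image location.
"== Windows RE =="
reagentc.exe /info
```

Keep the output alongside the patch status of each host; when Microsoft publishes an advisory, the protector inventory tells you immediately which volumes to re-check rather than having to survey the fleet again.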
Key Questions
How does the YellowKey exploit work?
The exploit involves copying specific malicious files to a USB device and rebooting the target machine into Windows Recovery Environment, allowing access to the encrypted drive without the key.
Is my data at risk if I use BitLocker?
Potentially, yes, especially if your system is vulnerable to this exploit and you do not have additional protections in place. Microsoft has not yet confirmed patches, so users should exercise caution.
Has Microsoft responded publicly to this exploit?
No official statement has been issued. The company is reportedly investigating the claims and may release updates after further analysis.
Does this exploit work on all Windows versions?
It is confirmed to work on Windows Server 2022 and 2025, but not on Windows 10. The scope of other versions remains uncertain.