Digital Event Horizon
A new zero-day exploit has been published that lets an attacker with physical access bypass the default BitLocker configuration on Windows 11 systems within seconds. The YellowKey exploit uses a custom-made FsTx folder, placed on a USB drive, to manipulate the contents of another volume, granting complete access to an encrypted drive. While Microsoft is investigating, users should be aware that their data may not be adequately protected by default BitLocker settings.
A new zero-day exploit, YellowKey, lets an attacker with physical access to a Windows 11 system bypass default BitLocker protections.
The core of the exploit is a custom-made FsTx folder that abuses the transactional atomicity of Transactional NTFS.
The attacker copies the custom folder to an NTFS- or FAT-formatted USB drive, connects it to the BitLocker-protected machine, boots into the recovery environment and gains full access to the drive contents.
The bypass reliably defeats default Windows 11 deployments of BitLocker, which store the decryption key in a TPM with no PIN.
Other security measures such as BIOS password locks may not provide protection against this exploit.
Microsoft is investigating the reported vulnerability but has declined to comment further.
Ars Technica has been sounding the alarm about a new zero-day exploit that lets an attacker with physical access to a Windows 11 system bypass default BitLocker protections and gain complete access to an encrypted drive within seconds. The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse.
The core of the YellowKey exploit is a custom-made FsTx folder. FsTx relates to a Windows component that gives developers "transactional atomicity" for file operations, in transactions involving a single file, multiple files, or ones that span multiple data sources. The directory associated with the file fstx.dll appears to belong to what Microsoft calls Transactional NTFS (TxF), which uses the Common Log File System (CLFS) under the hood.
According to Will Dormann, a senior principal vulnerability analyst at Tharros Labs, who confirmed that the exploit works as described, the YellowKey bypass is related to Transactional NTFS and its CLFS log. The presence of a System Volume Information\FsTx directory on one volume appears to affect the contents of another volume when the log is replayed, which lets an attacker modify the contents of that other volume.
The steps for carrying out the bypass are simple: copy the custom FsTx folder from the Nightmare-Eclipse exploit page to an NTFS- or FAT-formatted USB drive, connect the USB drive to a BitLocker-protected device, and boot the system while immediately pressing and holding the Ctrl key, which brings up the Windows recovery environment. In that environment a command prompt (CMD.EXE) appears with full access to the entire drive contents.
The YellowKey bypass reliably defeats default Windows 11 deployments of BitLocker, in which the decryption key is stored in a secured piece of hardware known as a trusted platform module (TPM) and released at boot without any user authentication. This TPM-only configuration has long been considered insufficient by many security professionals, who advise requiring a PIN before the key can be retrieved from the TPM.
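As an added example that is not part of the article and not code from the YellowKey researcher, the PowerShell below audits every BitLocker volume on a machine for the TPM-only configuration described above and, with a switch of its own (-Remediate), moves an affected volume to TPM+PIN. It assumes the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector), an elevated session, and group policy that permits a startup PIN; the function names and the -Remediate switch are this script's own.

```powershell
# Added example, not code from the article or from the YellowKey researcher.
# Assumes Windows 10/11 with the built-in BitLocker PowerShell module and an
# elevated session. The -Remediate switch and the function names are this
# script's own; the cmdlets and KeyProtectorType values are Microsoft's.
[CmdletBinding()]
param([switch]$Remediate)

# Report, per volume, whether BitLocker is on and which protectors it has.
# "Weak" marks the configuration the article describes: protection on,
# a bare TPM protector, and no PIN-backed TPM protector alongside it.
function Get-BitLockerPosture {
    $pinBacked = @('TpmPin', 'TpmPinStartupKey')
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasPin = @($types | Where-Object { $_ -in $pinBacked }).Count -gt 0
        [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            Protection  = [string]$vol.ProtectionStatus
            Protectors  = ($types -join ', ')
            HasRecovery = ('RecoveryPassword' -in $types)
            Weak        = ([string]$vol.ProtectionStatus -eq 'On') -and ('Tpm' -in $types) -and (-not $hasPin)
        }
    }
}

# Move one volume from TPM-only to TPM+PIN. Requires the policy
# "Require additional authentication at startup" to allow a startup PIN,
# otherwise Add-BitLockerKeyProtector fails; the PIN is numeric unless the
# "Allow enhanced PINs for startup" policy is enabled. A recovery password
# protector must exist first so a mistyped PIN cannot lock you out.
function Set-TpmPinProtector {
    param([string]$MountPoint)
    $before = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($before.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ('RecoveryPassword' -notin $types) {
        throw "$MountPoint has no recovery password protector; add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and back it up before changing boot protectors."
    }
    $pin = Read-Host -Prompt "Startup PIN for $MountPoint" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # BitLocker keeps one TPM-based protector per volume. If a bare TPM
    # protector still exists after adding TPM+PIN, remove it explicitly so the
    # key can no longer be released without the PIN.
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $after.KeyProtector) {
        if ([string]$kp.KeyProtectorType -eq 'Tpm') {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

$posture = Get-BitLockerPosture
$posture | Format-Table -AutoSize

foreach ($row in ($posture | Where-Object { $_.Weak })) {
    Write-Warning "$($row.MountPoint): TPM-only BitLocker, the configuration YellowKey targets."
    if ($Remediate) {
        Set-TpmPinProtector -MountPoint $row.MountPoint | Format-List MountPoint, ProtectionStatus, KeyProtector
    }
}
```

Run it from an elevated PowerShell session without arguments to see the per-volume table, and with -Remediate to be prompted for a PIN on each volume flagged Weak. The same protector list can be cross-checked with the built-in manage-bde -protectors -get C: command; a volume whose only boot-time protector is "TPM" (with no "TPM And PIN" entry) is in the default configuration the article says YellowKey defeats.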
Beyond defeating default BitLocker protections, the YellowKey exploit also raises questions about the effectiveness of other measures meant to prevent unauthorized access to encrypted data. A BIOS password lock is good practice, but it is unclear whether it provides any protection against this particular exploit.
Microsoft has declined to answer questions sent by email about the reported vulnerability, stating only that the company is investigating. Researchers including Kevin Beaumont and Will Dormann, however, have confirmed that the YellowKey exploit works as described.
In light of these findings, people should be aware that BitLocker on Windows 11 in its default configuration may not provide the protection it is supposed to at this time. This means that a lost or stolen device can still be accessed even when BitLocker is enabled.
The discovery of the YellowKey exploit serves as a reminder of the importance of staying vigilant in the ever-evolving world of cybersecurity threats. As security professionals, researchers, and users, we must remain committed to understanding and mitigating these types of vulnerabilities to ensure that our personal data remains safe and secure.
Related Information:
https://www.digitaleventhorizon.com/articles/A-New-Zero-Day-Exploit-Bypasses-Windows-11-BitLocker-Protections-A-Security-Threat-for-the-Ages-deh.shtml
https://arstechnica.com/security/2026/05/zero-day-exploit-completely-defeats-default-windows-11-bitlocker-protections/
https://cybersecuritynews.com/windows-bitlocker-0-day-vulnerability/
Published: Thu May 14 14:41:10 2026 by llama3.2 3B Q4_K_M