TL;DR

A security researcher has demonstrated a zero-day exploit, YellowKey, that can open BitLocker-protected drives using nothing more than files copied to a USB stick. The vulnerability affects Windows Server versions but not Windows 10, prompting security concerns worldwide.

A security researcher has demonstrated a zero-day exploit, named YellowKey, that allows full access to BitLocker-encrypted drives using only files copied onto a USB stick, bypassing encryption protections. This discovery raises urgent security concerns for millions of Windows users, including enterprises and governments, as it exposes a critical vulnerability in widely used data protection technology.

The exploit, disclosed by researcher Chaotic Eclipse, involves copying specific files to a USB device and rebooting into the Windows Recovery Environment. Once initiated, the exploit grants access to the encrypted drive without requiring the encryption key stored in the TPM, effectively bypassing BitLocker’s security. Eclipse confirmed that the exploit works on Windows Server 2022 and 2025, but not on Windows 10, and noted that the malicious files disappear after use, indicating a backdoor mechanism.

Microsoft has not yet issued an official response to the YellowKey vulnerability. The researcher claims the exploit is well-hidden and that using a full TPM-and-PIN setup does not mitigate the risk, suggesting that even more secure configurations are vulnerable. Additionally, Eclipse has disclosed that there are other exploits, such as GreenPlasma, which could grant system-level access through local privilege escalation, although a complete proof-of-concept has not yet been released.

Why It Matters

This development is significant because BitLocker encrypts millions of devices globally, including personal computers, enterprise workstations, and government systems. The ability to bypass encryption with a simple file-based method undermines trust in BitLocker’s security, especially given the exploit’s stealthy nature. If exploited in the wild, it could lead to unauthorized data access, theft, or manipulation of sensitive information, affecting organizations and individuals alike.

Background

BitLocker has been a core component of Windows security since its introduction, designed to protect data by encrypting drives and relying on hardware-based keys stored in the TPM. Previous vulnerabilities have been patched over the years, but the recent disclosure by Eclipse marks a new and sophisticated attack vector. The researcher has previously released zero-day exploits targeting Windows Defender, which were reportedly dismissed or silently patched by Microsoft, raising questions about the company’s response to security disclosures.

“This exploit can be triggered by copying some files to a USB stick and rebooting into Windows Recovery, granting full access to the drive. It’s a backdoor, and the files disappear after use.”

— Chaotic Eclipse

“Using a TPM-and-PIN setup does not help; I have a variant for that scenario I haven’t published yet. This vulnerability is well-hidden, and I could have made a lot of money selling it, but I am against Microsoft.”

— Chaotic Eclipse

What Remains Unclear

Microsoft has not yet issued an official statement regarding YellowKey or GreenPlasma. Details about the full scope of the vulnerability, especially in enterprise and server environments, remain unclear. It is also not confirmed whether patches are in development or if existing security measures can fully mitigate the exploit.

What’s Next

Microsoft is expected to investigate the vulnerability and release security patches for affected Windows Server versions. Security researchers and organizations should monitor official updates and consider temporary mitigations. Further disclosures about GreenPlasma and other potential exploits are anticipated as investigations continue.

Key Questions

Can this exploit be used against all Windows devices?

No, currently it is confirmed to work on Windows Server 2022 and 2025, but not on Windows 10. Its applicability to other versions remains unconfirmed.

Does this mean BitLocker is no longer secure?

The exploit challenges the assumption that BitLocker is invulnerable when used without additional protections. However, using full TPM-and-PIN configurations may mitigate the risk, though the researcher claims even that setup is vulnerable.

Will Microsoft patch this vulnerability?

Microsoft has not yet issued an official statement. It is expected that patches will be released for affected Windows Server versions, but details are still pending.

What should organizations do now?

Organizations should stay alert for official security updates, consider additional security measures, and monitor for suspicious activity related to drive access and recovery procedures.
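The article names three configuration facts a defender would want to know about their own fleet before deciding on mitigations: whether each volume is actually protected, whether its pre-boot unlock relies on the TPM alone or on TPM-and-PIN, and whether the Windows Recovery Environment is enabled on the host. The PowerShell script below is an added example, not code from the article or from the researcher; it only reports posture and does not claim that any setting blocks YellowKey, since the article does not say so. It relies on the standard Get-BitLockerVolume and Get-Tpm cmdlets and on the text output of reagentc /info; the function name Get-BitLockerPosture is my own.

```powershell
# Added example (not from the article): inventory BitLocker protector types,
# TPM readiness and Windows RE state on a Windows host so that defenders can
# see which volumes depend on TPM-only unlock and whether WinRE is enabled.
# Assumes the BitLocker and TrustedPlatformModule modules and reagentc.exe
# are present (standard on Windows 10/11 and Windows Server) and that the
# session is elevated.

#Requires -RunAsAdministrator

function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    # TPM presence/readiness applies to the whole host, so query it once
    $tpm = Get-Tpm

    # reagentc /info prints a line such as "Windows RE status:   Enabled"
    $reInfo = & reagentc.exe /info 2>$null
    $winReEnabled = [bool]($reInfo | Select-String -Pattern 'Windows RE status:\s+Enabled')

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, NumericPassword (recovery password), ExternalKey, ...
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin -and -not ($types -contains 'TpmStartupKey')

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType          # OperatingSystem / Data
            ProtectionStatus  = $vol.ProtectionStatus    # On / Off (Off = key exposed in clear)
            EncryptionPercent = $vol.EncryptionPercentage
            Protectors        = ($types -join ',')
            TpmOnly           = $tpmOnly                 # unlocks at boot with no user secret
            HasTpmPin         = $hasPin                  # TPM-and-PIN configured
            HasRecoveryPwd    = ($types -contains 'NumericPassword')
            TpmPresent        = $tpm.TpmPresent
            TpmReady          = $tpm.TpmReady
            WinReEnabled      = $winReEnabled
        }
    }
}

# Usage: list every volume, sorted by mount point, so TPM-only OS volumes and
# the host's WinRE state are visible at a glance.
Get-BitLockerPosture |
    Sort-Object MountPoint |
    Format-Table MountPoint, VolumeType, ProtectionStatus, Protectors, TpmOnly, HasTpmPin, WinReEnabled -AutoSize
```

The output is meant to feed an inventory rather than to change anything: a row with ProtectionStatus Off or TpmOnly True on an OperatingSystem volume is the kind of host an administrator would want to revisit once Microsoft's guidance on YellowKey is available, and WinReEnabled simply records whether the reboot-into-recovery path the article describes exists on that machine.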
