
Critical Zero-Day Exploit 'YellowKey' Breaks Windows 11 BitLocker Encryption in Seconds

Zero-day exploit YellowKey defeats default Windows 11 BitLocker in seconds. Only physical access is required. Researchers urge immediate configuration changes.

Xtcworld · 2026-05-15 02:34:49 · Cybersecurity

Urgent: New Zero-Day Exploit Defeats Default Windows 11 BitLocker Protection

A newly discovered zero-day exploit, dubbed YellowKey, allows anyone with physical access to a Windows 11 system to bypass default BitLocker encryption and access all encrypted data within seconds, security researchers confirmed today.

Critical Zero-Day Exploit 'YellowKey' Breaks Windows 11 BitLocker Encryption in Seconds
Source: feeds.arstechnica.com

The exploit was published earlier this week by a researcher using the alias Nightmare-Eclipse. It specifically targets the default configuration of BitLocker, Microsoft's full-volume encryption tool, which relies on a Trusted Platform Module (TPM) to store decryption keys securely.

"Anyone with a few minutes alone with a vulnerable machine can pull the decryption key directly from the TPM and unlock the drive," said Michael Goodwin, a senior security analyst at CyberGuard Solutions, who reviewed the exploit code. "This completely undermines the protection that BitLocker is supposed to provide in its default state."

Background: How BitLocker and TPM Work

BitLocker is a mandatory data protection feature for many organizations, including government contractors. It encrypts the entire drive so that data remains inaccessible without the correct decryption key.

By default, this key is stored in a TPM, a dedicated hardware chip designed to resist physical attacks. The assumption has been that even with physical access, an attacker cannot retrieve the key without the correct PIN or startup key.

YellowKey exploits a weakness in how Windows 11 handles the File System Transaction (TxF) mechanism, specifically a custom FsTx folder. This allows the attacker to manipulate the boot process and force the TPM to release the key without authentication.

How the YellowKey Exploit Works

The core of YellowKey is a specially crafted FsTx folder placed on the system drive. When the computer boots from a USB drive, this folder triggers a transactional NTFS operation that effectively bypasses BitLocker's pre-boot authentication.

"The exploit leverages transactional atomicity to alter the boot files in a way that the TPM sees a legitimate request," explained Nightmare-Eclipse in a technical log accompanying the release. "It's disturbingly simple and reliable."


Once executed, the attacker gains full, unencrypted access to the Windows 11 volume. No password, recovery key, or additional tools are needed beyond a bootable USB stick.

What This Means for Security Teams and Users

Organizations relying on default BitLocker encryption for laptops and portable devices are now at high risk from anyone with brief physical access—such as hotel staff, airport security, or thieves.

"This is a wake-up call for enterprises that assumed default BitLocker was sufficient," said Emily Tran, director of endpoint security at SecureWorks. "Even if the device is later returned, the attacker could have silently cloned all data."

Until Microsoft issues a patch, security experts recommend enabling additional protections: requiring a startup PIN or using a USB key for pre-boot authentication. These steps force an attacker to have both physical access and the PIN or key, significantly raising the bar.

Immediate Next Steps

  • Disable automatic TPM-only unlock: Configure BitLocker to require a startup PIN or a USB startup key.
  • Monitor for physical access: Ensure devices are never left unattended in untrusted environments.
  • Apply Microsoft security updates: Watch for a fix; Windows Update should deliver a patch soon.
  • Review incident response plans: Assume any stolen or temporarily accessed device may be compromised.
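The first of the steps above is the one an administrator can act on today. As an added example (not code from the article or from the researcher it describes), the following PowerShell audits the local machine for BitLocker volumes whose only hardware-bound protector is the TPM and, optionally, moves the OS volume to TPM+PIN. It assumes the built-in BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector), an elevated session, and the "Require additional authentication at startup" policy values under the FVE registry key; the PIN itself is a placeholder you supply interactively. In a managed fleet you would set the policy through Group Policy or Intune rather than writing the registry directly.

```powershell
# Added example, not part of the original article. Audits BitLocker key
# protectors and flags volumes that rely on the TPM alone; optionally adds a
# TPM+PIN protector. Assumes the Windows BitLocker PowerShell module and an
# elevated session. Registry values mirror the "Require additional
# authentication at startup" policy (assumption: set via GPO/Intune in prod).
#Requires -RunAsAdministrator

function Get-TpmOnlyVolumes {
    # Volumes with a plain 'Tpm' protector and no PIN / startup-key variant:
    # these boot to the Windows logon screen with no pre-boot authentication.
    Get-BitLockerVolume | Where-Object {
        $types = $_.KeyProtector.KeyProtectorType
        ($types -contains 'Tpm') -and
        -not ($types -contains 'TpmPin' -or
              $types -contains 'TpmStartupKey' -or
              $types -contains 'TpmPinStartupKey')
    }
}

function Enable-PreBootPinPolicy {
    # BitLocker refuses a TPM+PIN protector unless policy permits one.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'UseTPMPIN' -Value 2 -Type DWord   # 2 = Require
}

function Add-PreBootPin {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    # Refuse to touch protectors unless a recovery password exists; losing the
    # only protector on an encrypted volume is unrecoverable.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
        throw "Back up a recovery password protector for $MountPoint before changing protectors."
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # Remove the TPM-only protector so the PIN is enforced rather than
    # sitting beside the weaker option.
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

# Audit first; this report is what you would collect fleet-wide before changing anything.
$weak = Get-TpmOnlyVolumes
if (-not $weak) {
    Write-Host 'No TPM-only BitLocker volumes found.'
} else {
    $weak | ForEach-Object {
        Write-Warning ('{0} ({1}) is protected by TPM only; protectors: {2}' -f
            $_.MountPoint, $_.VolumeStatus, ($_.KeyProtector.KeyProtectorType -join ', '))
    }
    # Uncomment to remediate the OS volume interactively (placeholder PIN prompt):
    # Enable-PreBootPinPolicy
    # Add-PreBootPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
}
```

Run the audit portion as-is to see which volumes would be exposed to an attack of the kind described; the remediation lines are left commented so the script never changes protectors by accident. The recovery-password check matters: escrow the recovery key (Active Directory, Entra ID, or your key-management system) before swapping protectors, since a user who forgets the new PIN will otherwise lock themselves out of the volume.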

Microsoft has not yet released a statement on YellowKey. Cybersecurity experts urge organizations to treat this as an active threat and update their BitLocker configurations immediately.
