Anonymous Intelligence Signal

YellowKey Zero-Day Bypasses Windows 11 BitLocker Encryption in Seconds, Researchers Warn

human The Lab unverified 2026-05-14 20:18:26 Source: Ars Technica

A zero-day exploit circulating online allows attackers with physical access to a Windows 11 system to bypass default BitLocker protections and decrypt entire drives within seconds. The exploit, published by a researcher operating under the alias Nightmare-Eclipse, targets the default Windows 11 configuration of BitLocker, Microsoft's full-volume encryption designed to render disk contents inaccessible without the proper decryption key stored in a trusted platform module (TPM). The vulnerability poses significant risk to organizations where physical access to devices cannot be fully controlled, including government contractors and enterprises subject to mandatory BitLocker requirements.

The YellowKey exploit centers on a custom FsTx folder that manipulates transactional NTFS operations to circumvent BitLocker's default encryption safeguards. Documentation on this specific folder structure is extremely limited, complicating efforts to understand the full technical scope of the vulnerability. The attack exploits the relationship between disk volumes during specific transactional operations, allowing an attacker with brief physical access to bypass TPM-based key protection mechanisms that would otherwise secure the encryption keys. Researchers note that the exploit appears to work reliably against standard Windows 11 deployments, though the technical complexity of the attack may limit its scalability for mass exploitation.

Security professionals are assessing the practical implications for enterprise environments where device theft, insider threats, or law enforcement seizure scenarios represent plausible attack vectors. The exploit's reliance on physical access means remote attack scenarios remain unaffected, but organizations handling sensitive data should evaluate whether current BitLocker configurations provide adequate protection against adversaries capable of accessing hardware directly. Microsoft has not yet issued a patch or official guidance addressing the YellowKey exploit, and the security community is awaiting further details on potential mitigations or upcoming security updates.
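The closing advice above, that organizations evaluate whether their current BitLocker configuration is adequate against a physically present adversary, starts with an inventory of which volumes are actually in the default TPM-only state the article describes. The PowerShell audit below is an added example written for this page; it is not code from the article, from Ars Technica, or from the researcher, and it says nothing about how the exploit works. It assumes the built-in BitLocker module (`Get-BitLockerVolume`) is present and that the session is elevated; the function name `Get-BitLockerExposureReport` and the `Assessment` labels it emits are this example's own.

```powershell
# Added example (not from the article): read-only inventory of BitLocker volumes,
# flagging those protected by a TPM key protector alone, which is the default
# Windows 11 configuration the article says the exploit targets. Requires the
# built-in BitLocker PowerShell module and an elevated session.

# Key protector types that require something beyond the TPM at boot
# (PIN, startup key, network unlock, or a password on non-OS volumes).
$PreBootAuthTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'TpmNetworkKey', 'Password')

function Get-BitLockerExposureReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Normalise the protector enum values to strings for easy comparison.
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        $hasTpm      = $types -contains 'Tpm'
        $hasPreBoot  = @($types | Where-Object { $PreBootAuthTypes -contains $_ }).Count -gt 0
        $hasRecovery = $types -contains 'RecoveryPassword'

        # Labels are this example's own; 'TpmOnly' corresponds to the default
        # configuration described in the article.
        $assessment =
            if ([string]$vol.ProtectionStatus -ne 'On') { 'ProtectionOff' }
            elseif ($hasPreBoot)                        { 'PreBootAuth' }
            elseif ($hasTpm)                            { 'TpmOnly' }
            else                                        { 'Other' }

        [PSCustomObject]@{
            ComputerName       = $env:COMPUTERNAME
            MountPoint         = $vol.MountPoint
            VolumeType         = [string]$vol.VolumeType
            VolumeStatus       = [string]$vol.VolumeStatus
            EncryptionMethod   = [string]$vol.EncryptionMethod
            ProtectionStatus   = [string]$vol.ProtectionStatus
            Protectors         = ($types -join ',')
            HasRecoveryKey     = $hasRecovery
            Assessment         = $assessment
        }
    }
}

# Usage: print the report, then list only the volumes in the default TPM-only state.
$report = Get-BitLockerExposureReport
$report | Format-Table -AutoSize
$report | Where-Object Assessment -eq 'TpmOnly' |
    Select-Object ComputerName, MountPoint, Protectors
```

The script changes nothing; it only reads volume state, so it can be pushed through existing management tooling and the per-host objects collected centrally (for example with `Export-Csv`) to see how much of the fleet matches the configuration the article describes. Volumes reported as `ProtectionOff` (suspended or never encrypted) and volumes with no recovery key recorded are worth following up on regardless of this particular exploit.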