BitLocker 'YellowKey' zero-day exploit
- Security researcher Nightmare-Eclipse published YellowKey, a BitLocker bypass proof-of-concept, on May 12, 2026, disclosing an unpatched Windows flaw tied to WinRE. (github.com)
- The GitHub repository says Windows 11 and Windows Server 2022 and 2025 are affected, while Windows 10 is not. (github.com)
- Microsoft’s Security Update Guide showed no public YellowKey advisory on May 17, 2026; the PoC remains on GitHub. (msrc.microsoft.com)
Security researcher Nightmare-Eclipse published a proof-of-concept exploit called YellowKey on GitHub on May 12, describing it as a BitLocker bypass that works through the Windows Recovery Environment, or WinRE. The repository says the exploit can unlock access to a BitLocker-protected volume after a reboot into WinRE with specially placed files and a held Ctrl key. (github.com) The same researcher also published a separate exploit called GreenPlasma, which several security outlets described as a Windows privilege-escalation flaw released alongside YellowKey. Microsoft had not posted a public advisory for YellowKey in its Security Update Guide as of May 17. (msrc.microsoft.com)

### How does YellowKey work, according to the public proof-of-concept?

The GitHub README says YellowKey requires copying an “FsTx” folder to a path on a USB drive under `System Volume Information\FsTx`, then booting the target machine into WinRE. The instructions say a shell with “unrestricted access” to the BitLocker-protected volume will spawn if the reboot and key sequence are performed correctly. The README also says an attacker can place the files in the EFI partition instead of using external media. Microsoft’s WinRE documentation describes the recovery environment as a built-in framework used to troubleshoot and repair systems that cannot boot normally. (github.com) That matters because YellowKey, as published, does not claim to break BitLocker’s encryption directly; it claims to abuse behavior inside a trusted recovery component that runs before normal Windows startup.

### Which Windows versions are named as affected?

The repository published by Nightmare-Eclipse says YellowKey affects Windows 11 and Windows Server 2022 and 2025, and says Windows 10 is not affected. (github.com) BleepingComputer and Ars Technica both reported the same version scope in their coverage of the proof-of-concept release.
BleepingComputer reported that the exploit targets systems using BitLocker with TPM-based protection, and Ars Technica reported that the attack requires physical access to the device. Those reports align with the public instructions, which rely on rebooting the machine into recovery and interacting with the boot environment. (learn.microsoft.com)

### Does this bypass TPM-plus-PIN, or only TPM-only setups?

The public material reviewed here does not clearly verify a bypass of TPM-plus-PIN configurations. (github.com) The GitHub README describes a BitLocker bypass through WinRE, but it does not spell out tested results for every BitLocker protector combination. BleepingComputer specifically described the issue as affecting TPM-based protection, and other coverage cited TPM-only systems as the clearest confirmed risk. Microsoft’s BitLocker recovery documentation says recovery can be triggered by changes to early boot components, TPM state, boot order and other pre-boot conditions. (bleepingcomputer.com) That documentation establishes that BitLocker’s protections depend in part on trusted boot and recovery paths, but it does not address YellowKey specifically.

### What is GreenPlasma, and is it part of the same attack?

SecurityWeek and BleepingComputer reported that GreenPlasma was disclosed by the same researcher at the same time as YellowKey and described it as a separate Windows privilege-escalation flaw. (github.com) Those reports said GreenPlasma could be chained with other access methods, but they did not establish that YellowKey and GreenPlasma are a single combined exploit in Microsoft’s boot environment. The public evidence supports a narrower description: YellowKey is the BitLocker bypass PoC, and GreenPlasma is a separate disclosed flaw released in the same wave. (learn.microsoft.com) Any broader claim about a full “data-exfiltration chain” is an inference from third-party reporting, not something Microsoft has publicly confirmed.
### What can administrators do before a patch appears?

Microsoft’s support pages say BitLocker recovery keys are central to regaining access when automatic unlock fails, and Microsoft Learn documents that WinRE can be enabled or disabled with system configuration tools. (securityweek.com) Third-party coverage of YellowKey has pointed administrators to reduce exposure by reviewing WinRE availability, tightening physical access controls and ensuring recovery material is backed up. The most concrete public next steps remain external to Microsoft. (securityweek.com) The YellowKey repository was still online on May 17, and Microsoft’s Security Update Guide did not show a clearly identified YellowKey entry at that time. (github.com) (support.microsoft.com)
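The two questions above that an administrator can actually answer locally are which volumes rely on a TPM-only protector and whether WinRE is enabled. The following PowerShell script is an added example, not code from the YellowKey repository, Microsoft or the outlets cited here; it assumes an elevated session with the built-in BitLocker module and `reagentc.exe` available, and the function names are this example's own.

```powershell
# Added example (not from the YellowKey repository or Microsoft documentation).
# Inventories BitLocker key protectors and WinRE state on the local machine so an
# administrator can see which volumes unlock with a TPM-only protector and whether
# the recovery environment is enabled. Assumes the BitLocker module and reagentc.exe.
#Requires -RunAsAdministrator

function Get-BitLockerExposureReport {
    $report = foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # 'Tpm' alone means no user secret at boot; 'TpmPin*' variants require a PIN.
        $tpmOnly     = ($types -contains 'Tpm') -and (@($types -match '^TpmPin').Count -eq 0)
        $hasRecovery = $types -contains 'RecoveryPassword'
        [pscustomobject]@{
            Volume        = $vol.MountPoint
            Status        = $vol.ProtectionStatus
            Protectors    = ($types -join ',')
            TpmOnly       = $tpmOnly
            HasRecoveryPw = $hasRecovery
        }
    }
    return $report
}

function Get-WinReState {
    # reagentc /info prints a line of the form "Windows RE status: Enabled".
    $line = (& reagentc.exe /info 2>$null) | Where-Object { $_ -match 'Windows RE status' }
    if (-not $line) { return 'Unknown' }
    return (($line | Select-Object -First 1) -split ':', 2)[1].Trim()
}

$volumes = Get-BitLockerExposureReport
$volumes | Format-Table -AutoSize

$winre = Get-WinReState
Write-Host "WinRE status: $winre"

# Flag the combination the public coverage treats as the clearest risk: a TPM-only
# protector on a volume with protection on, while WinRE is enabled. Moving to
# TPM+PIN or temporarily disabling WinRE (reagentc /disable) are the options the
# cited coverage points to; back up the recovery password before changing protectors.
foreach ($v in ($volumes | Where-Object { $_.TpmOnly -and $_.Status -eq 'On' })) {
    if ($winre -eq 'Enabled') {
        Write-Warning "$($v.Volume): TPM-only protector with WinRE enabled"
    }
    if (-not $v.HasRecoveryPw) {
        Write-Warning "$($v.Volume): no recovery password protector; add and back one up first"
    }
}
```

Run it once per host before and after any protector or WinRE change so the before/after state is recorded.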