Safety · May 15, 2026

Zero-day BitLocker bypass lets attackers with physical access decrypt Windows 11 drives instantly

Researchers confirm YellowKey exploit bypasses TPM-only BitLocker protection, raising questions about the security of transactional NTFS and default Windows 11 encryption deployments.

TL;DR
  • A zero-day exploit named YellowKey allows attackers with physical access to Windows 11 systems to bypass default BitLocker encryption and access encrypted drives in seconds.
  • The exploit leverages a custom FsTx folder that manipulates Transactional NTFS behavior, enabling attackers to modify recovery environment controls on another volume.
  • Multiple security researchers including Kevin Beaumont and Will Dormann have independently verified the exploit works as documented.
  • Microsoft declined detailed comment but confirmed it is investigating the vulnerability.
  • The bypass only affects TPM-only BitLocker configurations; security professionals have long recommended requiring a PIN to retrieve TPM-stored decryption keys.

A zero-day vulnerability circulating online enables anyone with brief physical access to a Windows 11 system to completely bypass BitLocker encryption and gain full access to an encrypted drive. The exploit, designated YellowKey by its discoverer (using the alias Nightmare-Eclipse), was published earlier this week and has since been independently verified by multiple security researchers.

The attack works by placing a custom folder structure on a USB drive, then triggering Windows Recovery mode during boot. Normally, Windows Recovery would require a BitLocker recovery key to proceed. YellowKey manipulates Transactional NTFS—a file system feature designed to provide atomic transactions across file operations—to modify the recovery environment configuration on the target disk from another volume. This allows an attacker to obtain a command prompt with full drive access instead of the expected recovery interface.

Security researcher Will Dormann noted the attack exposes a broader architectural flaw: a specially crafted FsTx directory on one volume can delete or modify files on a different volume when transactions are replayed during boot. This suggests a privilege escalation vulnerability in Transactional NTFS itself, independent of the BitLocker bypass.

Microsoft has declined to provide technical details and stated only that it is investigating. The vulnerability affects Windows 11 deployments using BitLocker's default configuration, which stores decryption keys exclusively in the TPM (Trusted Platform Module). Security professionals have long considered this insufficient, recommending instead that a PIN be required before the TPM releases the key—a configuration that would prevent this attack.
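The mitigation described above (TPM+PIN instead of TPM-only) can be audited and applied from an elevated PowerShell session. The following is an added example, not code from the article or from the researchers it cites; it assumes the built-in BitLocker module and that the FVE policy registry values mirror the "Require additional authentication at startup" Group Policy setting.

```powershell
# Added example: find BitLocker volumes protected only by the bare TPM (the
# configuration the article says is affected) and move them to TPM+PIN.
# Assumes an elevated session on Windows 10/11 with the BitLocker module.

function Get-TpmOnlyBitLockerVolumes {
    # Emit one record per protected volume, flagging those whose only
    # pre-boot protector is 'Tpm' (no PIN or startup key involved).
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } | ForEach-Object {
        $types   = $_.KeyProtector | Select-Object -ExpandProperty KeyProtectorType
        $preBoot = @($types | Where-Object { $_ -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
        [pscustomobject]@{
            MountPoint   = $_.MountPoint
            PreBootTypes = ($preBoot -join ',')
            TpmOnly      = ($preBoot.Count -eq 1) -and ($preBoot[0] -eq 'Tpm')
        }
    }
}

function Set-TpmPinProtector {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin        # default policy minimum is 6 digits
    )
    # Policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE (assumed to match the
    # GPO "Require additional authentication at startup"): enable advanced startup,
    # require a PIN with the TPM (1 = Require), and disallow bare TPM (0 = Do not allow).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord

    # Add the TPM+PIN protector. BitLocker keeps one TPM-family protector per volume,
    # so this normally replaces the bare TPM protector; the loop below removes it if
    # it is still listed. Recovery-password protectors are left untouched.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ',') } }
}

# Usage (elevated):
#   Get-TpmOnlyBitLockerVolumes | Format-Table
#   Set-TpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Confirm a recovery password is escrowed (for example with `Get-BitLockerVolume` or `manage-bde -protectors -get C:`) before changing protectors, because the PIN will be required at the next boot.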

The exploit's impact extends beyond individual users. BitLocker is a mandatory security control for many organizations, including those with government contracts. If the default encryption method provides minimal protection against local adversaries, the security posture of affected enterprises is substantially degraded.

Sources
  1. Ars Technica: Zero-day exploit completely defeats default Windows 11 BitLocker protections

© 2026 Dispatch. No ads. No sponsorships. No paid placement. Reader-supported via Ko-fi.