New Zero-Day Exploit 'YellowKey' Bypasses Windows 11 BitLocker Encryption in Seconds
A recently discovered zero-day exploit, dubbed YellowKey, enables attackers with physical access to a Windows 11 system to completely bypass default BitLocker protections. Within seconds, they can gain full access to encrypted drives, undermining the security that organizations and government contractors rely on. Published by researcher Nightmare-Eclipse, YellowKey targets the default configuration of BitLocker when paired with a Trusted Platform Module (TPM).
Understanding BitLocker and TPM Protection
BitLocker is Microsoft's full-volume encryption feature, designed to protect data by rendering disk contents inaccessible without the proper decryption key. In standard Windows 11 deployments, this key is stored in a secure hardware component called a Trusted Platform Module (TPM). The TPM ensures that the encryption key is only released after verifying system integrity, such as during a normal boot sequence. This mechanism is meant to thwart offline attacks, even if an attacker gains physical possession of the device. However, YellowKey exposes a critical flaw in this default setup.

The YellowKey Exploit: How It Works
YellowKey relies on a custom-made FsTx folder—a directory that integrates with Windows’ transactional NTFS file system. The exploit manipulates file operations to trick the TPM into releasing the decryption key without proper authentication. By exploiting a zero-day vulnerability, an attacker with physical access can execute the exploit via a USB drive or through direct interaction with the system before the operating system fully loads. Once triggered, the exploit bypasses the usual PIN or password requirements, granting unrestricted access to encrypted data. The process is remarkably fast, taking only seconds, and does not require advanced technical skills beyond following the published steps.
Technical Details: The FsTx Folder and Transactional NTFS
Transactional NTFS Overview
Transactional NTFS (TxF) is a feature introduced in Windows Vista that allows developers to perform file operations as atomic transactions: a series of writes or modifications either all succeed or all fail, preserving data consistency. TxF has been deprecated since Windows 8, and Microsoft advises against using it in new development, although the component remains present. The YellowKey exploit leverages a custom FsTx folder, a special directory associated with the fstx.dll system file. This folder appears to manipulate TxF in an unexpected way, possibly by creating a transaction that causes the TPM to behave erroneously.
How the Exploit Manipulates Transactions
The precise mechanism involves creating a transaction that targets the BitLocker encryption key storage. By doing so, the exploit effectively “short-circuits” the TPM’s validation process. When the TPM attempts to verify the system state before releasing the key, the exploit’s transaction overrides or bypasses these checks. The result is that the decryption key is exposed, and the entire volume becomes readable. Nightmare-Eclipse has not disclosed the exact code or steps, likely to prevent misuse, but the exploit has been verified by other security researchers.

Implications and Recommendations
This vulnerability primarily affects organizations that rely on BitLocker’s default TPM-only protection without additional authentication factors. For example, if a laptop is stolen while in sleep mode or if an attacker has brief physical access, YellowKey can compromise sensitive data. Government contractors and enterprises are particularly at risk.
Mitigation Steps
- Enable additional authentication: Configure BitLocker to require a PIN or USB key at startup, alongside TPM protection. This adds a second factor that the exploit cannot currently bypass.
- Apply Microsoft’s latest security updates: While no official patch for YellowKey has been released, staying current with Windows updates can reduce exposure.
- Physical security measures: Ensure devices are stored securely, and enable BitLocker pre-boot authentication so that an unattended machine never releases the key without user interaction, minimizing the physical attack window.
- Monitor for suspicious activity: Look for unusual FsTx folders or transactions in system logs.
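The first mitigation step (moving from TPM-only to TPM+PIN) can be audited and applied with the BitLocker PowerShell module. The script below is an added example and is not from the article or from Microsoft's documentation; it assumes an elevated session on Windows 11 with the BitLocker module available, and the policy registry values it sets are the standard "Require additional authentication at startup" settings.

```powershell
# Added example (not part of the article): audit BitLocker OS volumes for
# TPM-only protectors and, with -Remediate, require a TPM+PIN protector.
# Assumes an elevated session and the built-in BitLocker module.
param([switch]$Remediate)

# Group Policy equivalent of "Require additional authentication at startup":
# UseAdvancedStartup=1 enables it, UseTPMPIN=1 requires TPM+PIN, UseTPM=0 forbids TPM-only.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if ($Remediate) {
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'UseTPMPIN'          -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'UseTPM'             -Value 0 -Type DWord
}

foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
    $types  = @($vol.KeyProtector.KeyProtectorType)
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if ($hasPin) { "$($vol.MountPoint): OK, TPM+PIN protector present"; continue }

    "$($vol.MountPoint): TPM-only protection ($($types -join ', '))"
    if (-not $Remediate) { continue }

    # Never remove a protector unless a recovery password is already escrowed.
    if ($types -notcontains 'RecoveryPassword') {
        "$($vol.MountPoint): no recovery password protector; back one up before remediating"
        continue
    }

    $pin = Read-Host -AsSecureString 'Startup PIN (6 or more digits)'
    Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Drop the TPM-only protector so the volume can no longer unlock without the PIN.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    "$($vol.MountPoint): TPM+PIN protector added; reboot and confirm the PIN prompt appears"
}
```

Run without -Remediate first to see which volumes still rely on a TPM-only protector; the policy values are also what a domain GPO would push, so in a managed fleet set them centrally instead of per host.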
Conclusion
YellowKey represents a serious but targeted threat to Windows 11 BitLocker deployments. While the exploit requires physical access, its speed and reliability make it a dangerous tool for attackers in close proximity. Organizations should immediately assess their BitLocker configurations and consider implementing layered authentication. Researchers continue to analyze the vulnerability, and a permanent fix from Microsoft is expected. Until then, vigilance and proactive security measures are essential.