https://www.itnews.com.au/news/usb-stick-opens-windows-bitlocker-drives-in-new-zero-day-625859

A newly published zero-day vulnerability dubbed YellowKey allows an attacker with physical access to a Windows device to completely bypass BitLocker disk encryption using nothing more than a specially prepared USB stick. The exploit, published by a security researcher known as Nightmare-Eclipse, works against Windows 11 as well as Windows Server 2022 and 2025. By copying specific file system transaction logs onto a USB drive and rebooting the target machine into the Windows Recovery Environment, an attacker can cause Windows to delete a critical startup file, which causes the system to fall back to an unprotected command prompt while BitLocker silently decrypts the protected drive — granting full file system access without any credentials required.

What makes YellowKey particularly alarming is what lies beneath the surface of the exploit. The researcher argues that the underlying mechanism, in which Windows replays NTFS transaction logs taken from an external USB drive and applies them to a separate volume, may point to a deeper architectural flaw in how Windows handles file system recovery, one whose full scope is not yet understood. The researcher has also hinted at a variant of the exploit that can bypass TPM PIN protection, though they have declined to publish those details publicly. Alongside YellowKey, Nightmare-Eclipse also released partial details for a second vulnerability called GreenPlasma, a privilege escalation flaw affecting the same versions of Windows, signalling that further damaging disclosures may be on the way.

The researcher claims the decision to go public without prior disclosure to Microsoft stems from a previous negative experience with the company’s Security Response Centre, which they allege dismissed an earlier responsibly disclosed vulnerability. For Australian government agencies, enterprises, and any organisation that relies on BitLocker to protect sensitive data on laptops and servers, including those handling classified, financial, or health information, this vulnerability is a serious concern. While physical access is required to execute the attack, the risk to lost or stolen devices, shared workspaces, and supply chain scenarios is very real, and organisations should monitor closely for any guidance from Microsoft on patches or mitigations.