YellowKey Bypasses Windows 11 BitLocker With USB Folder and Held Key, Exposing TPM-Only Devices

8 articles · Updated · XDA Developers · May 13
  • Nightmare-Eclipse’s YellowKey proof of concept opens a command prompt with access to BitLocker-protected drives on Windows 11 and Server 2022/2025 by rebooting into WinRE and holding CTRL at the right moment.
  • The bypass targets BitLocker in TPM-only mode—the default on many consumer PCs—and independent testing reproduced it on Windows 11 build 10.0.26100.1; Windows 10 was reported unaffected.
  • A USB stick is enough to trigger the exploit, but the researcher said writing the same FsTx folder to the EFI partition also works, undercutting “no removable media” mitigations on some enterprise setups.
  • Nightmare-Eclipse called the WinRE-only component an intentional backdoor and said TPM+PIN may also be vulnerable, though that version was not released and the root cause remains publicly unexplained.
  • Microsoft had not publicly acknowledged the flaw or assigned a CVE as of publication, and with no confirmed mitigation beyond blocking physical access, organizations using TPM-only BitLocker are being urged to treat affected devices as effectively unencrypted.
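As an added defensive check that is not part of the XDA summary or of the researcher's release: the bullets say the bypass targets BitLocker in TPM-only mode and that organizations are urged to treat such devices as effectively unencrypted, so the first practical step is knowing which volumes are actually in that configuration. The PowerShell below inventories key protector types with the built-in Get-BitLockerVolume cmdlet. The classification rule (a Tpm protector present and no TpmPin, TpmStartupKey or TpmPinStartupKey protector) is my assumption about what "TPM-only" means in the reporting; the article itself does not define it.

```powershell
# Added inventory script (not from the article or the researcher). Lists
# BitLocker volumes and flags those whose only pre-boot unlock factor is the
# TPM, i.e. the "TPM-only" configuration the reporting describes as exposed.
# Requires the BitLocker PowerShell module (shipped with Windows 10/11 and
# Windows Server) and an elevated prompt.

function Get-BitLockerProtectorInventory {
    [CmdletBinding()]
    param()

    # Protector types that add a second pre-boot factor to the TPM.
    # Assumption: any of these present means the volume is not "TPM-only".
    $secondFactorTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; compare on its string name.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpm          = $types -contains 'Tpm'
        $hasSecondFactor = @($types | Where-Object { $_ -in $secondFactorTypes }).Count -gt 0

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem / Data
            ProtectionStatus = $vol.ProtectionStatus    # On / Off
            Protectors       = ($types -join ',')
            TpmOnly          = ($hasTpm -and -not $hasSecondFactor)
        }
    }
}

# Report OS volumes first; TpmOnly = True marks the configuration the
# article says to treat as effectively unencrypted until Microsoft responds.
Get-BitLockerProtectorInventory |
    Sort-Object VolumeType, MountPoint |
    Format-Table -AutoSize
```

Run it per machine, or wrap the function in Invoke-Command for a fleet, and keep the output alongside the RecoveryPassword protector list so the same pass tells you both which devices are exposed and whether recovery material is escrowed.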

May 2026 Windows Zero-Day Emergency: YellowKey and GreenPlasma Exploits Reveal BitLocker Weaknesses and Microsoft’s Patch Gaps

Overview

In May 2026, security researcher Chaotic Eclipse (also known as Nightmare-Eclipse) publicly released exploit code for undocumented Windows vulnerabilities, including the critical YellowKey and GreenPlasma zero-days. This follows earlier disclosures like BlueHammer, which exploited Microsoft Defender and was only patched after public exposure. Microsoft has not responded to the latest threats, leaving users and organizations vulnerable and uncertain. Chaotic Eclipse has criticized Microsoft for silently patching issues like RedSun without transparency, highlighting ongoing tensions and a lack of clear guidance. As a result, the public faces immediate risks while waiting for official action.

...