YellowKey: Technical Analysis of a Potential BitLocker Recovery Attack

YellowKey: What Is Known So Far

On 12 May 2026, a security researcher operating under the GitHub account Nightmare-Eclipse published a repository named YellowKey. The repository describes a potential attack path against the BitLocker full-disk encryption protection in Windows 11, as well as in Windows Server 2022 and 2025. According to the repository, physical access to the device is required – either a prepared USB stick or direct access to the EFI partition is described as enabling access to the affected volume within the recovery context.

According to the README in the repository, the root cause lies in a component that is only active inside the Windows Recovery Environment (WinRE) and which reacts to a specific folder structure named FsTx inside the System Volume Information directory. The author explicitly describes this in the repository description as a “(potential) backdoor” and, in the acknowledgements, credits the Microsoft-internal teams MORSE, MSTIC and GHOST – an unusual note hinting at a conflict between the researcher and the vendor. This characterisation reflects solely the researcher's perspective; there is currently no credible evidence of an intentional backdoor.

Confirmation Status

At the time of publication of this article on 13 May 2026, there is no official confirmation from Microsoft and no CVE number for YellowKey. The information stems exclusively from the GitHub repository Nightmare-Eclipse/YellowKey and independent secondary analyses. Reproduction steps are described, but an official patch advisory is still outstanding.

The Attack Chain in Detail

The reproduction documented in the repository is surprisingly minimal. The attacker does not need exploit code in the classical sense, but merely a prepared directory structure and physical access. The decisive trick: the WinRE component apparently loads content from a path that would not be writable under normal Windows operation – but is perfectly writable on an external storage medium or the EFI partition.

Steps of the Attack

1A USB stick is formatted with NTFS (alternatively FAT32/exFAT) and provisioned with the FsTx folder structure under System Volume Information.
2The storage device is inserted into the BitLocker-protected target system.
3Pressing Shift+Restart causes the device to boot into the Windows Recovery Environment (WinRE).
4During the restart, the Ctrl key is held down – the WinRE component reportedly reacts to the FsTx structure and opens a shell.
5The resulting shell provides, according to the repository, extensive access within the recovery context to the affected volume – without knowledge of the recovery key or a PIN.

A second variant requires no external media at all: if the target system's hard disk is removed, the attacker can copy the FsTx structure directly onto the EFI System Partition (ESP). The ESP is not encrypted by BitLocker by default – it contains the bootloader and is accessible with write permissions to any live system. Once the disk is reinstalled, the vulnerability can be exploited without any additional hardware.

Abstract visualisation of a USB storage device as an attack vector against an encrypted system — Illustrative image: the attack requires physical access but no recovery key.

Prepared Directory Structure (excerpt)

USB stick (NTFS)
└── System Volume Information\
    └── FsTx\
        └── 95F62703B343F111A92A005056975458\
            └── [exploit-specific files]

EFI Partition (alternative)
└── \EFI\Microsoft\Boot\...
    └── analogous placement of the FsTx structure

Affected Systems and Prerequisites

The vulnerability is described as affecting only newer Windows versions. Based on current knowledge, Windows 10 does not appear to be affected, as the relevant WinRE component is shipped in a variant without the described functionality. The researcher interprets this distinction as an indication of deliberate introduction; independent verification has not been published.

System	Affected	Note
Windows 11 (all builds)	Yes	Primary target of the disclosure
Windows Server 2022	Yes	Same WinRE codebase
Windows Server 2025	Yes	Same WinRE codebase
Windows 10	No	Component lacks the critical functionality

Attack Prerequisite: Physical Access

YellowKey is not a remote exploit. The attacker requires physical access to the device – for at least the duration of a reboot. This shifts the threat model considerably towards stolen laptops, lost field devices, on-site hardware, and unattended workstations in open office environments. For devices that never leave company premises, the risk is lower but not zero.

Why This Finding Matters

BitLocker is widely treated, across many compliance frameworks, as a technically sufficient measure to protect data in the event of device loss (“data at rest”). A working bypass method undermines that assumption – with far-reaching consequences for how incidents such as the loss of a company laptop or a stolen field tablet are assessed.

Question Compliance Assumptions

NIS2- and DORA-relevant risk analyses often treat BitLocker as a sufficient protective measure. Organisations should consider whether existing assumptions about TPM-only protection models remain adequate – especially for mobile endpoints.

Review Incident Response

After device loss, data inaccessibility should not be assumed without verification. Notification obligations under GDPR Art. 33 should be actively reviewed on a case-by-case basis.

TPM-only Becomes Critical

Configurations without pre-boot authentication (TPM-only) are particularly exposed. A PIN or startup-key requirement significantly hinders attacks via the recovery environment.

Forensic Assessment Revisited

Existing FsTx structures on EFI partitions must henceforth be treated as an indicator of tampering attempts – even where no successful exploit has occurred.

Mitigations and Hardening

As long as no official patch is available from Microsoft, organisations should evaluate configuration and organisational measures. A key approach is hardening pre-boot authentication – this moves the attack point ahead of the recovery environment and significantly reduces the attack surface.

Layered security shields above a dark vault as a symbol for defense in depth — Defense in depth: combine TPM, PIN and physical safeguards.

Recommended Immediate Actions

Enable TPM + PIN: Use Group Policy (Computer Configuration → Administrative Templates → Windows Components → BitLocker) to enforce an additional PIN entry before boot.

Disable or harden WinRE: Where operationally feasible, the recovery environment can be restricted or disabled (reagentc /disable). Important: This measure can significantly impact Windows update-recovery processes and OEM support workflows. Validate in test environments first, perform a risk assessment – this is not a blanket recommendation for all environments.

Lock down boot order: Set a BIOS/UEFI password, disable USB boot and enforce Secure Boot in the firmware.

Physical safeguards: Chassis locks, tamper-evident seals and asset tracking for mobile devices.

PowerShell · Check BitLocker Configuration Status

# List current protectors
Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus, KeyProtector

# Check whether TPM-only or TPM+PIN is active
manage-bde -protectors -get C:

# Check WinRE status
reagentc /info

# Temporarily disable WinRE (caution: impacts updates)
reagentc /disable

Detection · Searching for FsTx Structures on Endpoints

# PowerShell: scan all volumes for suspicious FsTx paths
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
  $path = Join-Path $_.Root 'System Volume Information\FsTx'
  if (Test-Path $path) {
    Write-Warning "Suspicious structure found: $path"
    Get-ChildItem -Force $path | Format-List FullName, Length, CreationTime
  }
}

Privileged Access as an Additional Layer

Even after a successful BitLocker bypass, the question remains what an attacker actually achieves with the decrypted volume. If domain admin credentials, local hashes or secrets are not stored in cleartext on the endpoint, the resulting damage is significantly reduced. A centrally secured Privileged Access Bridge cleanly separates administrative sessions from the endpoint device.

Context and Outlook

YellowKey is part of a dual disclosure – in the same timeframe, the same source published a local privilege escalation named GreenPlasma. Secondary sources report that the researcher previously disclosed exploits under the names BlueHammer and RedSun. The background appears to be a conflict with Microsoft over the handling of vulnerability reports – the disclosures therefore carry the character of a public escalation.

Two considerations emerge for those responsible in IT and security organisations: First, the threat model “an encrypted laptop is safe” should be re-examined in the light of this research. Second, pre-boot authentication and defense in depth remain important protection layers, even in a world with hardware-backed encryption. Organisations implementing NIS2 requirements may wish to explicitly evaluate BitLocker configurations against physical attack scenarios.

Sources and Further Reading

GitHub repository Nightmare-Eclipse/YellowKey (published 12 May 2026); independent analyses including at hetmehta.com and securityonline.info. As of editorial close (13 May 2026, 15:00 UTC), no official statement from Microsoft and no CVE assignment had been issued. The contents of this article will be updated as soon as Microsoft publishes a confirmation.