TL;DR

A security researcher has disclosed a zero-day vulnerability, YellowKey, enabling full access to BitLocker-encrypted drives by copying specific files to a USB stick. The exploit works without keys and raises serious security concerns. Microsoft has not yet issued an official response.

A security researcher has revealed a zero-day exploit, YellowKey, that allows full access to BitLocker-encrypted drives by simply copying files to a USB stick and rebooting into Windows Recovery Environment, raising urgent security concerns for millions of users worldwide.

Chaotic Eclipse, known for uncovering critical vulnerabilities, posted details of YellowKey, a zero-day exploit that bypasses BitLocker encryption protections. The attack involves copying specific files onto a USB device, which, when used to reboot a targeted machine into Windows Recovery, grants full access to the encrypted drive. The exploit has been tested and confirmed to work on Windows Server 2022 and 2025, but not on Windows 10. The exploit’s files disappear after use, indicating a backdoor mechanism. Eclipse claims that using a full TPM and PIN setup does not mitigate the vulnerability, and that the exploit is well hidden, with potential for widespread misuse.

In addition, Eclipse disclosed another zero-day, GreenPlasma, which could enable local privilege escalation to system-level access, though its proof-of-concept remains incomplete. Microsoft has yet to officially respond to these disclosures, though patches for earlier exploits like BlueHammer have been released, and Eclipse suggests that Microsoft silently patched RedSun, another vulnerability he disclosed previously.

Why It Matters

This development is highly significant because it compromises the security of BitLocker, a widely used encryption technology protecting sensitive data across enterprise, government, and personal devices. The ability to bypass encryption with a simple USB device threatens data confidentiality and could facilitate theft or unauthorized access to highly sensitive information. The exploit’s ease of use and the fact that it can operate without the encryption keys stored in the TPM make it especially concerning for organizations relying on BitLocker for data security. The disclosure underscores the importance of ongoing security assessments and updates for encryption tools used globally.

Background

BitLocker has been a core component of Windows security, especially since its default activation in Windows 11. Previous vulnerabilities and exploits have prompted patches, but the latest disclosures highlight persistent risks. Security researcher Chaotic Eclipse has a history of revealing zero-day flaws, often claiming that Microsoft dismisses or delays addressing critical issues. The recent disclosures follow a pattern of Eclipse releasing exploits that demonstrate significant security flaws, including BlueHammer and RedSun, which allowed privilege escalation and system access. The current vulnerabilities, YellowKey and GreenPlasma, add to this list, with YellowKey notably enabling access to encrypted drives without the need for keys, a development that could undermine trust in BitLocker’s security model.

“Using a full TPM-and-PIN setup doesn’t help, as we have a variant for that scenario which we haven’t published a PoC for.”

— Chaotic Eclipse

“I could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft.”

— Chaotic Eclipse

What Remains Unclear

It is still unclear whether Microsoft has developed or deployed a comprehensive patch for YellowKey or GreenPlasma, as no official response has been issued. The full scope of the vulnerabilities, especially in enterprise environments with varying configurations, remains to be determined. Details about whether TPM and PIN setups are entirely ineffective are also not confirmed, and the potential for other undisclosed variants exists.

What’s Next

Microsoft is expected to review these disclosures and potentially release security updates addressing YellowKey and GreenPlasma. Security professionals and organizations should monitor official advisories and consider enhancing physical security measures for devices with BitLocker encryption. Further research and testing are likely to follow, aiming to verify the full extent of the vulnerabilities and develop mitigations.

Key Questions

How does the YellowKey exploit bypass BitLocker?

YellowKey involves copying specific files onto a USB stick, then rebooting into Windows Recovery to gain full access to the encrypted drive without needing the encryption keys.

Is my device vulnerable if I use a TPM and PIN setup?

According to the researcher, the exploit can bypass even full TPM and PIN configurations, though this claim has not been independently verified by Microsoft.

Has Microsoft issued any patches for these vulnerabilities?

Microsoft has patched earlier exploits like BlueHammer, and Eclipse claims that RedSun was silently patched, but no official updates or advisories have been confirmed regarding YellowKey or GreenPlasma.

What can organizations do to protect themselves now?

Organizations should enhance physical security, monitor for unusual USB activity, and stay alert for official security updates from Microsoft.
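As an added defender-side example (not code from the article or the researcher), the following PowerShell snippet inventories the configuration the article names as relevant: which protector types guard each BitLocker volume, whether the Windows Recovery Environment is enabled, and recent external-device audit events. It assumes an elevated session on the Windows host, the built-in BitLocker module, and that "Audit PnP Activity" is enabled for the event query; it reports state only and does not claim that any setting blocks YellowKey.

```powershell
# Added example, not from the article. Run in an elevated PowerShell on the host.

# 1. Protector inventory: TPM-only vs TPM+PIN vs recovery/external-key protectors
#    per volume, plus whether BitLocker protection is actually on.
function Get-BitLockerProtectorSummary {
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [PSCustomObject]@{
            Volume     = $_.MountPoint
            Protection = $_.ProtectionStatus      # On / Off
            State      = $_.VolumeStatus          # e.g. FullyEncrypted
            Protectors = ($types -join ', ')
            HasTpmPin  = [bool]($types -match '^TpmPin')   # TpmPin or TpmPinStartupKey
        }
    }
}

# 2. WinRE status. The article says the attack boots the machine into Windows
#    Recovery; this only shows whether WinRE is enabled and where it is located.
function Get-WinReStatus {
    reagentc.exe /info
}

# 3. "A new external device was recognized by the system" (Security log, ID 6416)
#    over the last N days. Events exist only if PnP activity auditing is enabled.
function Get-RecentExternalDeviceEvents {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Message
}

Get-BitLockerProtectorSummary | Format-Table -AutoSize
Get-WinReStatus
Get-RecentExternalDeviceEvents -Days 7 | Format-List
```

Volumes with `Protection = Off` or protectors other than a TPM-backed type are the first to review; the 6416 listing gives an audit trail of USB insertions to correlate with unexpected reboots into recovery.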

What is GreenPlasma and how dangerous is it?

GreenPlasma potentially allows an attacker to escalate privileges to system level by manipulating Windows processes, which could compromise entire servers or workstations, though its proof-of-concept is not yet complete.