Microsoft BitLocker-protected drives can now be opened with just some files on a USB stick — YellowKey zero-day exploit demonstrates an apparent backdoor

TL;DR

A security researcher has demonstrated a zero-day exploit, YellowKey, that can open BitLocker-protected drives by copying files to a USB stick. This challenges the trustworthiness of BitLocker encryption and raises serious security questions.

A security researcher has publicly demonstrated a zero-day exploit called YellowKey that allows full access to BitLocker-encrypted drives by copying specific files to a USB stick and rebooting into Windows Recovery Environment, raising urgent security concerns.

The exploit was disclosed by security researcher Chaotic Eclipse, who previously published exploits that affected Windows Defender. YellowKey works by placing malicious files on a USB device, which, when used to reboot a machine, grants access to the encrypted drive without needing the encryption key. The files used in the attack disappear after execution, making detection difficult.

This vulnerability affects Windows Server 2022 and Windows Server 2025, but not Windows 10, according to Eclipse. Microsoft has not yet issued an official patch or statement about YellowKey. The researcher claims that using a full TPM and PIN setup does not prevent the exploit, although this has not been independently verified.

Why It Matters

This development calls into question the security integrity of BitLocker encryption, which protects millions of devices worldwide, including many in corporate and government environments. The exploit’s ability to bypass encryption with minimal effort could lead to data breaches, loss of sensitive information, and increased risks of theft or espionage.

The fact that the exploit leaves no trace on the USB device and can be triggered with simple files makes detection and prevention particularly challenging, heightening the urgency for Microsoft to respond.


Background

Last month, security researcher Chaotic Eclipse disclosed two zero-day exploits, BlueHammer and RedSun, which compromised Windows Defender privileges. Eclipse has now revealed YellowKey, a serious vulnerability affecting BitLocker encryption. The researcher has a history of publishing exploits after claims that Microsoft dismissed previous reports. The vulnerability’s existence underscores ongoing security challenges in Windows encryption and privilege management.

“YellowKey can be triggered simply by copying some files to a USB stick and rebooting to the Windows Recovery Environment. It bears all the hallmarks of a backdoor.”

— Chaotic Eclipse

“Using a full TPM-and-PIN setup doesn’t help, as we have a variant for that scenario, but we haven’t published a PoC yet.”

— Chaotic Eclipse


What Remains Unclear

It is not yet confirmed whether Microsoft is actively developing or testing a patch for YellowKey. The full technical details of the exploit, including whether it affects all configurations or specific hardware setups, remain undisclosed. The effectiveness of existing security measures like TPM and PIN against this exploit is also still under investigation.


What’s Next

Microsoft is expected to evaluate the vulnerability and may release a security update or patch soon. Security researchers and affected organizations are advised to monitor official statements and implement additional safeguards until a fix is available. Further disclosures from the researcher or Microsoft could clarify the scope and mitigation strategies.
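The article leaves “additional safeguards” unspecified, and the researcher’s claims turn on two configuration details: which BitLocker key protectors a drive uses (TPM only versus TPM and PIN) and whether the Windows Recovery Environment is enabled. The following script is an added example, not code from the article or from Chaotic Eclipse’s research. It only inventories that configuration on the local host so an administrator knows what they are running; it does not detect or block YellowKey. It assumes an elevated PowerShell session on a Windows machine with the BitLocker tools installed, and it uses the standard `Get-BitLockerVolume` cmdlet and `reagentc.exe /info`.

```powershell
# Added example (not from the article or the researcher): report the
# BitLocker protector types per volume and the Windows RE state on this host.
# Assumes an elevated PowerShell session; Get-BitLockerVolume fails otherwise.

function Get-BitLockerPosture {
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [PSCustomObject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
            # TpmPinStartupKey, RecoveryPassword, ExternalKey, Password
            Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
            HasTpmPin        = [bool]($_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' })
        }
    }

    # reagentc prints a line such as "Windows RE status: Enabled"
    $reInfo  = & reagentc.exe /info 2>$null
    $reLine  = $reInfo | Where-Object { $_ -match 'Windows RE status' }
    $reState = if ($reLine -match 'Enabled') { 'Enabled' }
               elseif ($reLine -match 'Disabled') { 'Disabled' }
               else { 'Unknown' }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = (Get-CimInstance Win32_OperatingSystem).Caption
        WinREStatus  = $reState
        Volumes      = $volumes
    }
}

$posture = Get-BitLockerPosture
"Host: {0}  OS: {1}  WinRE: {2}" -f $posture.ComputerName, $posture.OSVersion, $posture.WinREStatus
$posture.Volumes | Format-Table MountPoint, VolumeStatus, ProtectionStatus, Protectors, HasTpmPin -AutoSize
```

The `OSVersion` field lets a fleet-wide run be filtered to the Windows Server 2022 and 2025 hosts the researcher names, and `HasTpmPin` shows whether a volume is in the TPM-and-PIN configuration the researcher says a separate, unpublished variant targets.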


Key Questions

Can this exploit be prevented with existing security measures?

Current information suggests that using a full TPM and PIN setup does not fully prevent the YellowKey exploit, but details are still emerging. Microsoft has not officially confirmed mitigation steps.

Does this affect all versions of Windows?

No, according to the researcher, YellowKey affects Windows Server 2022 and Windows Server 2025, but not Windows 10. The impact on other versions remains unconfirmed.

Is this vulnerability already patched?

As of now, Microsoft has not issued an official patch or statement regarding YellowKey. The researcher claims that Microsoft has silently patched related exploits, but confirmation is pending.

How serious is this vulnerability?

The vulnerability is considered highly serious because it allows full access to encrypted drives with minimal effort, bypassing standard protections and potentially exposing sensitive data.
