YellowKey Zero‑Day Bypasses Windows 11 BitLocker with Physical USB Access

Details on the YellowKey zero‑day that bypasses BitLocker via USB, how it works, and what defenders can do to mitigate the risk.

Peter Olaleru / 3 min / US

Cybersecurity Editor

Source: Itnews (original source)

A zero‑day exploit named YellowKey defeats Windows 11 BitLocker encryption when an attacker has physical access via a USB drive. The attack grants full command‑line access to the encrypted drive within seconds.

Context

BitLocker is Microsoft’s full‑volume encryption tool that relies on a trusted platform module (TPM) to protect the decryption key. By default, Windows 11 systems require the TPM to unlock the drive at boot, but the recovery environment can be triggered with a key combination. YellowKey abuses this recovery flow to bypass the BitLocker prompt.

Key Facts

Researcher Nightmare‑Eclipse released the YellowKey exploit earlier this week. The exploit consists of a custom FsTx folder placed on an NTFS‑ or FAT‑formatted USB drive. When the USB is connected and the user holds the Ctrl key during boot (or uses Shift‑restart), a Windows Recovery command prompt appears with unrestricted access to the drive. Security experts Kevin Beaumont and Will Dormann have independently verified that the prompt provides full read, write, and delete capabilities without requesting a BitLocker recovery key.

What It Means

The attack requires physical access, limiting its scope to environments where USB ports are exposed or devices are left unattended. However, any organization that relies solely on TPM‑only BitLocker protection is vulnerable to quick data theft or sabotage. The exploit highlights a gap in the Windows recovery process, which does not enforce BitLocker authentication before granting a command shell.

Mitigations

- Disable USB boot in firmware/UEFI settings or restrict boot to internal drives only.
- Enable BitLocker pre‑boot authentication with a PIN or startup key in addition to TPM (TPM+PIN).
- Configure Group Policy to require a BitLocker recovery key before entering the Windows Recovery Environment.
- Turn off the ability to launch recovery via Shift‑restart or Ctrl‑hold during boot (available via BCDEdit or MDOP policies).
- Monitor for unauthorized USB devices using endpoint detection and response (EDR) tools and alert on unexpected command‑prompt launches in recovery.
- Apply Microsoft’s forthcoming security update once a CVE is assigned and a patch is released.
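The following PowerShell audit is an added example, not code from the article or from Microsoft: it reports which BitLocker volumes still rely on TPM‑only protection (the configuration the article says is exposed) and whether the boot loader still allows automatic entry into the recovery environment. It assumes an elevated session on Windows 11 with the BitLocker module present; the `recoveryenabled` BCD element and the TPM/TpmPin protector type names are standard Windows values.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the article). Assumes the BitLocker PowerShell
# module and bcdedit.exe are available, as they are on Windows 11.

$findings = @()

# 1. Key-protector check. A volume whose only TPM protector is plain 'Tpm'
#    unlocks with no user interaction, so WinRE can reach it; TpmPin,
#    TpmStartupKey or TpmPinStartupKey add the pre-boot factor recommended above.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $preBoot = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    $hasPreBootFactor = ($types | Where-Object { $preBoot -contains $_ }).Count -gt 0

    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "$($vol.MountPoint): BitLocker protection is $($vol.ProtectionStatus)"
    }
    elseif (-not $hasPreBootFactor) {
        $findings += "$($vol.MountPoint): TPM-only protection (protectors: $($types -join ', ')); add TPM+PIN"
    }
}

# 2. BCD check. recoveryenabled=Yes lets the boot loader hand control to the
#    recovery environment; the mitigation list suggests turning that path off
#    (bcdedit /set {default} recoveryenabled No), so report it when still on.
$bcd = bcdedit /enum '{default}' 2>$null
$recoveryLine = $bcd | Where-Object { $_ -match '^\s*recoveryenabled\s' } | Select-Object -First 1
if ($recoveryLine -and (($recoveryLine -split '\s+')[-1] -ieq 'Yes')) {
    $findings += 'BCD {default}: recoveryenabled=Yes; consider disabling automatic recovery entry'
}

# 3. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: all volumes use a pre-boot factor and recovery auto-entry is off.'
}
else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as part of a configuration-compliance check rather than as a one-off; a volume that drops from TpmPin back to Tpm after a firmware or OS servicing event is exactly the regression this audit is meant to catch.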

Watch for Microsoft’s advisory on this zero‑day and any detection signatures that identify the custom FsTx folder or abnormal recovery‑mode access.
