The YellowKey zero-day exploit allows attackers with physical access to bypass default BitLocker encryption on Windows 11 by leveraging a custom FsTx folder and transactional NTFS to manipulate the TPM-protected decryption process. The article does not provide a CVSS score, specific affected version ranges, a fixed version, or a recommended workaround.
A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted drive within seconds. The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments. When one disk volume manipulates another The core of the YellowKey exploit is a custom-made FsTx folder. Online documentation of this folder is hard to find. As explained later, the directory associated with the file fstx.dll appears to involve what Microsoft calls the transactional NTFS , which allows developers to have “transactional atomicity" for file operations in transactions with a single file, multiple files, or ones that span multiple sources. Read full article Comments