Microsoft BitLocker-protected drives can now be opened with just some files on a USB stick — YellowKey zero-day exploit demonstrates an apparent backdoor
Also, it's a twofer with the GreenPlasma zero-day local privilege escalation.
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
YellowKey bypasses BitLocker via WinRE USB FsTx files, exposing Windows 11 and Server 2022/2025 systems.
thehackernews.com
Last month, security researcher Chaotic Eclipse (aka Nightmare-Eclipse) published two zero-day exploits, BlueHammer and RedSun, that made Windows Defender offer up system administrator privileges. They did this after their disclosure reports were allegedly dismissed by Microsoft's security team, resulting in a vendetta of sorts.
TLDR:
YellowKey can be triggered simply by copying some files to a USB stick and rebooting to the Windows Recovery Environment. We tested this ourselves, and sure enough, not only does it work, it bears all the hallmarks of a backdoor, down to the exploit's files disappearing from the USB stick after it's used once.
The process is dead simple: grab any USB stick, get write access to the "System Volume Information," and copy into it the "FsTx" folder and its contents. Shift+click Restart to get Windows to the recovery environment, but then switch to holding down the Control key and don't let go. The machine will reboot, and without asking any questions or showing any menus, will drop you in an elevated command line with full access to the formerly Bitlocked drive, without asking for any keys.
Eclipse notes that using a full TPM-and-PIN setup doesn't help, as apparently, they have a variant for that scenario that they haven't published a PoC for.
Here is the good news (?):
The system itself needs to be physically stolen. The drive cannot be taken and then moved to another computer and accessed with this method.
BleepingComputer notes the public YellowKey exploit must be used on the original device where the TPM holds the keys, not by simply removing the drive and decrypting it elsewhere.
It is worth pointing out that this attack is different from the BitLocker downgrade that was discovered slightly earlier; patching with the new Secure Boot certificate luckily fixes that specific issue. YellowKey, however, has no fix yet.
BitLocker Downgrade Attack Uncovered
The development comes as French cybersecurity company Intrinsec detailed an attack chain against BitLocker that leverages a boot manager downgrade by exploiting CVE-2025-48804 (CVSS score: 6.8) to bypass the encryption protection on fully patched Windows 11 systems in under five minutes.
"The principle is as follows: the boot manager loads the System Deployment Image (SDI) file and the WIM referenced by it, and verifies the integrity of the legitimate WIM," Intrinsec said.
"However, when a second WIM is added to the SDI with a modified blob table, the boot manager checks the first (legitimate) WIM while simultaneously booting from the second (controlled by the attacker). This second WIM contains a WinRE image infected with 'cmd.exe,' which executes with the decrypted BitLocker volume."
While fixes released by Microsoft in July 2025 plugged this security defect, security researcher Cassius Garat said the problem lies in the fact that Secure Boot only verifies a binary's signing certificate, not its version. As a result, a vulnerable version of "bootmgfw.efi" that does not contain the patch and is signed with the trusted PCA 2011 certificate can be used to get around BitLocker safeguards.
It's worth noting that Microsoft plans to retire the old PCA 2011 certificates next month. "And as long as it is not revoked, even an old, vulnerable boot manager can be loaded without triggering an alert," Intrinsec noted. To pull off the attack, a bad actor needs to have physical access to the target machine.
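For anyone wanting to see where their own machines stand on the points the downgrade write-up raises (whether the old PCA 2011 signer is still trusted or already in the revocation list, whether the 2023 UEFI CA is present, which protectors guard the OS drive, and whether WinRE is enabled), here is an inventory script. It is an added example, not code from the articles or from the Nightmare-Eclipse repositories; it assumes an elevated PowerShell session on a UEFI Windows 10/11 or Server machine with the built-in SecureBoot and BitLocker modules available. It only reads state and changes nothing.

```powershell
# Added example (not from the articles or the researcher's repositories).
# Read-only inventory of the Secure Boot / BitLocker / WinRE state discussed above.
# Assumes: elevated PowerShell, UEFI firmware, SecureBoot and BitLocker modules present.

function Get-BootTrustState {
    $result = [ordered]@{}

    # Secure Boot enforcement. Confirm-SecureBootUEFI throws on legacy BIOS,
    # so treat an exception as "not enforced".
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false }

    if ($result.SecureBootEnabled) {
        # db = allowed signers, dbx = revoked signers. Both come back as raw bytes;
        # certificate subject names sit as ASCII inside the DER blobs, so a plain
        # string match is enough for an inventory (not a cryptographic check).
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

        # An old bootmgfw.efi signed by PCA 2011 loads as long as this is true...
        $result.PCA2011Trusted    = $db  -match 'Microsoft Windows Production PCA 2011'
        # ...and is refused once the 2011 CA has been added to the forbidden list.
        $result.PCA2011Revoked    = $dbx -match 'Microsoft Windows Production PCA 2011'
        $result.UefiCa2023Present = $db  -match 'Windows UEFI CA 2023'
    }

    # Protector types on the OS volume (Tpm, TpmPin, RecoveryPassword, ...).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.BitLockerProtection = $os.ProtectionStatus
    $result.KeyProtectors       = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

    # Both attacks boot into WinRE; record whether it is enabled on this machine.
    $winre = reagentc /info | Select-String 'Windows RE status'
    $result.WinREStatus = if ($winre) { $winre.ToString().Trim() } else { 'unknown' }

    [pscustomobject]$result
}

Get-BootTrustState | Format-List
```

A machine on which PCA2011Trusted is true and PCA2011Revoked is false is in the state the Intrinsec write-up describes: a downgraded boot manager signed by the 2011 certificate would still pass Secure Boot. The output is only an inventory; it does not apply the certificate update or change any BitLocker settings.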
GitHub - Nightmare-Eclipse/YellowKey: YellowKey Bitlocker Bypass Vulnerability
GitHub - Nightmare-Eclipse/GreenPlasma: GreenPlasma Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability