{"id":335189,"date":"2026-05-15T15:01:47","date_gmt":"2026-05-15T09:31:47","guid":{"rendered":"https:\/\/ebiztoday.news\/?p=335189"},"modified":"2026-05-15T15:01:47","modified_gmt":"2026-05-15T09:31:47","slug":"zero-day-exploit-completely-defeats-default-windows-11-bitlocker-protections","status":"publish","type":"post","link":"https:\/\/ebiztoday.news\/index.php\/2026\/05\/15\/zero-day-exploit-completely-defeats-default-windows-11-bitlocker-protections\/","title":{"rendered":"Zero-day exploit completely defeats default Windows 11 BitLocker protections"},"content":{"rendered":"<div>\n<p>A zero-day exploit circulating online allows individuals with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted drive within seconds.<\/p>\n<p>The exploit, named YellowKey, was <a href=\"https:\/\/github.com\/Nightmare-Eclipse\/YellowKey\">published<\/a> earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secure piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments.<\/p>\n<h2>When one disk volume manipulates another<\/h2>\n<p>The core of the YellowKey exploit is a custom FsTx folder. Online documentation of this folder is hard to find. 
As explained later, the directory related to the file fstx.dll appears to involve what Microsoft calls <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/fileio\/deprecation-of-txf\">transactional NTFS<\/a>, which gives developers \u201ctransactional atomicity\u201d for file operations involving a single file, multiple files, or ones that span multiple sources.<\/p>\n<p>The steps for carrying out the bypass are simple:<\/p>\n<ol>\n<li>Copy the custom FsTx folder from the Nightmare-Eclipse exploit page to an NTFS- or FAT-formatted USB drive<\/li>\n<li>Connect the USB drive to the BitLocker-protected device<\/li>\n<li>Boot up the device and immediately press and hold down the [Ctrl] key<\/li>\n<li>Enter Windows recovery<\/li>\n<\/ol>\n<p>There are at least two ways to perform the third step. One is to boot into Windows, hold down the [Shift] key, click the power icon, and click restart. The other is to power on the device and restart it as soon as Windows starts booting.<\/p>\n<p>In either case, a command (CMD.EXE) prompt appears. The prompt has full access to the complete drive contents, allowing an attacker to copy, modify, or delete them. In a normal Windows Recovery flow, the attacker would need to enter a BitLocker recovery key. Somehow, the YellowKey exploit bypasses this safeguard. Multiple researchers, including <a href=\"https:\/\/infosec.exchange\/@GossiTheDog@cyberplace.social\/116565662576692726\">Kevin Beaumont<\/a> and <a href=\"https:\/\/infosec.exchange\/@wdormann\/116565129854382214\">Will Dormann<\/a>, have confirmed the exploit works as described here.<\/p>\n<p>It\u2019s unclear what within the custom FsTx folder causes the bypass. 
Dormann said that it appears to be related to Transactional NTFS, which itself uses the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/kernel\/introduction-to-the-common-log-file-system\">Common Log File System<\/a> under the hood. Dormann further noted that the Windows fstx.dll contains code that explicitly looks for System Volume Information\\FsTx within the FsTxFindSessions() function.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A zero-day exploit circulating online allows individuals with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted drive within seconds. The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":335190,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[51755,1506,5938,8936,2592,22055,2379,19671],"class_list":["post-335189","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-bitlocker","tag-completely","tag-default","tag-defeats","tag-exploit","tag-protections","tag-windows","tag-zeroday"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/335189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/comments?post=335189"}],"version-history":[{"count":2,"href":"https:\/\/ebiztoday.n
ews\/index.php\/wp-json\/wp\/v2\/posts\/335189\/revisions"}],"predecessor-version":[{"id":335192,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/335189\/revisions\/335192"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/media\/335190"}],"wp:attachment":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/media?parent=335189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/categories?post=335189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/tags?post=335189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}