TL;DR
A security researcher has published a zero-day exploit named YellowKey that allows full access to BitLocker-encrypted drives. This development raises urgent concerns about how far drive encryption can be trusted. The exploit is confirmed to work on Windows Server 2022 and 2025, but not on Windows 10.
Security researcher Chaotic Eclipse has publicly disclosed a zero-day exploit, named YellowKey, that can bypass Microsoft BitLocker encryption, granting full access to locked drives. This exposes a critical vulnerability affecting millions of devices worldwide, including enterprise and government systems, and raises urgent security concerns.
YellowKey exploits a vulnerability that allows an attacker to gain unrestricted access to a BitLocker-encrypted drive by simply copying specific files to a USB stick and rebooting into the Windows Recovery Environment. The attacker does not need the encryption keys, as the exploit leverages a flaw in the drive unlocking process. The researcher tested the exploit on Windows Server 2022 and 2025, confirming its effectiveness, but it does not work on Windows 10. After execution, the exploit files disappear from the USB device, suggesting backdoor-like behavior.
Chaotic Eclipse, known for previous disclosures of zero-day exploits, claims that this vulnerability is highly concealed and that it could have been sold for significant monetary gain but was instead released to expose the security flaw. The exploit reportedly remains unpatched by Microsoft, with the company yet to issue an official response. The researcher also indicated that a variant capable of bypassing TPM-and-PIN security setups exists but has not been publicly demonstrated.
Why It Matters
This vulnerability undermines the core security guarantee of BitLocker encryption, which is widely used to protect sensitive data across personal, corporate, and government devices. The ability to bypass encryption with a simple USB-based attack poses a severe threat, especially for laptops and portable devices that are physically accessible to attackers. The exploit’s potential to be weaponized in real-world scenarios makes it a critical security concern that could lead to data breaches, espionage, or malicious control over targeted systems.
Background
BitLocker has been a standard encryption tool in Windows since Windows Vista, with widespread deployment in enterprise and government environments. Previous zero-day vulnerabilities have been patched over the years, but the disclosure of YellowKey by Chaotic Eclipse marks a significant escalation, especially given the researcher’s history of exposing security flaws after alleged dismissals by Microsoft’s security team. The disclosure follows recent reports of other exploits, such as BlueHammer and RedSun, also by Eclipse, which targeted Windows Defender privilege escalation.
“This vulnerability is well-hidden, and I could have made some insane cash selling it, but no amount of money will stand between me and my determination against Microsoft.”
— Chaotic Eclipse
“Microsoft is aware of the reports and is investigating the claims. We take security vulnerabilities seriously and are committed to protecting our customers.”
— Microsoft spokesperson (unnamed)
What Remains Unclear
It remains unclear whether Microsoft is developing a patch or has already issued one in response to the YellowKey disclosure. Details about the full scope of the vulnerability, especially regarding the TPM-and-PIN bypass variant, are still emerging. The effectiveness of the exploit on different Windows versions, especially consumer editions, has not been fully confirmed.
What’s Next
Microsoft is expected to evaluate the vulnerability and potentially release security updates to address the flaw. Security researchers and organizations are advised to monitor official advisories and consider implementing additional security measures for encrypted drives. Further disclosures from Chaotic Eclipse or Microsoft may clarify the exploit’s scope and mitigation strategies.
Key Questions
Can this exploit be used on all Windows devices?
The YellowKey exploit has been confirmed to work on Windows Server 2022 and 2025, but it does not currently work on Windows 10. Its applicability to other Windows versions remains unconfirmed.
Does this vulnerability affect all BitLocker-encrypted drives?
It appears to affect BitLocker-protected drives that can be reached with the USB-and-Recovery-Environment method described above; whether other configurations are exposed is not yet known. Full details on scope are still emerging, and Microsoft has not yet issued an official patch.
What can users do to protect themselves now?
Users should follow Microsoft’s security advisories when available, consider additional physical security measures, and avoid leaving devices unattended in unsecured locations. Disabling automatic drive unlocking or using additional security layers may reduce risk temporarily.
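The mitigation advice above (remove automatic unlocking, add a security layer such as a PIN on top of the TPM) can be checked on a Windows host with the built-in BitLocker cmdlets. The script below is an added example, not code from the article or from the researcher; it assumes an elevated PowerShell session with the BitLocker module available, and the function name Get-BitLockerPostureReport is the author's own.

```powershell
# Added example: audit BitLocker volumes on this host and flag the two
# configurations the article's mitigation advice points at:
#   - an OS volume protected by the TPM alone (no PIN at boot)
#   - data volumes that auto-unlock as soon as the OS volume is unlocked
# Requires an elevated session and the BitLocker module (Windows 8+/Server 2012+).

function Get-BitLockerPostureReport {
    [CmdletBinding()]
    param(
        # When set, also clear the auto-unlock key on data volumes that have one.
        [switch]$RemoveAutoUnlock
    )

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # TpmPin / TpmPinStartupKey require a user secret before the OS volume
        # is unlocked; a bare Tpm protector unlocks it with no user interaction.
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin

        $finding = if ($vol.VolumeType -eq 'OperatingSystem') {
            if ($tpmOnly) { 'OS volume uses TPM-only protector; consider adding a PIN' } else { 'OK' }
        } elseif ($vol.AutoUnlockEnabled) {
            'Data volume auto-unlocks when the OS volume is unlocked'
        } else { 'OK' }

        if ($RemoveAutoUnlock -and $vol.VolumeType -eq 'Data' -and $vol.AutoUnlockEnabled) {
            # Remove the stored auto-unlock key so the volume needs its own protector.
            Disable-BitLockerAutoUnlock -MountPoint $vol.MountPoint | Out-Null
            $finding += ' (auto-unlock removed)'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            Finding          = $finding
        }
    }
}

# Report only; add -RemoveAutoUnlock to also clear auto-unlock on data volumes.
Get-BitLockerPostureReport | Format-Table -AutoSize
```

Adding a PIN addresses only the demonstrated variant; the article notes the researcher claims a TPM-and-PIN bypass exists but has not shown it, so treat the PIN as a risk reduction, not a complete fix.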
Will Microsoft patch this vulnerability?
Microsoft has not officially confirmed a patch or timeline but is reportedly investigating the claims. Users should stay alert for updates from Microsoft regarding security fixes.