How the 'FailRelock' Flag Let Attackers Bypass BitLocker for the Fifth Time
A debug flag named FailRelock in Windows' recovery environment disables BitLocker relocking when set to 1, allowing an attacker with a USB drive and a modified INI file to obtain full access to encrypted drives. It is the fifth such bypass in five years; this article covers the attack steps, technical analysis, and mitigation advice.
Incident Overview
Security researcher @weezerOSINT discovered a debug flag named FailRelock in the Windows Recovery Environment (WinRE). When the flag is set to 1, BitLocker never re‑locks after it is unlocked, effectively nullifying the encryption.
Attack Steps (single‑USB method)
Ordinary users:
┌──────────────────────────────────────────────────┐
│ 1. Boot a USB stick into WinRE                   │
│ 2. Create RecoverySimulation.ini                 │
│ 3. Set Active=Yes, FailRelock=1                  │
│ 4. WinRE unlocks BitLocker                       │
│ 5. Launch cmd.exe, gaining full access           │
│ 6. Encrypted drive is now exposed                │
└──────────────────────────────────────────────────┘
Microsoft engineers:
┌──────────────────────────────────────────────────┐
│ "Testing's done, let's not delete the code yet"  │
│ "Users won't notice anyway"                      │
│ "Let's just call the flag FailRelock"            │
│ "After all, we're Microsoft"                     │
└──────────────────────────────────────────────────┘
The entire exploit requires only a USB stick and a modified RecoverySimulation.ini file; no expensive hardware, zero‑day exploits, or GPU cracking is needed.
Intended Purpose of the Flag
Designed as a test switch to keep the system unlocked during debugging.
When enabled, the lock operation fails permanently.
The literal name “FailRelock” reflects this behavior.
BitLocker Bypass History (2022‑2026)
2022 – CVE‑2022‑41099 (BitLocker bypass)
2023 – CVE‑2023‑21563 (BitLocker bypass)
2024 – CVE‑2024‑20666 (BitLocker bypass)
2024 – BitUnlocker (BitLocker bypass)
2026 – YellowKey (FailRelock) (BitLocker bypass)
Five incidents in five years illustrate a recurring design issue rather than isolated bugs.
Technical Reasoning
BitLocker’s trust model:
Normal boot: TPM verification → unlock → system starts
Recovery boot: WinRE environment → unlock → cmd prompt appears
BitLocker assumes WinRE is a trusted recovery environment. The hidden FailRelock switch breaks this assumption, allowing an attacker to keep the drive unlocked after WinRE‑based recovery.
Analogy: a house with a sturdy front door but a spare key hidden behind a nail labeled “test only”.
Mitigation Measures
Enable Secure Boot – prevents booting from external USB media.
TPM 2.0 + PIN – adds a credential requirement that makes pure physical attacks harder.
Disable USB boot – can be turned off in the BIOS/UEFI settings.
Regular system updates – ensures any future patches for the design flaw are applied.
Physical attacks remain difficult to fully prevent, but limiting easy access to the machine reduces exposure.
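The following posture check is an added example, not code from the article or the researcher. It reports which of the mitigations above are in place on a Windows 10/11 machine: Secure Boot state, TPM readiness, whether BitLocker protection is on for each volume, whether the OS volume requires a PIN in addition to the TPM, and how recently an update was installed. It assumes an elevated PowerShell session with the SecureBoot, TrustedPlatformModule and BitLocker modules available; the USB‑boot setting lives in firmware and cannot be read from the OS, so it must still be checked in the BIOS/UEFI setup.

```powershell
# Added example: BitLocker mitigation posture check (not from the article).
# Assumes an elevated PowerShell session on Windows 10/11 with the SecureBoot,
# TrustedPlatformModule and BitLocker modules present.

$findings = @()

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS systems,
#    which is itself a finding: no Secure Boot is possible there.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += "Secure Boot is disabled" }
} catch {
    $findings += "Secure Boot unsupported or firmware is in legacy BIOS mode"
}

# 2. TPM presence and readiness.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent)   { $findings += "No TPM detected" }
elseif (-not $tpm.TpmReady) { $findings += "TPM present but not ready" }

# 3. Per-volume BitLocker protection and boot-time credential requirement.
foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "$mp : BitLocker protection is $($vol.ProtectionStatus)"
        continue
    }
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    if ($mp -eq $env:SystemDrive) {
        # A TPM-only protector releases the key silently at boot; a PIN
        # (TpmPin / TpmPinStartupKey) is the "TPM 2.0 + PIN" mitigation.
        if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
            $findings += "$mp : OS volume has no TPM+PIN protector (protectors: $($types -join ', '))"
        }
    }
}

# 4. Most recent installed update, as a rough proxy for patch currency.
#    The 45-day threshold is an assumed policy value, not from the article.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and $latest.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings += "Last update installed $($latest.InstalledOn.ToShortDateString()); run Windows Update"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: Secure Boot on, TPM ready, volumes protected, OS volume requires a PIN."
} else {
    Write-Output "Findings:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated prompt; on a fleet, the `$findings` array is what you would ship to your inventory or SIEM rather than the console text. The PIN check only looks at the OS volume because that is the volume WinRE unlocks during recovery; data volumes auto‑unlocked from the OS volume inherit its protection.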
Code‑Quality Reflection
"They left an entire debug testing framework in production."
Test code should be removed before release.
Debug switches must not be shipped to production environments.
Flags like FailRelock should carry a clear “_TEST_MODE_ONLY_DELETE_BEFORE_SHIP” suffix.
The flag remained in the released WinRE, likely due to oversight or schedule pressure, and was discovered five years later.
Future Outlook
The researcher hinted at a next vulnerability named GreenPlasma, described as an arbitrary‑segment privilege‑escalation issue in Windows CTFMON.