Is BitLocker Hiding a Deliberate Backdoor? Inside the YellowKey Bypass Attack

A security researcher released the YellowKey proof‑of‑concept showing that, on Windows 11 and Server 2022/2025, BitLocker can be bypassed without a password or recovery key by using a crafted USB and multiple reboots, sparking accusations that Microsoft may have embedded a backdoor in the WinRE component.

Black & White Path

Vulnerability Overview and Impact

On May 12, 2026, the researcher known as Nightmare‑Eclipse (alias "Chaos Eclipse") published two zero‑day exploits on GitHub: YellowKey, which bypasses BitLocker full‑disk encryption, and GreenPlasma, a local privilege‑escalation flaw in the CTFMON service. YellowKey affects Windows 11 (all editions), Windows Server 2022, and Windows Server 2025, while Windows 10 is not vulnerable because the exploited component does not exist in its WinRE image.

Attack Chain Deep Dive

2.1 Simplified Attack Flow

Step 1 – Prepare the attack medium. The attacker copies a specially crafted FsTx (Transactional NTFS log) folder to the USB drive’s System Volume Information directory or to the target disk’s EFI partition.

Step 2 – Trigger WinRE. Inserting the USB and holding Shift while clicking Restart forces the system into the Windows Recovery Environment (WinRE).

Step 3 – Induce downgrade. During the reboot the attacker holds Ctrl, causing WinRE to replay the FsTx transaction logs. The logs delete winpeshl.ini, forcing a fallback to a command‑line prompt where the BitLocker volume is already unlocked by the TPM.

The resulting command line has full read/write access to the BitLocker‑protected drive without any password or recovery key.

2.2 Core Exploitation Mechanism: Transactional NTFS

YellowKey leverages the TxF (Transactional NTFS) feature. WinRE replays the FsTx logs at boot, and those logs can modify files on a different volume. Security expert Will Dormann notes that allowing a log on one volume to alter another is a deep security flaw.

The vulnerable code component exists only in the WinRE image; the same‑named component in a normal Windows installation lacks the BitLocker‑bypass capability, strengthening the backdoor allegation.

2.3 Self‑Destruct After Execution

Tom’s Hardware observed that the malicious files delete themselves from the USB after a single execution, leaving no trace.

Backdoor Allegations and Microsoft’s Response

3.1 Researcher’s Evidence

Code location anomaly: The exploit code resides solely in WinRE.

Unexplained behavior: The researcher could not find any explanation other than intentional insertion; only newer Windows versions are affected.

Self‑destruct feature: Automatic removal of the FsTx files mirrors government‑grade backdoors.

Patch timing doubt: The PoC was released the same day Microsoft issued its May Patch Tuesday, suggesting the vulnerability was known before the patch.

3.2 Microsoft’s Position

As of May 18, 2026, Microsoft has not issued an official statement. The Microsoft Security Response Center (MSRC) only indicated that the issue is under investigation.

Independent experts Kevin Beaumont and Will Dormann confirmed that the vulnerability works as described, and Elcomsoft published a detailed cryptographic and forensic analysis confirming the exploit's reliability.

Is TPM + PIN Still Safe?

The researcher claims the YellowKey exploit also works when BitLocker is protected by TPM + PIN, although the full PoC for that configuration was not released. This suggests that the widely deployed three‑factor protection (BitLocker + TPM + PIN) may be insufficient against this attack.

GreenPlasma: Concurrent Privilege‑Escalation Flaw

GreenPlasma abuses an arbitrary registry key creation flaw in the CTFMON service, allowing a low‑privilege user to write to SYSTEM‑writable objects and eventually obtain SYSTEM privileges. The published PoC is incomplete—key code for a full SYSTEM shell was deliberately omitted—but it still triggers a UAC prompt, exposing an attack surface on Windows 11, Server 2022, and Server 2026.

Mitigation Recommendations

Disable WinRE: Cuts the attack path at its source.

Set BIOS/UEFI boot password: Prevents attackers from easily rebooting into WinRE.

Strengthen physical security: Physical access is required to insert the malicious USB.

Temporarily use Windows 10: Windows 10 is not affected by YellowKey.

Evaluate VeraCrypt or other third‑party full‑disk encryption: Long‑term alternative to BitLocker.

For enterprise security teams, immediate actions include inventorying BitLocker‑enabled devices, applying BIOS passwords on high‑value assets, monitoring Microsoft security advisories, and testing third‑party encryption solutions.
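The inventory step above, as an added example that is not part of the article or the researcher's code: a PowerShell script that lists each BitLocker volume's key protector types and the local WinRE state, so hosts relying on a TPM‑only protector with WinRE enabled can be found first. It assumes an elevated session on Windows 11/Server with the BitLocker module, and the Risk labels are this example's own mapping of the article's claims, not a Microsoft rating.

```powershell
# Added example: inventory BitLocker protectors and WinRE state on the local host.
# Assumes elevation and the BitLocker PowerShell module (Get-BitLockerVolume).
#Requires -RunAsAdministrator

function Get-WinReState {
    # reagentc /info prints a line such as "Windows RE status:   Enabled"
    $info = & reagentc.exe /info 2>&1 | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Get-BitLockerRisk {
    $winre = Get-WinReState
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # Risk mapping is an assumption based on the article: the published PoC targets
        # TPM-only volumes; the researcher also claims TPM+PIN is affected.
        $risk = if ($vol.ProtectionStatus -ne 'On') { 'Unencrypted/Suspended' }
                elseif ($types -contains 'Tpm')     { 'High (TPM-only, no PIN)' }
                elseif ($types -contains 'TpmPin')  { 'Medium (TPM+PIN, claimed affected)' }
                else                                { 'Review' }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MountPoint = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ',')
            WinRE      = $winre
            Risk       = $risk
        }
    }
}

# Run on each host (for example via Invoke-Command) and collect the results centrally.
Get-BitLockerRisk | Format-Table -AutoSize

# The article's first mitigation, applied deliberately to hosts flagged above (not run here):
#   reagentc.exe /disable   # turns off WinRE, the component the exploit lives in
```

Disabling WinRE also removes the built-in startup repair and reset tooling, so verify your recovery procedures on a test machine before rolling the change out.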

Researcher Background and Motivation

Nightmare‑Eclipse has previously disclosed three Windows Defender zero‑days (BlueHammer, RedSun, UnDefend). Frustrated by perceived dismissals from Microsoft’s security team, the researcher chose public disclosure over selling the bugs, stating that “no amount of money can stop my resolve against Microsoft.”

Timeline of Events

Mar‑Apr 2026: BlueHammer, RedSun, UnDefend disclosed.

May 12 2026: Microsoft’s May Patch Tuesday released (130+ fixes).

May 12 2026: YellowKey and GreenPlasma PoCs published.

May 13 2026: Independent experts validate the vulnerabilities.

May 13‑14 2026: Major media outlets (Ars Technica, Tom’s Hardware, The Hacker News) report the findings.

May 14 2026: Researcher updates blog, confirming TPM + PIN impact.

May 18 2026: Elcomsoft releases deep technical analysis; Microsoft still silent.

Detection and Defense (Blue‑Team Perspective)

Detection is challenging because the attack requires physical USB insertion and the malicious FsTx files self‑delete. Recommended detection points:

Environment layer: Audit WinRE configuration and monitor unexpected WinRE launches (e.g., Shift+Restart events).

Network layer: Consider the risk of offline cracking of BitLocker recovery keys if a device is stolen.

Incident response: If a device was in an attacker’s possession and lacked PIN protection, assume the volume may be decrypted and perform a full reinstall and key rotation.

The technique maps to the MITRE ATT&CK tactics “TPM Hijacking” (TA‑0008) and “Exploitation of Removable Media” (T0852).

In conclusion, the YellowKey vulnerability raises serious questions about the integrity of BitLocker’s design and whether an intentional backdoor exists in the WinRE component. Organizations relying on BitLocker for compliance should reassess their encryption strategy while awaiting an official Microsoft patch.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
