Microsoft BitLocker Bypass Exploit YellowKey Lets Attackers Open Drives Without Keys

New BitLocker bypass exploit named YellowKey lets attackers open encrypted drives without keys on Windows Server 2022 and 2025. Security researcher Chaotic Eclipse disclosed the vulnerability.

Microsoft BitLocker Bypass Exploit YellowKey Lets Attackers Open Drives Without Keys

Security researcher Chaotic Eclipse has disclosed two zero-day exploits targeting Microsoft BitLocker encryption. The first vulnerability, named YellowKey, allows attackers to bypass BitLocker protection entirely. This exploit grants full access to a locked drive without requiring the encryption keys or passwords. Eclipse claims the vulnerability works even when users have configured TPM-and-PIN security measures.

Security researcher discloses zero-day bypassing encryption on Windows Server

YellowKey is triggered by copying specific files to a USB stick and rebooting the system into the Recovery Environment. The exploit reportedly affects Windows Server 2022 and Windows Server 25. It does not appear to work on Windows 10. Testing by Tom's Hardware suggests that the exploit files disappear from the USB stick after a single use, which may hinder forensic analysis.

YellowKey zero-day exploit bypasses BitLocker drive encryption on Windows Server systems without requiring keys or passwords.
The YellowKey vulnerability allows attackers to access locked drives by copying specific files to a USB stick and rebooting.

The second disclosed vulnerability is GreenPlasma, which performs a local privilege escalation. This exploit targets the CTFMon process on Windows systems. Eclipse has not published a complete proof-of-concept for GreenPlasma. Security Online and Cyderes have analyzed the claims, though the incomplete nature of the proof-of-concept leaves some details unverified.

Eclipse previously published two other zero-day exploits named BlueHammer and RedSun. Microsoft has patched BlueHammer, and Eclipse claims the company silently patched RedSun without official confirmation. No official response from Microsoft regarding YellowKey or GreenPlasma has been confirmed as of the publication date.

Security researcher Chaotic Eclipse disclosed two zero-day exploits, YellowKey and GreenPlasma, targeting Microsoft BitLocker encryption.

Eclipse stated that they could have made significant money selling these vulnerabilities but chose to disclose them publicly. The researcher cited a determination against Microsoft as the primary motivation for the disclosure. The security community continues to monitor the situation as patching efforts may vary across different Windows Server versions.

Discussion

0 comments

Log in to join the thread with a thoughtful take, question, or correction.

Add to the discussion