YellowKey Exploit: How a Zero-Day Instantly Breaks Windows 11 BitLocker


The YellowKey zero-day exploit, recently published by a researcher known as Nightmare-Eclipse, poses a serious threat to Windows 11 systems that rely on default BitLocker encryption. By exploiting a custom FsTx folder tied to transactional NTFS, an attacker with physical access can bypass the trusted platform module (TPM) storing the decryption key and unlock an encrypted drive in seconds. This Q&A breaks down how the exploit works, why it matters, and what you can do to stay protected.

What is the YellowKey exploit?

YellowKey is a zero-day vulnerability that completely circumvents the default BitLocker encryption on Windows 11 systems. It was released by security researcher Nightmare-Eclipse and requires only physical access to the target device. Once deployed, the exploit grants full access to an encrypted drive within seconds, bypassing the TPM chip that normally holds the decryption key. This makes YellowKey particularly dangerous for organizations where BitLocker is mandatory, such as government contractors or enterprise environments.

YellowKey Exploit: How a Zero-Day Instantly Breaks Windows 11 BitLocker
Source: feeds.arstechnica.com

How does YellowKey bypass the TPM protection?

The exploit leverages a custom-made FsTx folder associated with the file fstx.dll. This folder interacts with transactional NTFS, a Windows feature that allows developers to perform atomic file operations across multiple sources. By manipulating transactional atomicity, YellowKey forces the system to reveal encrypted data without requiring the TPM-stored key. The attack works because default BitLocker configurations trust the TPM to validate the boot process, but YellowKey interferes at a lower level, tricking the system into thinking the decryption has already occurred.

What is the FsTx folder and fstx.dll?

Online documentation for the FsTx folder is scarce, but it appears to be directly tied to transactional NTFS (TxF). TxF is a Windows API that lets developers group file operations into a single transaction—if any part fails, all changes roll back. The fstx.dll is a dynamic link library that manages these transactions. YellowKey creates a custom FsTx directory to inject malicious transactional commands, effectively rewriting the decryption process. For more detail on how TxF works, see our explanation above.

Who discovered and published YellowKey?

The exploit was published earlier this week by a researcher using the alias Nightmare-Eclipse. Little is known about their identity, but the researcher provided detailed proof-of-concept code and a technical write-up. The publication has sparked urgent discussions in cybersecurity circles because YellowKey reliably defeats default Windows 11 BitLocker deployments without requiring any user interaction or elevated privileges—just physical access to the machine.

What are the implications for Windows 11 users?

For organizations that mandate BitLocker—especially those handling sensitive government or corporate data—YellowKey represents a critical risk. Any attacker who can physically touch a Windows 11 device can extract all encrypted files within seconds. This undermines the fundamental trust placed in TPM-based protection. Individual users may also be affected if they rely solely on BitLocker's defaults without additional safeguards like a boot PIN or a startup key. The exploit is already circulating online, making it available to would-be attackers.


Can YellowKey be mitigated or blocked?

Yes. The safeguards named elsewhere in this article reduce the risk: add a pre-boot PIN or a startup key to the TPM protector, so that the TPM alone cannot release the volume key at boot.

Until a fix is available, relying solely on TPM-based BitLocker is not recommended for high-security environments.
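The following PowerShell script is an added example, not code from the article or from the researcher it describes. It shows the check a defender would run on a Windows 11 fleet in response to the advice above: audit which key protectors the OS volume has, and if the only authentication protector is a bare TPM (the default configuration the article says is affected), replace it with a TPM+PIN protector. It uses only the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector). Assumptions: the OS volume is mounted at C:, the session is elevated, and Group Policy already permits a startup PIN ("Require additional authentication at startup"); the six-digit minimum is a chosen baseline, not a value from the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Audits BitLocker protectors on the OS
# volume and upgrades a TPM-only configuration to TPM+PIN.
# Assumption: OS volume is C: and policy allows a startup PIN.

$MountPoint = 'C:'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$types = $vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType

Write-Host "Volume $MountPoint - protection: $($vol.ProtectionStatus), state: $($vol.VolumeStatus)"
Write-Host "Key protectors: $($types -join ', ')"

# A volume whose only TPM-based protector is 'Tpm' unlocks without any user
# input at boot. TpmPin / TpmPinStartupKey already require a pre-boot secret.
$tpmOnly = ($types -contains 'Tpm') -and
           -not ($types -contains 'TpmPin') -and
           -not ($types -contains 'TpmPinStartupKey')

if (-not $tpmOnly) {
    Write-Host 'A PIN or startup-key protector is already present; nothing to change.'
    return
}

# Never remove the TPM protector unless a recovery password exists to fall
# back on; otherwise a failed step could leave the volume unrecoverable.
if (-not ($types -contains 'RecoveryPassword')) {
    throw "No RecoveryPassword protector on $MountPoint. Add one and back it up before continuing."
}

Write-Warning "$MountPoint relies on a bare TPM protector; switching to TPM+PIN."

# Read the PIN as a SecureString so it is not written to the console history.
$pin     = Read-Host -Prompt 'New pre-boot PIN (digits only)' -AsSecureString
$confirm = Read-Host -Prompt 'Confirm PIN' -AsSecureString
$pinText     = [System.Net.NetworkCredential]::new('', $pin).Password
$confirmText = [System.Net.NetworkCredential]::new('', $confirm).Password
if ($pinText -ne $confirmText) { throw 'PINs do not match.' }
if ($pinText.Length -lt 6)     { throw 'Use at least 6 digits (baseline chosen for this example).' }

# Only one TPM-based protector may exist at a time, so remove the bare TPM
# protector first, then add the TPM+PIN protector in its place.
$vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# Re-read and report the final state so the change can be verified.
$after = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Protectors now: $(($after.KeyProtector.KeyProtectorType) -join ', ')"
```

The recovery-password check matters in practice: the window between removing the TPM protector and adding the TPM+PIN protector is short, but if the second step fails (for example because policy forbids PINs), the recovery password is what keeps the volume openable. The same audit logic, without the modification steps, can be run read-only across an estate to find every machine still on the TPM-only default.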

What is the technical mechanism behind YellowKey?

At its core, YellowKey exploits transactional NTFS to manipulate the system into thinking the encrypted volume has already been validated by the TPM. The attacker creates a custom FsTx folder with a specially crafted transactional command sequence involving fstx.dll. This sequence alters the boot flow so that the decryption key is never actually queried from the TPM. Instead, the drive is mounted in an unencrypted state. The entire process takes only seconds and does not require any special software—just the exploit code copied onto a USB drive.

How does this compare to other BitLocker attacks?

Previous BitLocker attacks have often required expensive hardware (e.g., cold boot attacks) or complex timing manipulations (e.g., DMA attacks). YellowKey is unique because it is fast, reliable, and requires no specialized equipment. It is a pure software-based exploit that works against default configurations. While some attacks target pre-boot environments, YellowKey operates within Windows itself, making it more accessible to a wide range of attackers. However, like other exploits, it can be mitigated by adding a PIN or key.
