A security researcher, known on GitHub as Nightmare-Eclipse, recently unveiled a significant vulnerability in Windows 11, referred to as YellowKey. This exploit enables an attacker to access the contents of a BitLocker-encrypted drive by exploiting the standard functionalities of the Windows Recovery Environment. Nightmare-Eclipse has characterized this discovery as “one of the most insane” findings in their experience.
Microsoft’s Response
This week, Microsoft acknowledged the existence of the vulnerability, criticizing the public dissemination of the YellowKey proof of concept for violating “coordinated vulnerability best practices.” The company has assigned the identifier CVE-2026-45585 to this issue and has offered some guidance on mitigation strategies. However, as of now, the BitLocker bypass remains unaddressed with a patch. Fortunately, the requirement for physical access to the targeted device provides a layer of protection against potential exploitation.
Cybersecurity firm Eclypsium has provided a detailed analysis of the vulnerability in a recent blog post. They explain that YellowKey operates by utilizing the Windows Recovery Environment to create a fully unlocked command shell for drives that the operating system still recognizes as encrypted. In practical terms, an attacker would only need a stolen Windows 11 laptop and a USB stick to execute the attack.
Technical Insights
Eclypsium further clarifies that this vulnerability does not appear in Windows 10, as the relevant component of the Windows Recovery Environment behaves differently in that version. The attacker-supplied media can be formatted as NTFS, FAT32, or exFAT, which gives the attacker several options for staging the payload.
Nightmare-Eclipse speculates that the bypass may function more like a backdoor. They note that the component responsible for this vulnerability is unique to the WinRE image and is not found elsewhere online. Interestingly, the same component exists in a standard Windows installation but lacks the functionalities that lead to the BitLocker bypass.
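The conditions the write-up turns on are a Windows 11 host, BitLocker, and an enabled Windows Recovery Environment, so the first thing a defender wants is an inventory of exactly those three facts across the fleet. The script below is an added example (not code from the article, from Nightmare-Eclipse, from Eclypsium, or from Microsoft); it uses only the stock BitLocker PowerShell module, the reagentc.exe command and WMI, and it assumes an elevated shell on the machine being checked. It reports, and does not change, the BitLocker and WinRE state; it makes no claim about which settings block CVE-2026-45585, since the article does not say.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only inventory of BitLocker protection, WinRE state and OS build.
# Assumptions: Windows 11 with the BitLocker module installed; run from an elevated shell.

function Get-BitLockerPosture {
    # One row per volume: whether protection is on, how far encryption got,
    # and which key-protector types (Tpm, TpmPin, RecoveryPassword, ...) are configured.
    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            Drive            = $vol.MountPoint
            ProtectionStatus = [string]$vol.ProtectionStatus   # On / Off
            VolumeStatus     = [string]$vol.VolumeStatus       # e.g. FullyEncrypted
            EncryptionMethod = [string]$vol.EncryptionMethod
            KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

function Get-WinREState {
    # reagentc /info prints the recovery-environment status; parse the two lines we care about.
    $text = (& reagentc.exe /info 2>&1) | Out-String
    $location = if ($text -match 'Windows RE location:\s+(\S.*)') { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        WinREEnabled = [bool]($text -match 'Windows RE status:\s+Enabled')
        Location     = $location
    }
}

function Get-OsBuild {
    # Build 22000 is the first Windows 11 release; anything lower is Windows 10 or older.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption     = $os.Caption
        Build       = [int]$os.BuildNumber
        IsWindows11 = ([int]$os.BuildNumber -ge 22000)
    }
}

function Invoke-YellowKeyInventory {
    # Collects the three facts the write-up names and emits plain findings for a ticket or SIEM.
    $os      = Get-OsBuild
    $winre   = Get-WinREState
    $volumes = @(Get-BitLockerPosture)

    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($v in $volumes) {
        if ($v.ProtectionStatus -ne 'On') {
            $findings.Add("Volume $($v.Drive): BitLocker protection is $($v.ProtectionStatus) ($($v.VolumeStatus))")
        }
    }
    if ($os.IsWindows11 -and $winre.WinREEnabled) {
        $findings.Add("Windows 11 build $($os.Build) with WinRE enabled at $($winre.Location): matches the conditions described for YellowKey; apply Microsoft's current guidance")
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        OS       = $os
        WinRE    = $winre
        Volumes  = $volumes
        Findings = $findings
    }
}

# Usage: run interactively, or export the object to JSON for collection.
$report = Invoke-YellowKeyInventory
$report.OS      | Format-List
$report.WinRE   | Format-List
$report.Volumes | Format-Table -AutoSize
$report.Findings
# $report | ConvertTo-Json -Depth 4 | Set-Content "$env:COMPUTERNAME-bitlocker-winre.json"
```

Running this from a management tool against every Windows 11 laptop gives a list of machines where the described preconditions hold, which is the population to prioritise for whatever mitigation Microsoft's guidance specifies and, for stolen devices, the ones whose encrypted contents should be assumed at risk.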
Microsoft has yet to confirm this theory, referring to the issue as “a security feature bypass vulnerability.” This incident is not isolated; earlier this year, another researcher highlighted a different vulnerability involving the new Recall feature in Windows 11, raising concerns about AI integration. Additionally, the latest iteration of Notepad has been found to contain a remote code execution vulnerability; YellowKey, by contrast, does not allow remote code execution. That may be a minor consolation, but it is a small victory for Microsoft amid a landscape of ongoing security challenges.