A researcher collective known as Chaotic Eclipse published a proof-of-concept exploit for a zero-day Windows BitLocker bypass they named “YellowKey,” demonstrating that an attacker with physical or remote WinRE access can decrypt BitLocker-protected drives without knowing the PIN, password, or recovery key. Microsoft has not yet assigned a CVE or released a patch. The release places immediate pressure on organisations that rely on BitLocker as their primary endpoint data protection control.
Technical Detail
Windows Recovery Environment (WinRE) is a stripped-down Windows instance that boots from a dedicated recovery partition to enable system repair and troubleshooting. The YellowKey technique exploits a memory management flaw in how WinRE interacts with BitLocker’s full volume encryption key (FVEK) cache under specific recovery boot conditions.
The attack requires one of the following starting positions:
- Physical access: Boot from WinRE on a BitLocker-protected device (possible without authentication on systems without pre-boot PIN enforcement)
- Remote WinRE trigger: On systems with WinRE reachable via remote management channels (Intune, MDM, or network-accessible boot options), the WinRE boot can be initiated remotely
Once in WinRE, the PoC exploits the flaw to extract the FVEK from memory and uses it to decrypt the drive contents, effectively bypassing BitLocker’s encryption without requiring any credential. The PoC includes a script that automates the extraction and a proof-of-decryption demonstrating the technique on Windows 10 22H2 and Windows 11 24H2.
Microsoft confirmed it is investigating the report but stated no patch is currently available. No workaround has been officially provided.
What This Means for Defenders
BitLocker is widely deployed as the answer to two compliance requirements: GDPR’s requirement for appropriate technical measures to protect data at rest, and numerous industry frameworks that mandate full-disk encryption on portable devices. The YellowKey PoC demonstrates that BitLocker without pre-boot authentication (PIN or USB key requirement at boot) does not protect against a motivated attacker with physical access or WinRE trigger capability.
Specifically:
- BitLocker with TPM only (the most common enterprise configuration, enabling transparent encryption without user interaction) is vulnerable. The TPM releases the FVEK automatically on normal boots and, in affected configurations, also during WinRE sessions.
- BitLocker with TPM + PIN significantly reduces but may not fully eliminate risk depending on whether the PIN enforcement applies in all WinRE entry paths.
- Microsoft’s EEMS (Exchange Emergency Mitigation Service) equivalent for BitLocker does not exist — there is no in-band mitigation Microsoft can push without a full patch.
Recommended Actions
- Enable pre-boot PIN/USB: For high-risk devices — executive laptops, systems holding sensitive data — enforce BitLocker pre-boot PIN authentication via Group Policy (Require additional authentication at startup). This breaks the automatic TPM unlock that YellowKey depends on.
- Restrict WinRE access: Review MDM and Intune policies for any configuration that allows remote WinRE boot. Disable network-accessible WinRE trigger capabilities where not operationally required.
- Physical security: Devices without pre-boot PIN protection should be treated as decryptable by any party with physical access until a patch is available. Classify accordingly for handling and disposal procedures.
- Monitor Microsoft MSRC: Subscribe to MSRC notifications for CVE assignment and patch availability. Given the PoC is public, the patch window should be expected to be short.
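The following PowerShell audit is an added example, not code from the article or from the Chaotic Eclipse PoC: it lists every BitLocker volume whose only boot-time protector is the TPM (the configuration the article describes as exposed), checks whether the "Require additional authentication at startup" policy actually requires a PIN, and reports whether WinRE is enabled. It assumes the built-in BitLocker module and reagentc.exe, an elevated session, and English reagentc output.

```powershell
# Added audit script (not part of the original article). Run elevated on the endpoint.
# Protector types that demand something beyond the TPM before the OS volume unlocks.
$PreBootProtectors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

function Get-BitLockerPreBootPosture {
    # One object per volume: TpmOnly = $true means a bare TPM protector with no PIN/startup key.
    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm  = $types -contains 'Tpm'
        $hasAuth = [bool]($types | Where-Object { $PreBootProtectors -contains $_ })
        $tpmOnly = $hasTpm -and -not $hasAuth
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = $tpmOnly
            Finding          = if ($tpmOnly) { 'TPM-only unlock: add a TPM+PIN protector' } else { 'OK' }
        }
    }
}

function Get-PreBootPinPolicy {
    # Values written by the "Require additional authentication at startup" GPO.
    # Assumption: UseTPMPIN = 1 means "Require startup PIN with TPM".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return 'Policy not configured' }
    $p = Get-ItemProperty -Path $key
    if ($p.UseAdvancedStartup -eq 1 -and $p.UseTPMPIN -eq 1) { 'PIN required' }
    elseif ($p.UseAdvancedStartup -eq 1) { 'Advanced startup enabled, PIN not required' }
    else { 'Advanced startup not enabled' }
}

function Get-WinREStatus {
    # reagentc /info prints a "Windows RE status:" line (wording assumed English).
    $line = (& reagentc.exe /info 2>&1) | Where-Object { $_ -match 'Windows RE status' } | Select-Object -First 1
    if ($line -match 'Enabled') { 'Enabled' } elseif ($line -match 'Disabled') { 'Disabled' } else { 'Unknown' }
}

$posture = Get-BitLockerPreBootPosture
$posture | Format-Table -AutoSize
"Pre-boot PIN policy : $(Get-PreBootPinPolicy)"
"WinRE status        : $(Get-WinREStatus)"
if ($posture | Where-Object TpmOnly) {
    Write-Warning 'At least one volume relies on TPM-only unlock; enforce TPM+PIN per the actions above.'
}
```

Run it across a fleet through your management tooling and treat any TpmOnly volume as decryptable by a party with physical or WinRE access until a patch ships.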