Is Windows 11 No Longer Safe? Here's How a Hacker Bypassed BitLocker in a Few Steps
The researcher known as Chaotic Eclipse (or Nightmare Eclipse on GitHub) has once again shaken Redmond's security by publishing proof-of-concept code for two unresolved zero-day vulnerabilities. The spotlight is especially on YellowKey, a BitLocker bypass that affects Windows 11 and Windows Server 2022/2025, alongside GreenPlasma, a local privilege escalation (LPE) exploit. This move follows the release of BlueHammer and RedSun, confirming an aggressive "leaking" strategy driven by frustration over how Microsoft handles security reports.
YellowKey is described as a sort of backdoor built into the Windows Recovery Environment (WinRE), the component used to repair system boot issues. The attack requires placing specially crafted "FsTx" files on a USB drive or directly in the EFI partition. Once the PC is rebooted into WinRE, the exploit opens a command shell simply by holding down the CTRL key. The result is unrestricted access to the BitLocker-protected volume: the disk already shows as unlocked if the configuration uses only the TPM (Trusted Platform Module) chip for authentication.
A technical analysis by independent experts such as Will Dormann, cited by BleepingComputer, clarified how the attack works: YellowKey abuses NTFS transactions in combination with the Windows recovery image. During boot into WinRE, the system looks for the directory "\System Volume Information\FsTx" on every connected drive in order to replay any pending NTFS transaction logs. This replay results in the deletion of the file "X:\Windows\System32\winpeshl.ini", causing the recovery environment to launch an instance of CMD.EXE directly instead of the normal diagnostic tools, thereby leaving data accessible in plaintext. It should be noted that the current public version of YellowKey does not work on drives removed and connected to other PCs (since the keys remain bound to the TPM of the original computer), but it allows anyone with physical access to the machine to bypass encryption without credentials.
As for GreenPlasma, the flaw resides in the CTFMON service and allows the creation of memory section objects within directories writable by SYSTEM. A malicious user can manipulate these objects to induce privileged drivers or services to trust normally inaccessible paths, ultimately gaining a shell with maximum system privileges. Although the released PoC is incomplete, the author claims that a proper implementation could lead to total compromise of the host. Kevin Beaumont, a prominent security researcher, has confirmed the validity of YellowKey and suggests that the current mitigation is to use a PIN for BitLocker and a password in the BIOS, although Chaotic Eclipse claims to possess a variant of the exploit capable of bypassing even TPM+PIN protection.
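Since the bypass as described only unlocks volumes that rely on the TPM alone, the practical first step for a defender is to audit which machines are still in that configuration. The following PowerShell script is an added example written for this article, not code from the researcher or from Microsoft; it uses the built-in BitLocker module and reagentc.exe, and assumes the standard KeyProtectorType values (Tpm, TpmPin, TpmPinStartupKey) reported by Get-BitLockerVolume.

```powershell
# Added example (not from the article): flag BitLocker OS volumes protected by the
# TPM alone, and report whether WinRE is enabled on this host, since the attack as
# described requires rebooting into it. Run from an elevated prompt.
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerPreBootPosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; compare by name (assumed standard values).
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)

        $posture = if ($vol.VolumeStatus -ne 'FullyEncrypted') { 'NotFullyEncrypted' }
                   elseif ($vol.VolumeType -eq 'OperatingSystem' -and $tpmOnly) { 'TpmOnly-Review' }
                   elseif ($hasPin) { 'TpmPin' }
                   else { 'Other' }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            VolumeStatus = $vol.VolumeStatus
            Protectors   = ($types -join ', ')
            Posture      = $posture
        }
    }
}

function Get-WinREState {
    # reagentc /info prints a "Windows RE status: Enabled|Disabled" line.
    $info = & reagentc.exe /info 2>&1
    $line = $info | Where-Object { $_ -match 'Windows RE status' }
    if ($line -match 'Enabled') { 'Enabled' }
    elseif ($line -match 'Disabled') { 'Disabled' }
    else { 'Unknown' }
}

Get-BitLockerPreBootPosture | Format-Table -AutoSize
"WinRE status: $(Get-WinREState)"
```

Volumes reported as TpmOnly-Review are the ones matching the configuration the article says YellowKey unlocks without credentials; adding a PIN protector changes them to TpmPin.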
Microsoft told the outlet that it is working to investigate the reports and update vulnerable devices, reiterating the importance of the Coordinated Vulnerability Disclosure process. However, the atmosphere remains tense: the researcher has already criticized the company for quietly fixing RedSun without assigning a CVE identifier and has promised a "big surprise" to coincide with the upcoming Patch Tuesday in June.