
On 13 May 2026, one day after Microsoft's May Patch Tuesday, an anonymous security researcher using the handle Nightmare-Eclipse published a working proof-of-concept exploit that bypasses BitLocker full-volume encryption on Windows 11. The exploit, codenamed YellowKey, needs no credentials and no network access, only physical access to the machine, and according to the researcher it works even when TPM+PIN protection is enabled.

Alongside YellowKey, the same researcher released GreenPlasma, a separate privilege escalation vulnerability in the Windows Collaborative Translation Framework monitor (ctfmon.exe). Together they are one of the most significant endpoint security events of 2026 so far.

TL;DR

  • YellowKey is an unpatched zero-day that bypasses BitLocker encryption on Windows 11 and Windows Server 2022/2025 by abusing NTFS transaction log replay in the Windows Recovery Environment.
  • The attack requires physical access and a USB drive — no credentials needed, and TPM+PIN does not fully prevent exploitation.
  • GreenPlasma is a companion privilege escalation targeting CTFMON (ctfmon.exe) that can elevate unprivileged users to SYSTEM.
  • Microsoft has not yet assigned CVE numbers or released patches — organisations must harden endpoints now using layered defences.
  • Full-disk encryption is necessary but not sufficient. Defence-in-depth with BIOS passwords, WinRE hardening, and endpoint detection is essential.

How YellowKey Works: The Technical Breakdown

YellowKey targets a subtle but devastating flaw in how the Windows Recovery Environment (WinRE) handles NTFS transaction logs. As security researcher Will Dormann explained: “Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:).”

Here is the attack chain:

  1. Prepare a USB drive with specially crafted FsTx (NTFS transaction) files in a \System Volume Information\FsTx directory.
  2. Insert the USB into a BitLocker-protected Windows 11 machine.
  3. Reboot into WinRE. During the recovery boot process, Windows replays the NTFS transaction logs from the USB drive — crucially, against files on a different volume.
  4. The replayed transaction deletes winpeshl.ini from the running recovery environment (the X: drive in Dormann's description). This file tells WinRE which program to launch on start-up.
  5. Without winpeshl.ini, the WinRE shell launcher falls back to cmd.exe: a full command prompt, with the BitLocker-protected OS volume already unlocked and mounted by the recovery environment.

The elegance — and the danger — lies in step three. A transaction log from one volume should never be able to modify files on another. This cross-volume replay is, as Dormann noted, “a vulnerability itself.”

The researcher went further, describing YellowKey as “one of the most insane discoveries I ever found” and alleging that the behaviour could be intentional. According to the researcher, the vulnerable component exists only in the official WinRE image; the equivalent component in standard Windows installation images does not exhibit the behaviour. Whether this is a deliberate backdoor or an extraordinary oversight remains unverified, but the distinction matters less than the practical reality: the exploit works, and it is public.

GreenPlasma: The Privilege Escalation Companion

Released alongside YellowKey, GreenPlasma targets ctfmon.exe, the Collaborative Translation Framework monitor that is present in every interactive Windows session. The vulnerability lets an unprivileged user create arbitrary section objects inside directories that should be writable only by SYSTEM, potentially enabling manipulation of privileged services or kernel drivers to reach SYSTEM-level access.

The released proof-of-concept is incomplete, but the implication is clear: an attacker with initial low-privilege access to a Windows 11 or Server 2022/2025 system could chain GreenPlasma with other techniques for full system compromise.

What Makes This Different

BitLocker bypasses are not new — researchers have demonstrated cold boot attacks, DMA attacks, and TPM sniffing over the years. But YellowKey stands apart for several reasons:

  • Low complexity. The attack requires only a USB drive with specific files. No soldering, no expensive hardware, no firmware modification.
  • TPM+PIN is not sufficient. The researcher states that the exploit also works with TPM and PIN protection enabled, although that variant of the PoC has not been released publicly, so the claim has not yet been independently verified.
  • Public PoC. Unlike many zero-days that circulate in private markets, the full proof-of-concept is freely available.
  • No patch available. Microsoft has acknowledged the report but has not assigned CVE numbers or released fixes. The next Patch Tuesday is June 2026 — and the researcher has promised additional disclosures to coincide with it.

Who Is at Risk

Any organisation running Windows 11 or Windows Server 2022/2025 with BitLocker as their primary data-at-rest protection. That includes:

  • Development teams whose laptops contain source code, API keys, and production credentials.
  • Enterprises relying solely on BitLocker for compliance with data protection regulations (GDPR, HIPAA, PCI DSS).
  • Remote workers whose devices may be lost, stolen, or left unattended in shared spaces.
  • Managed service providers deploying Windows endpoints at scale with standard BitLocker policies.

The physical access requirement limits the attack surface to scenarios like device theft, insider threats, border crossings, and supply chain interception. But for regulated industries and teams handling sensitive intellectual property, these are precisely the scenarios BitLocker is supposed to protect against.

What Your Team Should Do Right Now

1. Set a BIOS/UEFI Password

Security researcher Kevin Beaumont confirmed that a BIOS password is an effective mitigation, as it prevents attackers from booting from USB or entering WinRE without authentication. This is the single most impactful step you can take today. Note, however, that the attack chain above does not boot from the USB drive; it boots the machine's own recovery environment with the drive merely present, so pair the firmware password with the WinRE controls in step 2 rather than relying on it alone.

2. Disable or Harden WinRE

If your organisation does not rely on the Windows Recovery Environment for support workflows, consider disabling it entirely with reagentc /disable (check the current state with reagentc /info). If you do need it, audit the WinRE image to confirm winpeshl.ini is present and unmodified, bearing in mind that the attack deletes the file at runtime, so a clean on-disk image is a baseline to compare against, not a preventive control in itself.

3. Restrict USB Boot

Configure UEFI settings to prevent booting from external media. Combine this with Secure Boot enforcement to limit the attack surface.
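As an added example (not code from the article or from either researcher), the following PowerShell script, run from an elevated prompt on the endpoint, reports the state relevant to steps 1 to 3: whether WinRE is enabled, whether each BitLocker volume is protected and whether the OS volume relies on a TPM-only protector, and whether Secure Boot is on. It assumes English-language reagentc output, and it lists the firmware password and USB-boot restriction as items to verify manually because the script does not attempt to read firmware settings.

```powershell
# Added example (not from the article): read-only audit of the controls in steps 1-3.
# Run from an elevated PowerShell prompt on the endpoint. Assumes English-language
# reagentc output; the "FINDING" wording is this script's own, not Microsoft guidance.
#Requires -RunAsAdministrator

function Get-WinReStatus {
    # reagentc has no cmdlet equivalent, so parse its text output.
    $info = (& reagentc.exe /info 2>&1) -join "`n"
    $status   = if ($info -match 'Windows RE status:\s+(\w+)')   { $Matches[1] } else { 'Unknown' }
    $location = if ($info -match 'Windows RE location:\s+(\S+)') { $Matches[1] } else { 'n/a' }
    [pscustomobject]@{ Status = $status; Location = $location }
}

function Get-BitLockerPosture {
    # One row per volume; TpmOnly is true when a TPM protector exists but no TPM+PIN variant does.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = [string]$vol.VolumeType
            Protection = [string]$vol.ProtectionStatus
            Protectors = ($types -join ',')
            TpmOnly    = ($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -like 'TpmPin*' })
        }
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines and when not elevated.
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'Unsupported or unreadable' }
}

$winre      = Get-WinReStatus
$volumes    = @(Get-BitLockerPosture)
$secureBoot = Get-SecureBootState

$findings = @()
if ($winre.Status -eq 'Enabled') {
    $findings += "WinRE is enabled at $($winre.Location); run 'reagentc /disable' if your support workflow does not need it."
}
foreach ($v in $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
    if ($v.Protection -ne 'On') {
        $findings += "OS volume $($v.MountPoint): BitLocker protection is $($v.Protection)."
    }
    if ($v.TpmOnly) {
        # Adding a PIN requires the 'Require additional authentication at startup' policy to allow TPM+PIN.
        $findings += "OS volume $($v.MountPoint): TPM-only protector; add a PIN with 'manage-bde -protectors -add $($v.MountPoint) -TPMAndPIN'."
    }
}
if ($secureBoot -ne 'Enabled') { $findings += "Secure Boot is $secureBoot." }
# Firmware setup password and external-media boot are not read here; check them in firmware setup.
$findings += 'Verify manually: firmware (BIOS/UEFI) password set and boot from external media disabled.'

$volumes  | Format-Table MountPoint, VolumeType, Protection, Protectors, TpmOnly -AutoSize
$findings | ForEach-Object { "FINDING: $_" }
```

The TPM-only check is the one that maps directly onto the article's point: a TPM-only protector is exactly the configuration in which WinRE unlocks the OS volume with no user interaction. A TPM+PIN protector raises the bar even if, as the researcher claims, it does not close the hole entirely.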

4. Layer Your Encryption

BitLocker should not be your only line of defence. Consider additional file-level or container-level encryption for sensitive assets such as source code repositories, credential stores and database backups. Tools like VeraCrypt, age, or LUKS (for dual-boot Linux environments) add an independent encryption layer that an unlocked OS volume does not expose, so a WinRE command prompt alone does not yield the plaintext.

5. Review Your Endpoint Detection

No EDR agent runs inside WinRE, so detection of a YellowKey-style attack is indirect and after the fact. Make sure your EDR or SIEM collects the host evidence that does exist: USB storage devices arriving while a machine is locked or idle, a shutdown or reboot shortly afterwards, unexplained boot gaps, and changes to the recovery configuration. Treat the sequence "USB arrival, then reboot, then a device that was out of contact" as worth a closer look.
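An added example, not from the article: a PowerShell hunt over the local event logs for the host-side pattern described above. Because nothing runs inside WinRE, the evidence is indirect: a USB storage device arriving (Kernel-PnP configuration log, events 400 and 410), followed within a short window by a clean shutdown (Kernel-General event 13) or a dirty reboot recorded at the next start (Kernel-Power event 41). The 30-minute window and 14-day look-back are this script's own choices, and it reports candidates for triage, not confirmed attacks.

```powershell
# Added example (not from the article): after-the-fact hunt for "USB storage arrived,
# then the machine went down" on a single host. Window and look-back are arbitrary choices.

function Get-UsbStorageArrivals {
    param([datetime]$Since)
    # Kernel-PnP configuration log: 400 = device configured, 410 = device started.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Kernel-PnP/Configuration'; Id = 400, 410; StartTime = $Since
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match 'USBSTOR\\' } |      # storage class only, not hubs or HID
      Select-Object TimeCreated, Id, @{ n = 'Device'; e = { ($_.Message -split '\r?\n')[0] } }
}

function Get-PowerBoundaries {
    param([datetime]$Since)
    # System log: Kernel-General 12 = OS started, 13 = OS shutting down;
    # Kernel-Power 41 = rebooted without a clean shutdown (power cut, reset button).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12, 13, 41; StartTime = $Since } -ErrorAction SilentlyContinue |
      Where-Object { $_.ProviderName -in 'Microsoft-Windows-Kernel-General', 'Microsoft-Windows-Kernel-Power' } |
      Select-Object TimeCreated, Id, ProviderName
}

function Find-UsbThenReboot {
    param(
        [datetime]$Since = (Get-Date).AddDays(-14),
        [int]$WindowMinutes = 30
    )
    $usb   = @(Get-UsbStorageArrivals -Since $Since)
    $power = @(Get-PowerBoundaries  -Since $Since)
    foreach ($u in $usb) {
        # First shutdown (13) or dirty-reboot marker (41) after the arrival, inside the window.
        $stop = $power |
            Where-Object { $_.Id -in 13, 41 -and
                           $_.TimeCreated -gt $u.TimeCreated -and
                           $_.TimeCreated -le $u.TimeCreated.AddMinutes($WindowMinutes) } |
            Sort-Object TimeCreated | Select-Object -First 1
        if ($stop) {
            [pscustomobject]@{
                UsbArrived   = $u.TimeCreated
                Device       = $u.Device
                PowerEvent   = "$($stop.Id) ($($stop.ProviderName))"
                PowerEventAt = $stop.TimeCreated
                MinutesGap   = [math]::Round(($stop.TimeCreated - $u.TimeCreated).TotalMinutes, 1)
            }
        }
    }
}

Find-UsbThenReboot | Sort-Object UsbArrived | Format-Table -AutoSize
```

Run it with `Find-UsbThenReboot -WindowMinutes 10` to tighten the correlation, or feed the same two event classes into your SIEM and apply the join there across the fleet. A hit on a developer laptop that was "lost for an afternoon" is the case that deserves a disk image rather than a reboot.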

6. Audit Your Compliance Posture

If your data protection compliance relies on BitLocker as a technical control, document the compensating controls you have in place. Regulators and auditors will want to see that you are aware of the vulnerability and have mitigated it, not just that you have encryption enabled.

The Bigger Picture: Defence-in-Depth Is Not Optional

YellowKey is a stark reminder that no single security control is sufficient. Full-disk encryption is essential — but it is one layer in a stack that should include BIOS authentication, Secure Boot, EDR, device management, and physical security policies.

For development teams in particular, the stakes are high. A stolen developer laptop with access to production infrastructure, CI/CD pipelines, and cloud credentials is a breach waiting to happen — whether or not the disk is encrypted.

At REPTILEHAUS, we work with development teams and businesses across Dublin and beyond to build security into every layer of their technology stack — from DevSecOps pipelines and infrastructure hardening to endpoint security policies and incident response planning. If this story has you rethinking your security posture, get in touch. We would rather help you prepare than help you recover.

What Comes Next

Nightmare-Eclipse has promised further disclosures timed to June 2026 Patch Tuesday. Microsoft’s response — both in terms of patching speed and how they address the cross-volume NTFS transaction replay behaviour — will be closely watched by the security community.

In the meantime, the proof-of-concept is public, the vulnerability is unpatched, and every Windows 11 device with BitLocker is potentially affected. Act accordingly.

📷 Photo by FlyD on Unsplash