BitLocker has a new backdoor.

YellowKey is public and unpatched. You are probably vulnerable.

A security researcher with a grudge against Microsoft has been dropping unpatched Windows exploits like clockwork. This week's drop is YellowKey - a BitLocker bypass with working proof-of-concept code, no patch, and no CVE. It's already being shared on GitHub.

What's the actual problem?

YellowKey lets an attacker with physical access bypass BitLocker encryption entirely, in minutes. They need a USB stick, a specific folder structure, and the ability to reboot your machine.

At present, only Windows 11, Windows Server 2022, and Windows Server 2025 are understood to be affected; Windows 10 is not. The exploit leverages the Windows Recovery Environment, specifically the way it processes NTFS transaction logs, behaviour that is intended to aid device recovery.

The highest-risk devices are those running TPM-only BitLocker - the default configuration for most corporate Windows deployments, where the drive unlocks automatically at boot without a PIN.

Why act now when there's no patch?

Because waiting for Microsoft isn't really a strategy anymore. When this same researcher dropped the BlueHammer exploit earlier this year, it was being actively exploited within four days of publication. The PoC for YellowKey is already public; the code is on GitHub.

What to actually do

The fix is not all that appetising, but it is effective - enforce a BitLocker startup PIN across your fleet. A strong startup PIN stops the known attack.

Beyond that:

  • Audit how many endpoints are running TPM-only BitLocker right now - this is likely the bulk of any modern corporate fleet.

  • Set a BIOS password and restrict changes to the boot order - this prevents booting from unauthorised media.

  • Consider restricting access to the Windows Recovery Environment - weigh the operational impact first, as recovery workflows depend on it.
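The audit in the first bullet, as an added PowerShell example (not code from the original post): it uses the BitLocker module's Get-BitLockerVolume to flag volumes protected by the TPM alone, and reads the FVE policy registry values to report whether a startup PIN is required by policy. The function names are ours, and the meaning of the UseAdvancedStartup and UseTPMPIN values is assumed from Microsoft's BitLocker policy settings; run it elevated on each endpoint or through your management tooling.

```powershell
# Added audit example (not from the original post). Classifies each local
# BitLocker volume by its key protectors so TPM-only volumes, the configuration
# the post flags as highest risk, can be listed and counted across a fleet.
# Requires the BitLocker PowerShell module and an elevated prompt.
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Protectors that require something beyond the TPM before the key is released
        $hasPin  = [bool]($types -match '^TpmPin')       # TpmPin or TpmPinStartupKey
        $hasKey  = $types -contains 'TpmStartupKey'
        $tpmOnly = ($types -contains 'Tpm') -and -not ($hasPin -or $hasKey)

        if ($vol.VolumeStatus -eq 'FullyDecrypted') { $finding = 'Not encrypted' }
        elseif ($tpmOnly)                            { $finding = 'TPM-only: add a startup PIN' }
        else                                         { $finding = 'OK' }

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = [bool]$tpmOnly
            Finding          = $finding
        }
    }
}

# Policy check: does "Require additional authentication at startup" mandate a PIN?
# Assumed value meanings: UseAdvancedStartup=1 enables the policy;
# UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow.
function Test-StartupPinPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.UseAdvancedStartup -eq 1) -and ($p.UseTPMPIN -eq 1)
}

# Usage: list TPM-only volumes on this host and report the policy state
Get-BitLockerProtectorAudit | Where-Object TpmOnly | Format-Table -AutoSize
"Startup PIN required by policy: $(Test-StartupPinPolicy)"
```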

For Australian organisations under the Essential 8, this sits squarely in your encryption and endpoint hardening controls. It's worth a conversation before Microsoft gets around to patching it.

Not sure where to start? That's what we're here for.
