milliways-infosec/YellowKey
5
0
Fork 0
mirror of https://github.com/Nightmare-Eclipse/YellowKey.git synced 2026-05-16 10:40:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
YellowKey Bitlocker Bypass Vulnerability mirror
4 commits 1 branch 0 tags 72 KiB
Find a file
0scar07 db677548c4
Updated README
2026-05-15 20:15:38 -05:00
FsTx/95F62703B343F111A92A005056975458 Add files via upload 2026-05-12 19:23:00 +02:00
LICENSE Initial commit 2026-05-12 17:54:59 +02:00
README.md Updated README 2026-05-15 20:15:38 -05:00
shell.png Add files via upload 2026-05-12 19:23:00 +02:00

README.md

YellowKey

YellowKey Bitlocker Bypass Vulnerability

Platform Target Status Affected

Been a while since I saw a BitLocker bypass around, my turn.

This is one of the most insane discoveries I ever found, almost feels like a backdoor but what do you know, maybe I'm just insane.

Affected Systems

  • Windows 11
  • Windows Server 2022
  • Windows Server 2025

Windows 10 does NOT appear to be affected.

How To Reproduce

1. Copy FsTx

Copy the FsTx folder to:

YourUSBStick:\System Volume Information\FsTx

Use a Windows-compatible filesystem:

  • NTFS (recommended)
  • FAT32
  • exFAT

Funny thing is, the vulnerability is extremely convenient, you don't even need an external storage device.

You can literally:

  • Pull the disk out
  • Copy the files into the EFI partition
  • Put the disk back

…and it will still work.

That's how bad it is.

2. Plug The USB Device

Insert the USB stick into the target Windows machine with BitLocker enabled.

3. Reboot Into WinRE

Hold SHIFT and click the Restart button using your mouse.

This boots the system into Windows Recovery Environment.

4. Trigger The Vulnerability

Once you click restart:

  • Release SHIFT
  • Hold CTRL
  • DO NOT release it

5. Enjoy The Shell

If everything was done correctly, a shell will spawn with unrestricted access to the BitLocker protected volume.

Demonstration

shell

Why Does This Feel Like A Backdoor?

The component responsible for this bug:

  • Is not present anywhere publicly
  • Does not appear on the internet
  • Exists only inside the WinRE image

What makes this even more suspicious is that the exact same component also exists in normal Windows installations with the exact same name — except without the functionality that triggers the BitLocker bypass.

Why?

I genuinely can't come up with an explanation besides the possibility that this behavior was intentional.

Even stranger:

  • Only Windows 11 is affected
  • Server 2022/2025 are affected
  • Windows 10 is completely unaffected

Special Thanks

Huge thanks to:

  • MORSE
  • MSTIC
  • Microsoft GHOST

For making this public disclosure possible ;)