A security researcher operating under the names Chaotic Eclipse and Nightmare Eclipse released proof-of-concept exploit code on May 13, 2026, for an unpatched Windows vulnerability that bypasses BitLocker encryption on Windows 11 and Windows Server 2022/2025. The exploit, named YellowKey, uses crafted files on removable media to access encrypted drives through the Windows Recovery Environment. The researcher alleges the vulnerability functions as an intentional backdoor built by Microsoft.
YellowKey Exploit Bypasses BitLocker Through Windows Recovery Environment
The YellowKey vulnerability affects Windows 11 and Windows Server 2022/2025 systems with BitLocker encryption enabled. The exploit process involves:
- Copying specially crafted "FsTx" files onto a USB drive or the EFI partition
- Plugging the USB drive into the target Windows computer with BitLocker protections enabled
- Rebooting into Windows Recovery Environment (WinRE)
- Holding down the CTRL key to trigger a command shell, which opens with the protected disk accessible
The vulnerability relies on Windows Recovery Environment, the built-in mode used to troubleshoot boot problems. The PoC uses crafted FsTx files on removable media and abuses recovery boot behavior to open a command shell with access to encrypted drives.
Researcher Claims Evidence of Intentional Backdoor
The researcher described YellowKey as "one of the most insane discoveries I ever found," arguing that the BitLocker bypass functions as an intentional backdoor. The researcher's reasoning rests on the claim that the component triggering the issue is present only in the official WinRE image.
According to the disclosure, the same component exists in standard Windows installation images but does not exhibit the BitLocker-bypassing behavior observed on live systems. This discrepancy led to speculation that Microsoft may have intentionally built this functionality into the recovery environment.
Second Vulnerability Disclosed Simultaneously
Alongside YellowKey, the researcher disclosed a second unpatched vulnerability dubbed GreenPlasma—a Windows privilege escalation flaw affecting the CTFMON framework on Windows 11 and Windows Server 2022/2026. This represents at least the second round of Microsoft zero-day disclosures from this individual, who has been described as "disgruntled" in media coverage.
As of the disclosure date, both vulnerabilities remain unpatched. Microsoft has not issued a fix or official response. The story generated significant discussion on Hacker News, accumulating 86 points and 37 comments as of May 17, 2026.
Key Takeaways
- A security researcher released a proof-of-concept exploit on May 13, 2026, for an unpatched BitLocker bypass affecting Windows 11 and Windows Server 2022/2025
- The YellowKey exploit uses crafted files on USB drives to access encrypted drives through Windows Recovery Environment
- The researcher claims the vulnerability functions as an intentional backdoor based on its presence only in official WinRE images
- A second vulnerability, GreenPlasma, provides privilege escalation through the CTFMON framework
- Both vulnerabilities remain unpatched with no official Microsoft response as of the disclosure date