Recently, a security researcher publicly released proof-of-concept (PoC) exploits for a Windows BitLocker bypass vulnerability, alongside another related privilege escalation flaw. This researcher, known as Chaotic Eclipse, has a history of such disclosures: both BlueHammer (CVE-2026-33825) and RedSun (which Microsoft silently patched without assigning an identifier) were local privilege escalation (LPE) zero-days, exploited in the wild shortly after public disclosure. The researcher's stated motivation, detailed in their GitHub repository, is frustration with Microsoft's bug report handling, which has led to a pattern of leaking exploits for undocumented Windows vulnerabilities.
Of particular note is the Windows BitLocker bypass, dubbed YellowKey, which affects Windows 11, Windows Server 2022, and Windows Server 2025. The second flaw, a privilege escalation vulnerability named GreenPlasma, was described as allowing "Arbitrary Section Creation Elevation of Privileges." Its public PoC remains incomplete.
The Incident: Understanding the Windows BitLocker Bypass
The attack chain for this Windows BitLocker bypass vulnerability is straightforward, assuming physical access to the target machine. An attacker first requires direct physical interaction with the computer, as this is not a remote exploit. The next step involves preparing a USB drive containing specially crafted FsTx files, which are NTFS transaction logs typically found in \System Volume Information\FsTx directories. The researcher's PoC details their creation.
With the crafted USB drive inserted, the attacker reboots the target computer, forcing it into the Windows Recovery Environment (WinRE). This can be achieved via specific key presses or by copying files directly to the EFI partition on the target drive.
The system's design creates a vulnerability here. When WinRE starts, it scans attached drives for FsTx directories and attempts to replay any NTFS logs found. This is a function of Windows' Transactional NTFS (TxF) feature, intended for file system consistency during recovery. The crafted FsTx logs on the USB drive then instruct WinRE to delete X:\Windows\System32\winpeshl.ini on the target BitLocker-protected volume.
This winpeshl.ini file dictates which application WinRE launches at startup. Without it, WinRE defaults to spawning a CMD.EXE prompt. Importantly, because the system is running inside WinRE, the TPM has already released the key and the BitLocker-protected volume is transparently unlocked. The attacker now has an unrestricted command prompt with full access to the supposedly protected drive, requiring no user credentials.
Will Dormann from Tharros Labs confirmed this mechanism. He noted that the FsTx log on the USB can modify files on a separate volume, indicating a deeper issue in how Windows handles cross-volume NTFS transaction replay during recovery. Microsoft has previously indicated plans to deprecate TxF due to its complexity; this exploit highlights the security implications of that complexity.
How a USB Stick Facilitates the Windows BitLocker Bypass
Public discussions often frame this Windows BitLocker bypass vulnerability as a "backdoor." When a core security feature like BitLocker can be bypassed by exploiting a recovery mechanism, it prompts scrutiny regarding design intent versus implementation oversight.
The current PoC operates against TPM-only BitLocker configurations, a common setup where the TPM handles automatic decryption at boot. The exploit leverages this auto-unlock feature. Kevin Beaumont and Will Dormann both recommend using a BitLocker PIN in addition to the TPM, alongside a BIOS password, as a mitigation. This approach is logical: requiring a PIN *before* the TPM decrypts would likely prevent the FsTx manipulation from succeeding.
However, the researcher claims the vulnerability *is* exploitable even in a TPM+PIN environment, though this specific PoC has not been released. The researcher hints, in their disclosure, that "the real root cause is still not unknown [sic] by the general public." If accurate, this suggests an even deeper architectural issue, beyond a flaw in the auto-unlock process. It implies WinRE might, by design, possess a privileged path that bypasses even a user-supplied PIN under specific conditions, representing a significant architectural vulnerability.
The line between a coding error and a design choice is blurry here. WinRE is designed for system recovery, which necessarily means access to the drives it is recovering. The specific way it interacts with BitLocker and TxF, however, gives an attacker an avenue to hijack that recovery process. This is a familiar trade-off: prioritizing operational ease can quietly create security weaknesses.
The "Backdoor" Angle: Design vs. Bug in Windows BitLocker Bypass
It is important to note that this Windows BitLocker bypass vulnerability demands physical access. This means stolen drives, where an attacker only possesses the hardware and cannot boot it into WinRE, are not immediately vulnerable to this specific PoC.
However, any scenario allowing physical interaction with a machine – an unattended laptop, a server in a less-than-secure data center, or a device seized by an adversary – presents a risk. For organizations relying on BitLocker for data-at-rest protection on endpoints, this represents a direct confidentiality breach. If an attacker gains physical access to a machine, they can access its data, even with BitLocker enabled.
The related privilege escalation flaw, GreenPlasma, while incomplete in its public PoC, also points to a wider architectural concern. An unprivileged user creating arbitrary memory-section objects in SYSTEM-writable directories could lead to manipulating privileged services or even kernel-mode drivers. This type of LPE, categorized under MITRE ATT&CK T1068 (Exploitation for Privilege Escalation), often serves as a stepping stone in a larger attack chain, moving from initial access to full system compromise.
The Impact: Who Should Worry About This Windows BitLocker Bypass?
Microsoft's official statement is that they are "committed to investigating reported security issues and updating impacted devices" and that they "support coordinated vulnerability disclosure." This is a standard response, but it does not address the researcher's claim, set out in their public disclosure, that earlier reports were dismissed, which appears to be what is driving these public releases.
For Windows 11, Server 2022, or Server 2025 users relying on BitLocker, immediate practical steps include implementing a BitLocker PIN so that the TPM does not release the key until the PIN is entered, setting a BIOS/UEFI password to prevent unauthorized boot alterations, and reinforcing physical security to prevent direct device interaction. Additionally, users should closely monitor Microsoft's Patch Tuesday releases, especially given the researcher's claims regarding a potential TPM+PIN bypass. Until a fix ships, those configuration and physical-security measures are the practical line of defence.
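The two paragraphs above recommend moving from TPM-only BitLocker (the configuration the released PoC targets) to TPM+PIN. The script below is an added example, not from the article, Microsoft, or the researcher's repository: it audits OS volumes for a bare TPM protector and, with `-Remediate`, sets the local policy that requires a startup PIN and adds a TPM+PIN protector. It assumes an elevated PowerShell session with the built-in BitLocker module and a TPM present.

```powershell
# Added example (not the article's or the researcher's code): find BitLocker OS
# volumes that rely on a bare TPM protector and optionally enforce TPM+PIN.
# Run elevated. Back up the recovery password before changing protectors.
param([switch]$Remediate)

function Get-TpmOnlyBitLockerVolume {
    # One record per OS volume; TpmOnly is $true when auto-unlock works with no PIN.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types  = @($_.KeyProtector.KeyProtectorType)
            $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ', ')
                TpmOnly          = (($types -contains 'Tpm') -and -not $hasPin)
            }
        }
}

function Set-BitLockerTpmPinPolicy {
    # Local equivalent of the "Require additional authentication at startup"
    # policy: enable advanced startup, forbid TPM-only, require TPM + PIN.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'UseAdvancedStartup' -Type DWord -Value 1
    Set-ItemProperty -Path $key -Name 'UseTPM'    -Type DWord -Value 0   # 0 = do not allow TPM-only
    Set-ItemProperty -Path $key -Name 'UseTPMPIN' -Type DWord -Value 2   # 2 = require startup PIN
}

function Add-TpmPinToVolume {
    param([Parameter(Mandatory)][string]$MountPoint)
    $pin = Read-Host -AsSecureString "Startup PIN for $MountPoint"
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    # Remove the bare TPM protector so the volume no longer auto-unlocks without the PIN.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

$exposed = @(Get-TpmOnlyBitLockerVolume | Where-Object { $_.TpmOnly })
if ($exposed.Count -eq 0) { Write-Host 'No TPM-only BitLocker OS volumes found.'; return }
$exposed | Format-Table -AutoSize
if ($Remediate) {
    Set-BitLockerTpmPinPolicy
    $exposed | ForEach-Object { Add-TpmPinToVolume -MountPoint $_.MountPoint }
}
```

Pair this with a BIOS/UEFI password as the article recommends; the script only closes the auto-unlock path, not the boot-order path.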
The situation with the researcher highlights a recurring challenge: when security researchers perceive their findings are not adequately addressed through private channels, public disclosure becomes an alternative, albeit high-risk, strategy. This Windows BitLocker bypass isn't just a simple bug; it's a stark reminder of how system design, if not rigorously scrutinized for security, can create weaknesses that undermine even robust encryption. We need to start viewing WinRE as a potential attack surface, not an inherently trusted component.