Questionable Design Choices in Windows 11 Security
A security researcher known as Chaotic Eclipse (or Nightmare-Eclipse) has discovered a significant flaw in the BitLocker encryption feature of Windows 11. The researcher believes the vulnerability is a deliberate design choice rather than an accidental oversight, noting that the issue affects only Windows 11, Windows Server 2022 and Windows Server 2025, while leaving Windows 10 untouched.
The researcher successfully bypassed the system's security protections using nothing more than a standard USB drive, leading to the creation of the zero-day exploit dubbed "YellowKey."
The Mechanics of the YellowKey Exploit
The vulnerability functions through a surprisingly straightforward process. By gaining write access to the "System Volume Information" folder on a connected USB device and transferring the "FsTx" folder, an attacker can manipulate the system's behavior. If the Control key is held down while the Windows Recovery Environment boots, the system grants the user an elevated command line. This bypasses the need for any encryption keys, effectively unlocking the BitLocker-protected drive.
Commenting on the discovery, Chaotic Eclipse stated: «Just can't come up with an explanation beside the fact that this was intentional. Also for whatever reason, only Windows 11 is affected, Windows 10 is not.» The researcher further emphasized that their decision to publish the findings was motivated by security principles rather than financial gain, stating that their determination to hold Microsoft accountable outweighed potential profits.
Microsoft’s Response and Recommended Mitigations
Microsoft has acknowledged the issue, officially tracking it as CVE-2026-45585. The company expressed concern regarding the public release of the proof-of-concept, which it claims goes against coordinated vulnerability disclosure practices.
While a permanent security patch is under development, Microsoft has provided immediate mitigation steps for users concerned about their data integrity:
- Remove the "autofstx.exe" entry from the Session Manager's "BootExecute" registry key.
- Restore BitLocker trust in the Windows Recovery Environment (WinRE) by following official documentation.
- Switch BitLocker configuration from "TPM-only" mode to "TPM+PIN" mode using PowerShell, the command line, or the Control Panel.
By requiring a pre-boot PIN for drive decryption, the "TPM+PIN" configuration effectively neutralizes the YellowKey exploit, preventing unauthorized access during the boot sequence.
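As an added example (not from the article, from Microsoft, or from the researcher), the following PowerShell audits a host against the mitigations above: it lists the Session Manager's BootExecute entries, flags an autofstx.exe entry, offers a ShouldProcess-guarded removal, and reports which BitLocker OS volumes are still TPM-only rather than TPM+PIN. The function names are my own; the cmdlets, registry path and protector type names are standard Windows ones, and the script assumes an elevated session on a machine with the BitLocker module.

```powershell
# Added example: audit a Windows 11 host against the BootExecute and TPM+PIN mitigations.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-BootExecuteEntries {
    # BootExecute is a REG_MULTI_SZ; each element is one native program smss.exe runs at boot.
    (Get-ItemProperty -Path $SessionManager -Name BootExecute).BootExecute
}

function Test-AutoFsTxEntry {
    # $true when any BootExecute element references autofstx.exe (the entry the article says to remove).
    [bool](Get-BootExecuteEntries | Where-Object { $_ -match 'autofstx' })
}

function Remove-AutoFsTxEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $kept = @(Get-BootExecuteEntries | Where-Object { $_ -notmatch 'autofstx' })
    if ($PSCmdlet.ShouldProcess($SessionManager, "Set BootExecute to: $($kept -join ' | ')")) {
        # Write back only the remaining entries (normally 'autocheck autochk *'), preserving the MULTI_SZ type.
        Set-ItemProperty -Path $SessionManager -Name BootExecute -Value $kept -Type MultiString
    }
}

function Get-BitLockerProtectorReport {
    # One row per OS volume; TpmOnly = $true is the configuration the article says TPM+PIN neutralizes.
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            Protectors = $types -join ','
            TpmOnly    = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        }
    }
}

"BootExecute entries: $((Get-BootExecuteEntries) -join ' | ')"
"autofstx.exe present: $(Test-AutoFsTxEntry)"
Get-BitLockerProtectorReport | Format-Table -AutoSize

# Remediation (run deliberately, not as part of the audit):
#   Remove-AutoFsTxEntry -WhatIf          # preview the new BootExecute value, then rerun without -WhatIf
#   $pin = Read-Host -AsSecureString 'Startup PIN'
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
#   Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId '<ID of the old Tpm protector>'
# Adding a TPM+PIN protector requires the "Require additional authentication at startup" policy to allow a PIN.
```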
