Critical claim about BitLocker: YellowKey vulnerability allegedly exposes encrypted disks

BitLocker, Microsoft's full disk encryption solution offered in Windows, has come to the fore with a new and highly controversial security claim.

A security researcher known by the pseudonyms “Nightmare-Eclipse” or “Chaotic Eclipse” claims that BitLocker-protected drives can be accessed through a vulnerability he calls YellowKey.

Summary in 10 seconds

Security researcher Nightmare-Eclipse claims that, through a vulnerability he calls YellowKey, encrypted disks on BitLocker-protected Windows 11 systems can be accessed without a password or recovery key. The vulnerability is said to be triggered via the Windows Recovery Environment and a USB drive, and may also affect Windows Server 2022 and Windows Server 2025. Although the researcher argues that this may be an intentional backdoor, Microsoft has not yet released any official confirmation or patch.

The researcher claims that the vulnerability can be triggered through the Windows Recovery Environment and that, under certain conditions, the data on the encrypted disk can be accessed without entering the recovery key or password.


According to his statement, YellowKey specifically affects Windows 11, Windows Server 2022 and Windows Server 2025; Windows 10 is said not to exhibit this behavior. YellowKey has drawn attention because of the claim that it bypasses BitLocker protection altogether. Its most striking aspect is that the attack directly targets BitLocker’s full disk encryption logic: under normal circumstances, BitLocker exists precisely to protect data when a device is lost or its disk is moved into another system.

However, according to the researcher’s claim, this vulnerability can allow an attacker with physical access to reach the encrypted volume through the Windows Recovery Environment. The published technical descriptions associate the attack with a USB drive and the Windows Recovery Environment. Some independent researchers are reported to have confirmed the YellowKey behavior. Microsoft, however, has not yet published any security bulletin or fix for the vulnerability.

The researcher argues that YellowKey looks different from an ordinary security bug. Allegedly, the component that triggers the vulnerability exhibits this behavior only in the official WinRE image, and on that basis Nightmare-Eclipse suggests that Microsoft may have deliberately placed a “backdoor” in BitLocker. An important distinction applies here: for now, the term “backdoor” is the researcher’s own interpretation and claim.

Microsoft has made no statement confirming this accusation. In the security world, such claims can be settled only by vendor statements, patch analysis and independent technical review.

The risk of physical access comes to the fore

In the YellowKey scenario, the attacker must gain physical access to the target device. This means the vulnerability can pose a serious risk, especially for corporate devices that are lost, stolen or left unattended.

BitLocker is used in most organizations as a basic security layer to protect data when laptops are lost or stolen. For this reason, the YellowKey claim concerns not only individual users but also the IT teams that manage corporate device fleets. Security experts emphasize that publicly available zero-day exploits sharply shorten the window defenders have to respond, because published PoC material makes it easier for malicious actors to test the vulnerability and adapt it into different attack chains.

The second vulnerability, GreenPlasma, was also published

Nightmare-Eclipse disclosed not only YellowKey but also a second vulnerability called GreenPlasma, which is said to enable privilege escalation on the Windows side. The researcher says he has not published the full code that provides SYSTEM-level access, but that what he released gives enough technical indication of how the vulnerability can be exploited.

According to security sources, GreenPlasma is considered a privilege escalation problem related to CTFMON and the Windows Collaborative Translation Framework. YellowKey thus poses a risk on the data-access side, while GreenPlasma poses a risk on the in-system privilege escalation side. The researcher is known to have had tensions with Microsoft before: Nightmare-Eclipse has publicly disclosed Windows vulnerabilities in the past and has criticized Microsoft’s handling of security reports.

For this reason, the way YellowKey was announced, as well as its technical impact, is a source of controversy.

There is no official statement from Microsoft yet

Microsoft does not currently appear to have released an official security update addressing the YellowKey and GreenPlasma claims. Until it does, the most critical task for system administrators is to reduce the risk of physical access and review BitLocker configurations.

Especially in corporate environments, devices’ access to the recovery environment, boot permissions with external media, BIOS/UEFI security settings, Secure Boot status and BitLocker’s TPM/PIN configuration should be re-evaluated. Rather than relying on disk encryption alone, device security should be addressed in a multi-layered manner. If the YellowKey claim is verified and patched by Microsoft, this vulnerability could be one of BitLocker’s most controversial security issues in recent years.
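As an added, defender-side check that is not part of the original article, the following PowerShell script reads the settings the paragraph lists (BitLocker key protector types, Secure Boot, TPM and WinRE status) and flags an operating system volume that relies on the TPM alone without a PIN. It assumes an elevated session on Windows 11 or Windows Server with the built-in BitLocker, TrustedPlatformModule and SecureBoot modules, and that reagentc prints English output; it changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the article): reports the BitLocker and boot
# settings the article says should be re-evaluated. Read-only.

function Get-BitLockerKeyProtectorSummary {
    # An OS volume should carry a TPM+PIN (or TPM+PIN+startup key) protector rather
    # than TPM-only, so that booting into any environment requires user presence.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $pinBound = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            Volume        = $vol.MountPoint
            VolumeType    = $vol.VolumeType          # OperatingSystem or Data
            Status        = $vol.VolumeStatus
            ProtectionOn  = ($vol.ProtectionStatus -eq 'On')
            Method        = $vol.EncryptionMethod
            Protectors    = ($types -join ',')
            TpmPinPresent = $pinBound                # only meaningful for the OS volume
        }
    }
}

function Get-BootSecurityState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
    $tpm = Get-Tpm
    # reagentc has no object output, so parse its "Windows RE status" line
    # (assumes English output; localized builds print a different label).
    $reLine = (reagentc /info 2>$null) | Select-String -Pattern 'Windows RE status'
    $reStatus = if ($reLine) { ($reLine.Line -split ':\s*', 2)[1].Trim() } else { 'Unknown' }
    [pscustomobject]@{
        SecureBootEnabled = [bool]$secureBoot
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        WinREStatus       = $reStatus
    }
}

Write-Host '== BitLocker volumes =='
Get-BitLockerKeyProtectorSummary | Format-Table -AutoSize
Write-Host '== Boot security =='
$boot = Get-BootSecurityState
$boot | Format-List

# Flag the two conditions the hardening list is most concerned with.
$os = Get-BitLockerKeyProtectorSummary | Where-Object VolumeType -eq 'OperatingSystem'
if ($os -and -not $os.TpmPinPresent) { Write-Warning 'OS volume has no TPM+PIN protector' }
if (-not $boot.SecureBootEnabled)     { Write-Warning 'Secure Boot is not enabled' }
```

The WinRE status line is reported rather than judged, since whether the recovery environment should stay enabled is a policy decision for each fleet.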

However, it is premature at this stage to conclude that “Microsoft put a backdoor in BitLocker.” The current picture points to a serious zero-day claim and a high-stakes security controversy awaiting clarification from the vendor.

Editor’s note

The YellowKey claim reiterates how critical a widely used security layer like BitLocker is in physical-access scenarios. However, the “backdoor” accusation is, for now, the researcher’s interpretation; it is important not to reach any final judgment until Microsoft’s official statement and independent technical analysis are available.

Do you think the YellowKey claim undermines trust in BitLocker, or do such vulnerabilities pose a limited risk because they require physical access? Share your opinions in the comments.
