BitLocker Bypass Found In Latest Series of Windows Vulns

An anonymous security researcher known as Nightmare-Eclipse has published two more Windows zero-day exploits, YellowKey and GreenPlasma, after already publishing three earlier this year.

The researcher did not follow coordinated vulnerability disclosure and instead published the vulnerabilities directly on GitHub, a practice that leaves users exposed to exploitation while the vendor scrambles to fix the issue.

The researcher describes YellowKey, a BitLocker bypass, as "one of the most insane discoveries I ever found."

They go on to speculate that it "almost feels like a backdoor but what do you know, maybe I'm just insane."

According to the write-up, the bypass requires no tooling beyond the published files: copy a folder from the YellowKey GitHub repository onto either an external storage device or directly onto the EFI system partition of the main drive.

Then boot into the Windows Recovery Environment (WinRE) by holding Shift while clicking Restart, hold Ctrl as it boots, and you are presented with a shell that has, in the researcher's words, "unrestricted access to the bitlocker protected volume."

In the researcher's own words: "Now why would I say this is a backdoor? The component that is responsible for this bug is not present anywhere (not even on the internet) except inside the WinRE image, and what raises suspicions is the fact that the exact same component is also present with the exact same name in a normal Windows installation, but without the functionalities that trigger the BitLocker bypass issue. Why? I just can't come up with an explanation besides the fact that this was intentional. Also, for whatever reason, only Windows 11 (plus Server 2022/2025) are affected; Windows 10 is not."

It's bizarre that only more recent versions of Windows are affected.

While the bug does require physical access to the machine, that is still alarming: protecting data at rest against an attacker with physical access is precisely what BitLocker is designed to do.

According to the researcher, the bypass can be mitigated by configuring BitLocker with a TPM plus PIN protector (pre-boot authentication) instead of TPM-only mode. That matches how the protectors work: in TPM-only mode the volume key is released automatically once the measured boot chain checks out, so anything that boots as part of that chain, WinRE included, sees an unlocked volume; with a PIN protector the key is not released until the user enters the PIN.
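The following PowerShell is an added example, not code from the researcher or from Microsoft, for auditing a machine for the TPM-only configuration the article describes and moving the OS volume to TPM+PIN. It uses the BitLocker module that ships with Windows and the standard "Require additional authentication at startup" policy registry values; the function names and the flow (add a recovery password first, then the TPM+PIN protector, then sweep any remaining bare TPM protector) are this example's own choices.

```powershell
# Added example: audit and remediate TPM-only BitLocker on the OS volume.
# Run from an elevated PowerShell session on the affected machine.
#Requires -RunAsAdministrator

function Get-BitLockerProtectorReport {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    # Any of these protector types forces a pre-boot prompt before the key is released.
    $preBoot = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey')
    $hasPreBoot = ($types | Where-Object { $preBoot -contains $_ }).Count -gt 0
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        Protectors          = ($types -join ', ')
        # TPM-only: a bare 'Tpm' protector and nothing that prompts at boot.
        TpmOnly             = ($types -contains 'Tpm') -and -not $hasPreBoot
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

function Enable-TpmPinProtector {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    # Policy side: BitLocker refuses a PIN unless "Require additional
    # authentication at startup" is enabled. UseAdvancedStartup=1 turns the
    # policy on; UseTPMPIN=1 requires a startup PIN (2 would only allow one).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord

    # Always have a recovery password before touching the TPM protector, so a
    # mistyped or forgotten PIN does not strand the machine at the recovery screen.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # If a bare 'Tpm' protector is still listed after the add, remove it so the
    # volume key is no longer released without the PIN.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    Get-BitLockerProtectorReport -MountPoint $MountPoint
}

# Usage: audit first, then remediate if TpmOnly is $true.
$report = Get-BitLockerProtectorReport
$report | Format-List
if ($report.TpmOnly) {
    Enable-TpmPinProtector -Pin (Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN')
}
```

Back up the recovery password that the audit reports (or the one the remediation adds) before rebooting; the minimum PIN length is governed by the MinimumPIN policy value in the same FVE key, and a PIN shorter than that is rejected by Add-BitLockerKeyProtector.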

The second vulnerability, GreenPlasma, is a privilege escalation bug for which the researcher did not release a full proof of concept, leaving it as a "huge challenge for CTF lovers out there."

Previously released exploits include UnDefend, a tool that stops Windows Defender from receiving signature updates, and RedSun, another Windows Defender exploit.

The researcher describes RedSun this way: "When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location." The PoC abuses this behaviour to overwrite system files and gain administrative privileges.

At the time of writing, these exploits remain unfixed, according to The Register.

Make sure to keep your Windows machines updated and locked down as much as possible.
