Security Advisory

The YellowKey BitLocker Bypass and What SMBs Should Do

A physical-access zero-day in the Windows Recovery Environment lets an attacker unlock BitLocker on Windows 11 and Server 2022/2025 with a USB drive. Windows 10 is unaffected. Here is the SMB-scoped threat model and interim mitigation plan while Microsoft develops a patch.

By William Bradshaw | May 18, 2026 | 5 min read

BitLocker is the encryption layer that nearly every SMB with managed Windows endpoints depends on for one specific scenario: the laptop is stolen, the drive is shipped, the disk is pulled and connected to a forensic workstation. If BitLocker is configured correctly, the attacker gets ciphertext and nothing else. That is the contract.

The YellowKey disclosure this week is a finding that the contract is broken in a specific way on Windows 11 and Windows Server 2022/2025. An attacker with physical access (the stolen-laptop scenario, exactly the one BitLocker was designed to defend) can use a specially prepared USB drive to gain command-shell access during the Windows Recovery Environment boot path, with BitLocker already unlocked. The researcher who disclosed it described the mechanism as functioning like a backdoor because the vulnerable component ships in the official WinRE image. Microsoft has not yet released a patch.

What We Know

The disclosure arrived as a series of posts on Hacker News and Bleeping Computer by an anonymous researcher operating under the aliases Chaotic Eclipse and Nightmare-Eclipse, along with a companion zero-day named GreenPlasma. Public proof of concept exists for both.

| Name        | Type                                 | Prerequisites              | Affected                             | Patch Status               |
|-------------|--------------------------------------|----------------------------|--------------------------------------|----------------------------|
| YellowKey   | BitLocker bypass via WinRE           | Physical access, USB drive | Windows 11, Server 2022, Server 2025 | Unpatched                  |
| GreenPlasma | Local privilege escalation (CTFMON)  | Unprivileged local user    | Windows 11, Server 2022, Server 2025 | Unpatched (PoC incomplete) |

Windows 10 is unaffected. The vulnerable component lives in the WinRE image shipped with Windows 11 and Server 2022/2025. Older WinRE images do not contain it.

TPM-only and TPM+PIN both affected (per researcher). The researcher claims that adding a BitLocker PIN does not prevent the YellowKey bypass, because the bypass executes inside WinRE before the PIN prompt would be reached on a normal boot. Microsoft has not publicly disputed this. Practical operators should treat PIN as still beneficial (it stops a wide class of pre-WinRE attacks and is good hygiene), but not as a complete mitigation for this specific bypass until Microsoft confirms otherwise.

Which SMBs This Actually Affects

The attack requires physical access. That is the most important framing for SMB threat modeling: this is not a remote-network-attack scenario. It is the lost-laptop, stolen-laptop, seized-device, hotel-room scenario. If your laptop fleet never leaves the building, the practical exposure is much lower than the headlines suggest. If your laptop fleet is fully mobile (most SMBs in 2026), the exposure is real but bounded.

Higher-risk profiles. Employees who travel with laptops containing customer data, financial records, or regulated content (HIPAA, CJIS, state-agency data). Anyone whose device, if lost, would trigger a breach-notification obligation. Public-sector clients with documented data-protection obligations. We see this profile across our township and fire-district clients in Ohio, where state contracts often specify drive encryption as a baseline control.

Lower-risk profiles. Desktop fleets that never physically leave a controlled office. Servers in locked racks in a colocation facility. Devices that store no sensitive data and would be straightforward to wipe and re-image. For these profiles, the right response is to track Microsoft's patch release and apply it on the normal cycle, not to disrupt operations for an interim mitigation.

Interim Mitigations While Waiting for the Patch

Until Microsoft releases an official fix, the goal is to reduce the window between a lost device and the moment the data on it becomes recoverable. None of these are full mitigations on their own; layered together they make the YellowKey bypass impractical for an opportunistic attacker and slower for a targeted one.

1. Inventory the affected fleet.

   Confirm exactly which devices run Windows 11, Server 2022, or Server 2025 versus Windows 10. The Windows 10 portion of the fleet (if any) is not affected and does not need interim measures. For the affected fleet, prioritize laptops and any device that physically leaves a controlled facility.

2. Tighten lost-device response.

   Shorten the time between "this device is unaccounted for" and "this device is treated as compromised." For SMBs with Microsoft Intune, Entra ID, or a third-party MDM, that means the device-loss policy switches from "wait 24 hours then escalate" to "report immediately and trigger remote wipe within the hour." Most enterprises do this already; many SMBs do not.

3. Restrict USB boot order at the firmware level.

   Set the UEFI boot order to internal disk only, disable USB boot in firmware, and password-protect the firmware-settings menu. This does not stop a determined attacker (who can clear NVRAM with physical board access), but it stops the casual physical-access attempt that simply plugs in a USB and reboots. Roll this out via your MDM if possible; some OEMs expose firmware configuration via Intune.

4. Disable Windows Recovery Environment on high-risk devices.

   Microsoft documents how to disable WinRE on a per-device basis with reagentc /disable. This removes the recovery path entirely, which is the route YellowKey uses. The cost is that legitimate recovery operations (rolling back a bad update, rebuilding from a system image) now require boot media rather than the in-OS recovery option. For laptops carrying regulated data, that trade-off is usually correct. Document the change so future incident responders know WinRE is intentionally disabled.

5. Keep TPM+PIN enabled if you already have it.

   The researcher claims TPM+PIN does not block YellowKey, and we take that claim seriously. We still recommend keeping PIN enabled, because it remains the right control for the broader population of pre-WinRE physical-access attacks (cold-boot, DMA, evil-maid). Removing PIN to "match the unaffected configuration" would weaken posture against attacks BitLocker still does defend against.

6. Watch the Microsoft Security Response Center (MSRC) advisories.

   Microsoft's official patch will likely arrive via the regular monthly Patch Tuesday cycle (next window: 2026-06-10) or as an out-of-band fix if pressure builds. Subscribe to MSRC advisories directly rather than relying on third-party reporting. When the patch ships, apply it as a priority across the affected fleet and confirm WinRE is updated on each device.
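The script below is an added example, not part of this advisory and not Microsoft tooling; it turns steps 1 and 4 of the checklist into one per-endpoint inventory row (OS, BitLocker protector types, WinRE state). It assumes it runs elevated on each endpoint (for example, pushed through Intune or another MDM), that the BitLocker PowerShell module is present, that reagentc reports in English, and that the CSV path is a placeholder you would change.

```powershell
# Added example: per-endpoint inventory for the YellowKey interim checklist
# (steps 1 and 4). Runs elevated; report-only unless -DisableWinRE is given.
[CmdletBinding()]
param(
    # Assumed output location; point it at your MDM/RMM collection path.
    [string]$OutFile = "$env:ProgramData\yellowkey-inventory.csv",
    [switch]$DisableWinRE
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
# The advisory scopes the bypass to Windows 11, Server 2022 and Server 2025;
# Windows 10 is unaffected, so classify by product caption.
$affected = [bool]($os.Caption -match 'Windows 11|Server 2022|Server 2025')

# BitLocker state of the OS volume and which key protectors it carries.
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($blv) {
    $blState    = [string]$blv.ProtectionStatus
    $protectors = ($blv.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ';'
} else {
    $blState    = 'NotAvailable'
    $protectors = 'n/a'
}
# TpmPin is reported so admins keep PIN enabled (step 5) rather than remove it.
$hasPin = [bool]($protectors -match 'TpmPin')

# WinRE status as printed by "reagentc /info" ("Windows RE status: Enabled|Disabled").
$reInfo = (& reagentc.exe /info 2>&1) -join "`n"
$winRE  = if ($reInfo -match 'Windows RE status:\s+(\w+)') { $Matches[1] } else { 'Unknown' }

# Step 4: disable the recovery path only on affected devices and only on request,
# so the change is deliberate and shows up in the inventory for future responders.
$action = 'none'
if ($affected -and $DisableWinRE -and $winRE -eq 'Enabled') {
    & reagentc.exe /disable | Out-Null
    $action = if ($LASTEXITCODE -eq 0) { 'winre-disabled' } else { "reagentc-failed:$LASTEXITCODE" }
}

[pscustomobject]@{
    Host       = $env:COMPUTERNAME
    OS         = $os.Caption
    Build      = $os.BuildNumber
    Affected   = $affected
    BitLocker  = $blState
    Protectors = $protectors
    TpmPin     = $hasPin
    WinRE      = $winRE
    Action     = $action
    Checked    = (Get-Date).ToString('s')
} | Export-Csv -Path $OutFile -NoTypeInformation -Append
```

Run it first without -DisableWinRE to build the inventory, then re-run with the switch only against the devices you have decided should lose the in-OS recovery path.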

A Note on GreenPlasma

The companion zero-day GreenPlasma is a Windows Collaborative Translation Framework (CTFMON) flaw that lets an unprivileged local user create section objects in directory paths normally reserved for SYSTEM. The released proof of concept is incomplete and does not yet achieve a full SYSTEM shell, but the primitive is real and would chain naturally with another local-user foothold to reach privileged code.

For practical SMB purposes, GreenPlasma is a lower priority than YellowKey: it requires an unprivileged local account on the box (so an attacker has already gotten past every other control), and the PoC is not yet weaponized. Track it for the same Microsoft patch wave. Endpoint detection and response (EDR) tools with behavioral analytics around object creation in SYSTEM-owned directories are likely to flag exploitation attempts before damage occurs.

Need a Second Opinion on Your Endpoint Posture?

For SMBs with regulated data on mobile devices, an endpoint posture review is usually the right next step. Bullium has helped state-agency and township clients close the gap between "BitLocker is on" and "we know exactly what would happen if a laptop walks out the door." That distinction matters more this month than most.