The newly disclosed BitLocker bypass, known as YellowKey, is a serious reminder that disk encryption is only as strong as the full boot and recovery chain around it. The reported issue abuses Windows Recovery Environment behavior to open a command shell while the protected drive is still unlocked, giving access to data on TPM-only BitLocker systems without user credentials. That makes physical access, recovery partitions, USB boot behavior, BIOS settings, and boot-chain hardening extremely important, not optional “IT housekeeping.”

Organizations should review BitLocker configurations immediately, especially systems relying only on TPM auto-unlock. Until Microsoft releases a fix, enterprises should consider stronger pre-boot controls such as BitLocker PINs where appropriate, BIOS/UEFI passwords, restricting external boot, securing WinRE access, and monitoring for unusual local privilege activity. Encryption is not magic dust sprinkled over a laptop; if the recovery environment can be abused, the attacker may not need to “break” encryption at all. They simply walk through the door the system kindly opened for them.

A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. [...]

Source: Windows BitLocker zero-day gives access to protected drives, PoC released via Bleeping Computer — published 13 May 2026.