{"id":17203,"date":"2026-05-13T09:29:16","date_gmt":"2026-05-13T16:29:16","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=17203"},"modified":"2026-05-13T09:30:21","modified_gmt":"2026-05-13T16:30:21","slug":"microsoft-bitlocker-protected-drives-can-now-be-opened-with-just-some-files-on-a-usb-stick-apparent-backdoor","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/05\/13\/microsoft-bitlocker-protected-drives-can-now-be-opened-with-just-some-files-on-a-usb-stick-apparent-backdoor\/","title":{"rendered":"Microsoft Bitlocker-Protected Drives Can Now Be Opened With Just Some Files on a USB Stick \u2014 Apparent Backdoor"},"content":{"rendered":"\n

I believe these exploits are there on purpose and not patched, as they can be used by intelligence to get into systems. We’ve already learned law enforcement can subpoena the unlock key from Microsoft in criminal prosecutions. Suffices to say, don’t depend on Microsoft and their drive encryption scheme if you need to protect data. This is also why Android and iOS devices can be broken into with commercial products sold to law enforcement and governments with their encryption defeated as well… The only secure option at the moment is a Graphene OS phone, and why Google is working to sideline the project<\/a>,.. <\/p>\n\n\n\n

https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/microsoft-bitlocker-protected-drives-can-now-be-opened-with-just-some-files-on-a-usb-stick-yellowkey-zero-day-exploit-demonstrates-an-apparent-backdoor<\/a><\/p>\n\n\n

<\/div><\/div><\/div>\n\n\n

By Bruno Ferreira <\/p>\n\n\n\n

Also, it’s a twofer with the GreenPlasma zero-day local privilege escalation.<\/p>\n\n\n\n

\"Falling
(Image credit: Getty Images)<\/figcaption><\/figure>\n\n\n\n

There’s nothing more dangerous than a bored engineer with a screwdriver, and hell hath no fury like a security<\/a> researcher scorned. Last month, Security researcher Chaotic Eclipse<\/a> (aka Nightmare-Eclipse<\/a>) published two zero-day exploits, BlueHammer<\/a> and RedSun<\/a>, that made Windows Defender offer up system administrator privileges. They did this after their disclosure reports were allegedly dismissed<\/a> by Microsoft’s security team, resulting in a vendetta of sorts. Eclipse has now done it again, posting two new zero-day exploits, the first one an extremely serious BitLocker exploit named Yellow Key that grants full access to a locked drive. The second one, GreenPlasma, doesn’t have a complete proof-of-concept (PoC), but it allegedly performs a local privilege escalation and gains system-level access. Given Eclipse’s track record, it’s a fair bet that it works as advertised.<\/p>\n\n\n\n

YellowKey can be triggered simply by merely copying some files to a USB stick and rebooting to the Windows Recovery Environment. We tested this ourselves, and sure enough, not only does it work, it bears all the hallmarks of a backdoor, down to the exploit’s files disappearing from the USB stick after it’s used once.<\/p>\n\n\n\n

The process is dead simple: grab any USB stick, get write access to the “System Volume Information,” and copy into it the “FsTx” folder and its contents. Shift+click Restart to get Windows to the recovery environment, but then switch to holding down the Control key and don’t let go. The machine will reboot, and without asking any questions or showing any menus, will drop you in an elevated command line with full access to the formerly Bitlocked drive, without asking for any keys. You may like<\/p>\n\n\n\n

\"YellowKey
Look ma, no keys! (Image credit: Future)<\/figcaption><\/figure>\n\n\n\n

To say that this is dangerous is an understatement. Not only is it an immediate concern as BitLocker cannot be trusted for encrypting drives, but the way the exploit executes and its files disappear also raises very uncomfortable corporate and\/or political questions. YellowKey also reportedly<\/a> works in Windows Server 2022 and 2025, but not in Windows 10.<\/a><\/p>\n\n\n\n

BitLocker protects millions of machines worldwide across home, enterprises, and governments, especially as it’s enabled by default in Windows 11<\/a>. As far as we can tell, a drive can’t be taken from machine Alice and opened in machine Bob because the encryption keys are in Alice’s TPM, but it’s not hard to just up and steal a laptop, mini-PC, or even desktop.<\/p>\n\n\n\n

Eclipse notes<\/a> that using a full TPM-and-PIN setup doesn’t help, as apparently, they have a variant for that scenario that they haven’t published a PoC for. They also state the vulnerability is well-hidden, and that they “could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft<\/a>.”<\/p>\n\n\n\n

As for GreenPlasma, it’s supposed to get an attacker full system-level access (even higher than administrator) by manipulating the CTFMon process into placing a crafted memory section object \u2014 a slice of memory that can be shared between processes or mapped to a file \u2014 in any Windows’ Object Manager section the SYSTEM user has write access to, bypassing regular access controls.<\/p>\n\n\n\n

From thereon, the exploit code can get access to regions of memory they’re not meant to and leverage that for any number of shenanigans, the most obvious one being getting full system access. This is bad enough for a desktop system, as any program can get full access, but it’s particularly bad for server environments, where any regular user can get control of the server and, by extension, everyone else’s data.<\/p>\n\n\n\n

Meanwhile, as of this writing, there is no official response from the company about YellowKey or GreenPlasma. BlueHammer has already been patched, and Chaotic claims that Microsoft silently patched RedSun, but there’s no official word on that either.<\/p>\n","protected":false},"excerpt":{"rendered":"

I believe these exploits are there on purpose and not patched, as they can be used by intelligence to get into systems. We’ve already learned law enforcement can subpoena the unlock key from Microsoft in criminal prosecutions. Suffices to say, don’t depend on Microsoft and their drive encryption scheme if you need to protect data. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-17203","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=17203"}],"version-history":[{"count":2,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17203\/revisions"}],"predecessor-version":[{"id":17205,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17203\/revisions\/17205"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=17203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=17203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=17203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}