The YellowKey Vulnerability
Microsoft has released a mitigation for a newly disclosed BitLocker bypass vulnerability known as YellowKey. The security feature bypass, which carries a moderate severity score, affects multiple versions of Windows 11 and Windows Server 2025. The flaw was publicly disclosed last week by a security researcher, breaking coordinated vulnerability disclosure practices.
The exploit involves placing specially crafted files on a USB drive or EFI partition. An attacker with physical access can plug the USB drive into a target Windows computer with BitLocker protections enabled, reboot into the Windows Recovery Environment, and trigger an unrestricted shell by holding down the CTRL key. This shell then provides full access to the encrypted volume.
Impact and Mitigation Steps
Successful exploitation could allow an attacker to circumvent BitLocker Device Encryption and access sensitive data on the system storage device. The attack does not require software installation, existing credentials, or network access. Any machine with a USB port that can be rebooted is potentially vulnerable.
To mitigate the risk, Microsoft recommends mounting the Windows Recovery Environment (WinRE) image on each device and applying the specific updates to that image, since the fix must reach the recovery environment rather than only the running operating system. Organizations are advised to prioritize patching systems in physically accessible environments, such as kiosks or public terminals, where the attack vector is most viable.
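One way to carry out that WinRE servicing procedure on a single device, as an added PowerShell example that is not from the article or from Microsoft; it assumes an elevated session, and the update package path is a placeholder because the page does not name the update:

```powershell
# Added example (not the article's or Microsoft's own script): apply an update to the
# offline WinRE image so the mitigation lands in the recovery environment itself.
# Assumptions: run as Administrator; $PackagePath is the package Microsoft specifies
# for this issue (placeholder, not on the page); C:\mount\winre is a scratch directory.
$ErrorActionPreference = 'Stop'
$PackagePath = 'C:\updates\<WINRE-UPDATE-PACKAGE-FROM-MICROSOFT>.cab'   # placeholder
$MountDir    = 'C:\mount\winre'
$WinReWim    = 'C:\Windows\System32\Recovery\Winre.wim'

# 1. Record the current WinRE state, then disable WinRE; reagentc /disable moves
#    winre.wim from the recovery partition to the OS volume so it can be serviced.
reagentc /info
reagentc /disable
if ($LASTEXITCODE -ne 0) { throw "reagentc /disable failed with exit code $LASTEXITCODE" }
if (-not (Test-Path $WinReWim)) { throw "winre.wim not found at $WinReWim" }

# 2. Mount the image, add the package, list what is now installed, then commit.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
try {
    Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath | Out-Null
    # Check: the package must show as Installed in the offline image before saving.
    Get-WindowsPackage -Path $MountDir |
        Where-Object { $_.PackageState -eq 'Installed' } |
        Select-Object PackageName, ReleaseType, InstallTime |
        Format-Table -AutoSize
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Never commit a half-serviced recovery image; discard and surface the error.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}

# 3. Re-enable WinRE and confirm it is registered again (status should read Enabled).
reagentc /enable
if ($LASTEXITCODE -ne 0) { throw "reagentc /enable failed with exit code $LASTEXITCODE" }
reagentc /info
```

Re-run `reagentc /info` after the next reboot as well, since a WinRE that shows Disabled leaves the device without a recovery environment at all rather than with a patched one.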
Source: The Hacker News
