A rogue security researcher operating as Nightmare-Eclipse has publicly disclosed six Microsoft Windows zero-day exploits since early April 2026, forcing Microsoft into a series of rapid mitigation releases. The most recent, dubbed YellowKey (CVE-2026-45585), is a BitLocker security feature bypass: rated only CVSS 6.8, but in practice it gives an attacker with physical access unrestricted access to encrypted drives. CISA has already added at least one of Nightmare-Eclipse's earlier disclosures to its Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation of at least one vulnerability in the series.

What Happened

In early April 2026, a researcher operating under the aliases Nightmare-Eclipse, Chaotic Eclipse, and Dead Eclipse began publicly disclosing Microsoft Windows zero-day vulnerabilities. The disclosures include several privilege escalation flaws alongside the more recently publicized BitLocker bypass. The campaign is reportedly fueled by a personal grievance against Microsoft: Nightmare-Eclipse claims the company violated an agreement and "left me homeless with nothing," as Barracuda detailed on May 19, 2026.

May 2026 saw the public unveiling of YellowKey (CVE-2026-45585), alongside other disclosures named GreenPlasma and MiniPlasma. Microsoft responded quickly, releasing a mitigation for YellowKey on May 20, 2026, as The Hacker News reported. Publishing a proof-of-concept (PoC) for YellowKey before a comprehensive patch was available departs from coordinated vulnerability disclosure norms, security researchers noted.

Why It Matters

The YellowKey vulnerability lets an attacker with physical access to a device gain unrestricted access to BitLocker-encrypted drives. The cipher itself is not broken; the protection BitLocker places around the volume is bypassed. LevelBlue researchers stated that YellowKey "can enable any attacker with physical access and a USB device to take down BitLocker's encryption and gain unfettered access to encrypted laptops in no time." Sensitive data on lost or stolen laptops, usually assumed safe because of BitLocker, is directly exposed.

The risk extends to any organization relying on BitLocker for data-at-rest protection, particularly those with remote or hybrid workforces. The NVD entry lists Windows 11 24H2, 25H2 and 26H1 and Windows Server 2025 as affected; organizations running Windows 10 or Windows Server 2016-2022 should confirm their exposure against Microsoft's advisory rather than assume either way. CISA's addition of one of Nightmare-Eclipse's earlier disclosures to its Known Exploited Vulnerabilities (KEV) catalog shows these are not theoretical: at least one is being exploited in the wild. That demands immediate attention to Microsoft's mitigations and patching schedules, because once an attacker has the device in hand, the confidentiality of its data cannot be assumed.

NVD advisory — CVE-2026-45585

Technical Breakdown

YellowKey (CVE-2026-45585) is a BitLocker security feature bypass with a CVSS score of 6.8 (Medium). NVD lists Windows 11 versions 26H1, 24H2, and 25H2 for x64-based systems and Windows Server 2025 as affected. The attack chain requires physical access to the target device.

Here's how it works: the attacker places specially crafted FsTx files on a USB drive or an EFI partition and plugs the drive into a BitLocker-protected Windows machine. The system is rebooted into the Windows Recovery Environment (WinRE); holding the CTRL key at a specific point in the recovery sequence opens a shell with unrestricted access to the encrypted volume. The exploit abuses what the disclosure calls a "behavioral trust assumption in the recovery interface" to obtain that access. No credentials, PIN, or TPM tampering is required, which is what makes it so straightforward.

Think of BitLocker as a locked vault and WinRE as the vault's emergency maintenance door. The flaw isn't in the vault's lock; it's in a faulty "Do Not Disturb" sign on the emergency door. One seemingly innocuous action (holding CTRL) rips the sign down, and the recovery environment, assuming it must be servicing a legitimate recovery, hands over elevated access without any further verification.

In the MITRE ATT&CK framework this maps most closely to T1068 Exploitation for Privilege Escalation, since it elevates an attacker from mere physical access to full control of the system and its data. Patch the vulnerable systems and harden WinRE. Endpoint detection and response tools such as CrowdStrike Falcon cannot observe the pre-boot phase itself, since no agent is running yet, but they can surface the aftermath: unexpected reboots into WinRE, or unusual process activity once the OS is back up.

This vulnerability directly subverts NIST SP 800-53 control AC-3 Access Enforcement, which requires systems to enforce approved authorizations for access to resources, and undercuts SC-28 Protection of Information at Rest, the control BitLocker is typically deployed to satisfy. Either stronger enforcement in the recovery path or removal of the underlying flaw is required.

Historical Context

Bypassing disk encryption through pre-boot weaknesses is not new. The 2008 "Cold Boot Attack" (Halderman et al.) let attackers with physical access recover disk encryption keys from DRAM, whose contents decay slowly after power loss, by rebooting into a minimal memory-dumping environment. Both require physical access and target data at rest, but the mechanisms differ: Cold Boot relied on key remanence in volatile memory, while YellowKey exploits a logical flaw in the recovery environment's trust model. YellowKey also needs no specialized hardware or tight timing, which arguably makes it easier to execute than Cold Boot.

Data at a Glance

Metric                   Value                                Source
CVSS score               6.8 (Medium)                         NVD
Zero-days disclosed      6                                    Barracuda
Mitigation release       May 20, 2026                         The Hacker News
Affected Windows 11      3 releases (24H2, 25H2, 26H1)        NVD
KEV catalog additions    At least 1                           CISA
Attack type              BitLocker bypass (physical access)   LevelBlue
[Chart: key metrics for "Nightmare-Eclipse Unleashes Barrage of Windows Zero-Days"; data from the sources cited above]

The CVEDaily Take

Public disclosure of zero-days with PoCs before patches are widely available forces organizations into a reactive scramble, especially for high-impact flaws like this BitLocker bypass. It highlights the tension between researcher ethics and vendor responsibility, amplified here by a personal vendetta. We believe organizations need to treat physical-access attacks as a tangible risk, not a theoretical one, particularly for devices that live outside the corporate perimeter. Has your team revised its physical security controls and incident response plans for lost or stolen devices since this incident?

FAQ

Q: Does YellowKey (CVE-2026-45585) require administrative credentials or a TPM bypass?
A: No. The YellowKey exploit requires no administrative credentials, PIN, or TPM bypass; it leverages a "behavioral trust assumption" in the Windows Recovery Environment (WinRE) once an attacker has physical access.

Q: Which Windows versions are affected by YellowKey?
A: Per the NVD entry, YellowKey (CVE-2026-45585) affects Windows 11 versions 26H1, 24H2, and 25H2 for x64-based systems and Windows Server 2025. Windows 10 and Windows Server 2016-2022 are not listed; whether they share the vulnerable WinRE component has not been confirmed by the sources cited here, so treat the NVD list as authoritative and verify against Microsoft's advisory.

Q: How can we mitigate the risk of YellowKey and similar physical access BitLocker bypasses?
A: Apply Microsoft's mitigation of May 20, 2026, as soon as possible. Beyond patching, enforce strict physical security for devices, especially laptops that travel. Where policy allows, require pre-boot authentication (TPM + PIN or a startup key) so that a TPM-only configuration is not the only gate; the sources do not say whether this blocks the YellowKey chain specifically, but it raises the bar for every physical-access attack. Audit and harden your WinRE configuration. Keep regular backups (for example with Veeam or Acronis), but understand what they buy you: backups address availability after a device is lost, not the confidentiality of the data already on it.
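The audit below is an added example, not code from the article, Microsoft, or the researcher, that turns the "patch, harden WinRE, check pre-boot authentication" guidance from the Technical Breakdown and this FAQ into a check a desktop team can run on a fleet. It reads the OS release, the WinRE status and the BitLocker key-protector configuration, and flags hosts whose release matches the affected list the article cites from NVD. Two assumptions are this example's own: the affected-release list is copied from the article, and flagging a TPM-only OS volume reflects general hardening practice, not a claim from the sources that TPM + PIN defeats this chain. The sources give no fixed build numbers, so the script reports the build and leaves the "is the May 20 mitigation installed" judgement to the operator. Run it in an elevated PowerShell session.

```powershell
# Added audit example (not from the article or Microsoft). Run elevated.
# Reports OS release, WinRE status and BitLocker posture, and flags hosts on
# the Windows 11 / Server 2025 release list the article cites from NVD.

# Windows 11 releases NVD lists as affected, per the article (assumption: copied as-is).
$AffectedWin11Releases = @('24H2', '25H2', '26H1')

function Get-OsRelease {
    # Win32_OperatingSystem.Caption names Windows 11 / Server 2025 correctly;
    # the registry ProductName value still reads "Windows 10" on Windows 11 hosts.
    $os = Get-CimInstance Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Caption        = $os.Caption
        DisplayVersion = $cv.DisplayVersion                          # e.g. 24H2
        Build          = "$($cv.CurrentBuildNumber).$($cv.UBR)"     # e.g. 26100.1234
    }
}

function Get-WinReStatus {
    # reagentc.exe is the supported way to query WinRE; parse its "Key: Value" lines.
    # Without elevation reagentc prints an error instead, which yields Enabled = $false.
    $status = @{}
    foreach ($line in (& reagentc.exe /info 2>&1)) {
        if ("$line" -match '^\s*([^:]+?):\s+(.+)$') {
            $status[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    [pscustomobject]@{
        Enabled  = ($status['Windows RE status'] -eq 'Enabled')
        Location = $status['Windows RE location']
    }
}

function Get-BitLockerPosture {
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = "$($_.VolumeType)"
            ProtectionStatus = "$($_.ProtectionStatus)"
            EncryptionMethod = "$($_.EncryptionMethod)"
            KeyProtectors    = ($types -join ',')
            # TPM-only unlocks with no user interaction when the boot chain measures
            # as expected; TPM+PIN or a startup key adds a factor the attacker must
            # supply. Hardening assumption of this example, not a claim from the sources.
            PreBootAuth      = [bool]($types -match '^(TpmPin|TpmStartupKey|TpmPinStartupKey|Password)$')
        }
    }
}

function Invoke-YellowKeyPostureAudit {
    $os    = Get-OsRelease
    $re    = Get-WinReStatus
    $vols  = @(Get-BitLockerPosture)
    $osVol = $vols | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1

    $findings = New-Object System.Collections.Generic.List[string]
    if ($os.Caption -match 'Windows 11' -and $AffectedWin11Releases -contains $os.DisplayVersion) {
        $findings.Add("Windows 11 $($os.DisplayVersion) (build $($os.Build)) is on the NVD affected list; confirm the May 20, 2026 mitigation is installed (Get-HotFix).")
    }
    if ($os.Caption -match 'Server 2025') {
        $findings.Add("Windows Server 2025 (build $($os.Build)) is on the NVD affected list; confirm the mitigation is installed.")
    }
    if ($re.Enabled) {
        $findings.Add("WinRE is enabled at '$($re.Location)'; apply Microsoft's WinRE hardening guidance.")
    }
    if (-not $osVol) {
        $findings.Add('No BitLocker OS volume found; the system drive is not protected.')
    } else {
        if ($osVol.ProtectionStatus -ne 'On') {
            $findings.Add("BitLocker protection is '$($osVol.ProtectionStatus)' on $($osVol.MountPoint).")
        }
        if (-not $osVol.PreBootAuth) {
            $findings.Add("OS volume $($osVol.MountPoint) has no pre-boot authenticator (protectors: $($osVol.KeyProtectors)); consider TPM+PIN per policy.")
        }
    }

    [pscustomobject]@{ Os = $os; WinRe = $re; Volumes = $vols; Findings = $findings }
}

$report = Invoke-YellowKeyPostureAudit
$report.Os    | Format-List
$report.WinRe | Format-List
$report.Volumes | Format-Table MountPoint, VolumeType, ProtectionStatus, EncryptionMethod, KeyProtectors, PreBootAuth -AutoSize
if ($report.Findings.Count) { $report.Findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings.' }
```

The script only reads state; it does not disable WinRE or change protectors, because both are policy decisions with recovery consequences. Wrap `Invoke-YellowKeyPostureAudit` in `Invoke-Command` across a fleet and export `$report.Findings` to collect the hosts that need the mitigation or a pre-boot authenticator.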