A security researcher says Microsoft secretly built a backdoor into BitLocker, releases an exploit to prove it

Alfonso Maruccia

Posts: 2,581   +971
Staff
The Epitome of WTF: A researcher known as "Nightmare-Eclipse" recently released YellowKey, a security vulnerability that allegedly enables a full bypass of BitLocker's full-volume encryption. The researcher described YellowKey as one of the most "insane" flaws they have ever encountered and has also accused Microsoft of potentially embedding a legitimate backdoor in BitLocker's data protection system.

According to the researcher, YellowKey appears unusual for a previously unknown security bug. Nightmare-Eclipse explained that the flaw can be reproduced by copying an attached "FsTx" folder to a USB drive formatted with a Windows-compatible file system such as NTFS, FAT32, or exFAT.

Update (May 20): Microsoft has released an out-of-band mitigation for the so-called BitLocker "YellowKey" backdoor, tracked as CVE-2026-45585. The company says the flaw could allow attackers with physical access to bypass BitLocker protections under certain conditions, though it stops short of describing the issue as an intentional backdoor.

The vulnerability may also work without a USB drive if the FsTx files are copied to the Windows EFI partition and the encrypted disk is temporarily disconnected from the system. After placing the FsTx folder, an attacker would need to reboot a BitLocker-protected machine, enter the Windows Recovery Environment, and follow a specific sequence of inputs.

If the procedure is completed correctly, a command shell reportedly appears, granting unrestricted access to BitLocker-protected volumes. No passwords are required, and the encrypted data may become fully accessible for browsing, copying, and other file operations.

Nightmare-Eclipse believes that YellowKey's vulnerability could reasonably be considered a backdoor intentionally introduced into BitLocker by Microsoft. Their reasoning is that the component triggering the issue can only be found in the official WinRE image. The same component is also present in standard Windows installation images, but it does not exhibit the BitLocker-bypassing behavior observed on live systems.

The researcher explained that they "just can't come up with an explanation beside the fact that this was intentional. Also for whatever reason, only windows 11 (+Server 2022/2025) are affect, windows 10 is not."

Third-party researchers have reportedly confirmed that YellowKey behaves as described by Nightmare-Eclipse in public GitHub materials. In addition, the researcher released a second exploit, GreenPlasma, which is said to enable privilege escalation. They did not publish full proof-of-concept code for achieving SYSTEM-level access, instead suggesting they may disclose further details ahead of next month's Patch Tuesday.

Nightmare-Eclipse is known for targeting Microsoft and the company's alleged hostility toward external security researchers. Previously operating under the alias "Chaotic Eclipse," they released Red Sun and other vulnerabilities with public proof-of-concept code, while accusing Microsoft of damaging their career and reputation.

As for YellowKey's alleged backdoor behavior, mitigation is relatively straightforward. Security professionals generally recommend avoiding reliance on any single encryption system and instead evaluating well-reviewed full-disk encryption alternatives such as VeraCrypt.

Permalink to story:

 
Indeed, "Nightmare-Eclipse", previously operating under the alias "Chaotic Eclipse," is the most-trustworthiest-ever possible source. How could anyone doubt his "research", especially in the complete absence of any verifiable procedure to test it?

There are way too many instances of "reportedly", "allegedly", "may" etc. to take this seriously.
 
Huh. Always thought it was too easy to bypass bitlocker at work!

Indeed, "Nightmare-Eclipse", previously operating under the alias "Chaotic Eclipse," is the most-trustworthiest-ever possible source. How could anyone doubt his "research", especially in the complete absence of any verifiable procedure to test it?

There are way too many instances of "reportedly", "allegedly", "may" etc. to take this seriously.

Those words are specifically used to avoid culpability. Either way, semantic critique doesn't void the veracity of this bombshell whatsoever.
 
Huh. Always thought it was too easy to bypass bitlocker at work!



Those words are specifically used to avoid culpability. Either way, semantic critique doesn't void the veracity of this bombshell whatsoever.
semantic critique, seriously?
What exactly is the "bombshell"? Some guy with a preposterous infantile 'alias' claiming something?
 
Every time someone claims they found an intentional Microsoft backdoor, there are two equally loud crowds: one yelling this proves everything, and another yelling this is just undocumented legacy code from 2008 that nobody wants to touch.
 
Think about it. "apps/software" makes money for the companies that produce it.
Selling data makes A TON of money for the companies. You don't think for one
minute there isn't "backdoors" in 99.99% of the software? Especially the free
apps?
 
Indeed, "Nightmare-Eclipse", previously operating under the alias "Chaotic Eclipse," is the most-trustworthiest-ever possible source. How could anyone doubt his "research", especially in the complete absence of any verifiable procedure to test it?

There are way too many instances of "reportedly", "allegedly", "may" etc. to take this seriously.
The files and instructions are on GitHub....anyone is free to test it themselves.
 
Think about it. "apps/software" makes money for the companies that produce it.
Selling data makes A TON of money for the companies. You don't think for one
minute there isn't "backdoors" in 99.99% of the software? Especially the free
apps?
Well not 99 percent of programs. Just the corporate ones for sure. Which are usually the most used by the masses
 
Indeed, "Nightmare-Eclipse", previously operating under the alias "Chaotic Eclipse," is the most-trustworthiest-ever possible source. How could anyone doubt his "research", especially in the complete absence of any verifiable procedure to test it?

There are way too many instances of "reportedly", "allegedly", "may" etc. to take this seriously.
You bring up a good point! You not liking his alias def means he's wrong.
 
I'm not suprised if it is a genuine backdoor.

This and the fact that BitLocker destroys performance should be enough for anyone to stop using it. It's genuinely only an inconvenience at this point.
 
semantic critique, seriously?
What exactly is the "bombshell"? Some guy with a preposterous infantile 'alias' claiming something?
Yes, crying about the type of language used is a semantic argument.

The "bombshell", which you would know if you actually read the article, is that there is a claim that Bitlocker has built in backdoors, and he has released a tool to exploit this to demonstrate he is correct. If he is correct, it would destroy any claims to Bitlocker's security and anyone using it will need to look for non compromised solutions.
 
Every time someone claims they found an intentional Microsoft backdoor, there are two equally loud crowds: one yelling this proves everything, and another yelling this is just undocumented legacy code from 2008 that nobody wants to touch.
And a third one saying switch to Linux.... here I am ! Switch to Linux, guys, corporation is our enemy. Micro$oft doesn't care about people. Linux is FOSS it really belongs to us.
 
And a third one saying switch to Linux.... here I am ! Switch to Linux, guys, corporation is our enemy. Micro$oft doesn't care about people. Linux is FOSS it really belongs to us.

Corporation is our enemy, no doubt, but switching to Linux doesn't mean one won't be subject to vulnerabilities. One can just as easily switch to another encryption system on Windows. FOSS is not without ideology and control either.
 
I am not interested in this topic, but there is also hardware encryption, who needs protection can purchase something like that. You need to read the Internet and choose something reliable.
 
I'm not suprised if it is a genuine backdoor.

This and the fact that BitLocker destroys performance should be enough for anyone to stop using it. It's genuinely only an inconvenience at this point.

Lets say if I sell my PC, with a formatted drive, you'd still be able to retrieve the information that was on it at first hand. Lets say you stole my laptop, or got a hold of my external drive. The idea of bitlocker integrated was that it would made it 100x difficult to obtain my files vs the previous and ancient windows that had no encryption at all.

But people need to understand that Microsoft is no fighter in privacy, as it's heavily building in telemetry over the years, profiling users, forcing edge, bing, co-pilot and all that other stuff, and it gladly complies with goverment or official requests.

If they where to develop a bitlocker that really would have locked the thing without them getting access to it, MS would be having (legal) issues sooner or later.


 
Huh. Always thought it was too easy to bypass bitlocker at work!



Those words are specifically used to avoid culpability. Either way, semantic critique doesn't void the veracity of this bombshell whatsoever.
I once updated windows and bitlocker was disabled by some error upon reboot, my drives were wide open. :((
 
A backdoor into a Microsoft service? NOOO! Say it ain't so! _rolls_eyes_

Seriously, a lot of people called this one years ago. Who's surprised by this? Anyone?
 
Corporation is our enemy, no doubt, but switching to Linux doesn't mean one won't be subject to vulnerabilities. One can just as easily switch to another encryption system on Windows. FOSS is not without ideology and control either.
But I can guarantee you you wouldn't find one like 'put this specifically named folder on a usb stick, and these utilities exibit different behavior letting you bypass encryption.' It'd get noticed and called out almost immediately.
 
But I can guarantee you you wouldn't find one like 'put this specifically named folder on a usb stick, and these utilities exibit different behavior letting you bypass encryption.' It'd get noticed and called out almost immediately.
Fair enough. In a case like this, if this was intentional, I would ascribe it to incompetence, a poor decision, and a poor implementation, rather than malice. Only Microsoft can come up with things like this.

The culture of criticism that enthusiasts direct towards Microsoft is excellent; if Redmond makes one wrong move, people make a din (rightly so). As we've seen of late, it's working. From what I see of the Linux community, people are more diffident to criticise out of fear of being slammed, that so and so is not actually a problem, etc.
 
Indeed, "Nightmare-Eclipse", previously operating under the alias "Chaotic Eclipse," is the most-trustworthiest-ever possible source. How could anyone doubt his "research", especially in the complete absence of any verifiable procedure to test it?

There are way too many instances of "reportedly", "allegedly", "may" etc. to take this seriously.
You can test it yourself... just look for YellowKey in Github
 
Back