Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
Briefly

"YellowKey affects Windows 11 and Windows Server 2022/2025. At a high level, it involves copying specially crafted 'FsTx' files on a USB drive or the EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into WinRE, and triggering a shell by holding down the CTRL key."
"YellowKey as 'one of the most insane discoveries I ever found,' likening the BitLocker bypass to functioning as a backdoor, as the bug is present only in the Windows Recovery Environment (WinRE), a built-in framework designed to troubleshoot and repair common unbootable operating system issues."
"I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden," the researcher explained. "Second thing is, no, TPM+PIN does not help, the issue is still exploitable regardless."
"I was able to reproduce [YellowKey] with a USB drive attached," adding, "it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment."
Two additional Windows zero-days were disclosed, including a BitLocker bypass and a privilege escalation affecting the Windows Collaborative Translation Framework (CTFMON). The BitLocker bypass, YellowKey, exists only in the Windows Recovery Environment and affects Windows 11 and Windows Server 2022/2025. The process involves copying specially crafted FsTx files onto a USB drive or the EFI partition, booting the target with BitLocker enabled into WinRE, and triggering a shell by holding the CTRL key. TPM+PIN does not prevent exploitation. A separate vulnerability, GreenPlasma, enables privilege escalation through CTFMON. Reproduction reports indicate Transactional NTFS behavior on a USB drive can delete winpeshl.ini on another drive and yield a cmd.exe prompt with BitLocker unlocked.
Read at The Hacker News