
YellowKnight Unlocks BitLocker: Zero-Day Exploit Exposes Windows 11 Encryption Flaw

Published: 2026-05-19 00:19:39 | Category: Cybersecurity

A new zero-day exploit known as YellowKnight has surfaced, targeting the default BitLocker configuration on Windows 11. According to the write-up, an attacker with physical access to a device can unlock the encrypted drive in seconds, bypassing the standard protections. The exploit, published by the researcher Nightmare-Eclipse, uses a specially crafted folder named FsTx to manipulate file transactions and trick the system into releasing the volume decryption key that the Trusted Platform Module (TPM) normally guards. The finding matters for organizations that rely on BitLocker for compliance. Below, we answer key questions about this exploit and its implications.

What Is the YellowKnight Exploit?

YellowKnight is a zero-day exploit that circumvents default BitLocker protections on Windows 11 when an attacker has physical access. Published by the researcher Nightmare-Eclipse, it is reported to unlock encrypted drives reliably within seconds. Unlike many exploits that require remote access, this one requires the attacker to be at the machine, plugging in a USB device or booting from custom media. It targets the way BitLocker interacts with the TPM, the hardware security chip that protects the decryption key. In the default TPM-only configuration the TPM releases that key automatically at boot whenever the measured boot chain looks unchanged; no user secret is involved at any point. By creating a specially crafted FsTx folder that leverages Transactional NTFS, the exploit tricks Windows into exposing the key and grants full access to the drive's contents. This is a serious threat for anyone relying on the default BitLocker configuration as their sole encryption control.

YellowKnight Unlocks BitLocker: Zero-Day Exploit Exposes Windows 11 Encryption Flaw
Source: feeds.arstechnica.com

How Does the FsTx Folder Enable the Attack?

The core of YellowKnight is a custom folder named FsTx. The write-up links the name to fstx.dll, a component associated with Transactional NTFS (TxF), a feature that lets a set of file operations be performed atomically: changes across multiple files either all succeed or all fail. Microsoft has deprecated TxF since Windows 8, but the feature still ships with Windows. The exploit uses this folder to manipulate the system's file transactions. When the attacker boots a Windows 11 device from a specially prepared USB drive, the FsTx folder triggers a sequence in which Windows mistakenly exposes the TPM-protected decryption key; the transactional machinery is subverted into revealing a secret it should keep sealed. This is not a simple bug but a precise manipulation of file system internals, which makes it hard for standard defenses to catch. The exploit works only because the default BitLocker setup adds no user authentication at boot, such as a PIN or a startup key, so nothing stands between an attacker holding the hardware and the key release.

Who Is Affected by This Exploit?

This exploit primarily affects Windows 11 systems using default BitLocker settings, meaning encryption is enabled without additional authentication such as a startup PIN or a separate USB startup key. Many organizations, especially those contracting with governments, mandate BitLocker as a full-volume encryption solution to protect data at rest. The default configuration, which relies solely on the TPM to release the decryption key, is now shown to be insufficient against physical attacks. Consumers are also at risk if an attacker gains physical possession of the machine: on Windows 11 Pro with default BitLocker, and on Windows 11 Home, where the feature appears as Device Encryption and is always TPM-only. The exploit does not affect systems using additional authentication layers, such as a pre-boot PIN, or those using third-party encryption tools. It is a wake-up call for IT administrators to reassess their encryption policies beyond the default settings.

Why Is a Physical Access Exploit Dangerous?

While remote attacks grab headlines, physical access exploits like YellowKnight are equally dangerous because they sidestep network-based defenses entirely. Once an adversary can physically connect to a device (by stealing the laptop, plugging in a USB device during a moment of unattended use, or booting from an external drive), host-based tools such as antivirus and firewalls never get a chance to act, because the attack happens before or outside the operating system they protect. The attacker can read, copy, or modify encrypted data without triggering alerts. The speed of this exploit (seconds) means an attacker can extract sensitive data in low-risk situations, such as a few minutes in a hotel room or a brief break-in at an office. For organizations handling classified or proprietary information, this vulnerability undermines the trust placed in hardware-based encryption. It also highlights the importance of physical security measures, like locked rooms and tamper-evident seals, alongside software protections.


How Can Users Protect Against YellowKnight?

To guard against this exploit, users must move beyond the default BitLocker configuration. The most effective step is to require pre-boot authentication: TPM + PIN, or TPM + startup key (USB). The TPM then releases the volume key only after the user supplies a secret, so an attacker needs the PIN or the key as well as the hardware, which raises the bar significantly. IT administrators should enforce this through Group Policy (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup) or the equivalent Intune setting, and escrow recovery passwords before changing protectors so that a mistake does not lock users out. Two caveats apply. Windows 11 Home offers only Device Encryption, which is TPM-only and cannot take a PIN, so Pro, Enterprise or Education is required. And BitLocker Network Unlock is a convenience for domain-joined machines: it lets TPM + PIN systems reboot unattended while connected to the trusted corporate network, with the PIN still required anywhere else, so it complements pre-boot authentication rather than replacing it. Keep Windows updated, since Microsoft may ship mitigations, but because this is a design-level bypass of the TPM-only unlock flow, a software update alone may not fully close it. Organizations that cannot enforce pre-boot authentication with BitLocker should consider full-disk encryption products that require multi-factor authentication at boot.
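The following PowerShell script is an added example, not code from the article or from the researcher's write-up. It performs the audit and the remediation described above on one machine: it flags an OS volume that unlocks with a bare TPM protector, makes sure a recovery password exists and is escrowed, writes the policy values that the "Require additional authentication at startup" setting controls, adds a TPM + PIN protector, and removes any remaining TPM-only protector. It assumes Windows 11 Pro or Enterprise, an elevated session, that the OS volume is C:, and an AD DS-joined machine for the escrow step (use BackupToAAD-BitLockerKeyProtector on Entra-joined devices instead).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): move the OS volume from TPM-only to TPM + PIN.
# Assumptions: Windows 11 Pro/Enterprise, OS volume is C:, AD DS-joined (for escrow).

$MountPoint = 'C:'
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
Write-Host "Protection status: $($vol.ProtectionStatus); protectors: $($types -join ', ')"

# 1. Audit: a bare 'Tpm' protector with no PIN-bearing protector is the default
#    configuration the article describes. TpmPin / TpmPinStartupKey are acceptable.
$tpmOnly = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })
$hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
if ($tpmOnly.Count -gt 0 -and -not $hasPin) {
    Write-Warning "$MountPoint unlocks with the TPM alone; no user secret is required at boot."
}

# 2. Safety net: never change protectors without an escrowed recovery password.
if ($types -notcontains 'RecoveryPassword') {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}
$rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })[0]
# Escrow to AD DS (assumption). On Entra-joined devices use BackupToAAD-BitLockerKeyProtector.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 3. Policy: these are the registry values behind the Group Policy setting
#    "Require additional authentication at startup". 0 = do not allow, 1 = require, 2 = allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup = 1   # enable the setting
    EnableBDEWithNoTPM = 0   # no BitLocker without a TPM
    UseTPM             = 0   # TPM-only: do not allow
    UseTPMPIN          = 1   # TPM + PIN: require
    UseTPMKey          = 0   # TPM + startup key only: do not allow
    UseTPMKeyPIN       = 2   # TPM + PIN + startup key: allow
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}

# 4. Add the TPM + PIN protector. The PIN is read as a SecureString and never logged.
$pin = Read-Host -Prompt 'Startup PIN (at least 6 digits)' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# 5. Remove any TPM-only protector that still exists after the change; re-query first,
#    because Windows may already have replaced it when the TPM + PIN protector was added.
$remaining = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'Tpm' }
foreach ($kp in $remaining) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# 6. Verify: the OS volume should now list TpmPin and RecoveryPassword, and no bare Tpm.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Run it on a single test machine before rolling the policy out through Group Policy or Intune, confirm the device prompts for the PIN on the next reboot, and confirm the recovery password is visible in the directory. The audit in step 1 on its own (without steps 2 to 6) is safe to run fleet-wide to find every device still in the default TPM-only state.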

Will Microsoft Patch the YellowKnight Exploit?

At the time of writing, Microsoft has not released an official patch for YellowKnight. The exploit targets a fundamental interaction between BitLocker and the TPM, reached through the Transactional NTFS feature, which is closer to a design property of the TPM-only unlock flow than to a simple code bug. Closing it may require changes to the boot-time key release or to how FsTx folders are handled, and Microsoft may issue a security advisory recommending configuration changes (a pre-boot PIN) rather than a hotfix. That would be consistent with Microsoft's existing guidance: TPM + PIN has been supported since BitLocker first shipped, and Microsoft's own BitLocker countermeasures documentation recommends it for machines exposed to physical attacks. Given the exploit's specificity to default settings, the company may also update its documentation to warn users. Until a fix arrives, relying on the default BitLocker setup is risky. Monitor the Microsoft Security Response Center (MSRC) for updates and implement the mitigations described above in the meantime.