YellowKey Zero-Day and the BitLocker Bypass: Compliance and Incident Response Implications
Alerts
June 5, 2026

Key Takeaway

A publicly disclosed and widely unpatched zero-day vulnerability, named YellowKey, permits anyone with physical access to a device running Windows 11 or Windows Server 2022/2025 to bypass BitLocker full-disk encryption (Microsoft's built-in tool that acts like a digital vault for a computer's entire hard drive) and read protected data without a password or recovery key. Organizations that rely on BitLocker as a primary or sole data-protection control should reassess their risk posture immediately.

Background: What Is YellowKey?

On May 12, 2026, a security researcher publicly released a working proof-of-concept exploit on GitHub, named YellowKey.[1] The exploit targets a feature within the Windows Recovery Environment (WinRE), a built-in recovery tool in the Windows operating system. When executed correctly, an attacker can bypass BitLocker's full-volume encryption on Windows 11 and Windows Server 2022/2025 systems to access the contents of the system without the decryption key. Windows 10 is reportedly not affected.

The attack is remarkably simple. An attacker copies a specially crafted folder structure onto a USB drive or to a hidden system partition on the target device's hard drive and reboots the machine into the Windows recovery menu while holding down the control (Ctrl) key. Rather than launching the normal Windows recovery environment, the system gives the attacker full access to the device's decrypted contents via a command-line interface. Importantly, this exploit does not require a recovery key, password, or specialized hardware.

Compliance Considerations

The researcher disclosed the vulnerability outside of a coordinated disclosure process and before any official patch had been issued. The absence of an official patch, combined with a publicly available proof-of-concept, creates immediate compliance exposure across several regulatory frameworks.

  • Data protection regulations (GLBA, CCPA/CPRA, HIPAA, state data security laws). Most data protection regimes require organizations subject to these laws to implement "reasonable" or "appropriate" technical safeguards for stored personal data. Where BitLocker is deployed as the primary encryption control for endpoints (including laptops, desktops, or servers) holding regulated personal data, organizations face a clear compliance risk: a known vulnerability[2] with a published exploit may undermine the reasonableness of that control. Regulators assessing post-incident technical measures are increasingly sophisticated.
  • FTC Act and state unfair or deceptive practices standards. Organizations that have publicly represented their endpoint security posture (in privacy notices, customer contracts, or marketing materials) should review whether those representations remain accurate in light of a known, unmitigated vulnerability in a core encryption tool, particularly where BitLocker encryption is foundational to representations relating to encryption.
  • Cyber insurance policies. Many cyber insurance policies require the insured to implement and maintain security controls that either meet industry standards or match the security measures they described when applying for the policy. Where BitLocker was cited as a primary encryption control, carriers may scrutinize whether failure to implement available mitigations (such as enabling supplemental encryption layers) constitutes a material breach of policy conditions.

Incident Response Considerations

YellowKey does not, by itself, constitute a security incident for any particular organization. However, it elevates the risk of a physical-access data breach and should inform incident response planning in several respects.

  • Reassess physical access as an avenue of attack. Many incident response programs treat physical access threats as lower-priority than remote cyberattacks. YellowKey (which requires only minutes of physical contact with a device) warrants revisiting that prioritization, particularly for organizations with distributed workforces, shared workspaces, or devices transported in high-risk environments.
  • Update data breach trigger analysis. Organizations experiencing device loss or theft, including incidents that pre-date this disclosure, should reevaluate whether those events now cross applicable legal obligations to notify affected individuals or regulators. Where a lost or stolen device running Windows 11 or Server 2022/2025 was treated as protected by BitLocker, and notification decisions were made on the basis of that protection, the data on that device may now be decrypted by whoever holds it, and the device may no longer fall outside notification obligations.

Implement compensating controls now. Until an official patch is available and deployed, organizations should consider:

(1) enforcing BIOS/UEFI passwords (which block changes to firmware settings such as boot order without the password, but do not protect a drive that is physically removed from the device) and limiting the ability to boot from USB drives or external devices;
(2) deploying enhanced physical security and asset tracking, including with remote-wipe capabilities or automations; and
(3) implementing supplemental encryption solutions on devices that could be physically accessed or stolen.
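Before choosing among these controls, most teams first need to know which devices are actually in scope: an affected OS, BitLocker switched on, and no other encryption layer. The following PowerShell inventory is an added example written for this alert; it is not code from Wilson Sonsini, Microsoft, or the YellowKey researcher. It is read-only, claims no mitigation, and only records per device the facts named in this alert (OS family, BitLocker state and protector types, WinRE status, Secure Boot). The OS-family test keying off the product caption, the `SupplementalEncryption` switch (the script cannot detect third-party encryption and relies on you to supply that answer), and the priority labels are my assumptions, not the alert's.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Wilson Sonsini alert. Read-only inventory that
# scopes which endpoints the alert's "reassess your risk posture" advice applies
# to. Nothing here patches or mitigates anything; it collects the facts an IR or
# compliance team needs per device. Assumptions (mine, not the alert's): the OS
# family is derived from the product caption, and any non-BitLocker encryption
# layer must be declared by the operator via -SupplementalEncryption.

function Get-BitLockerExposureReport {
    [CmdletBinding()]
    param(
        # $true if this device carries a non-BitLocker encryption layer
        # (file/container or third-party FDE). Not auto-detected.
        [bool]$SupplementalEncryption = $false
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # OS families the alert names: Windows 11 and Server 2022/2025 affected,
    # Windows 10 reported unaffected; anything else is left as "unknown".
    $osFamily =
        if     ($os.Caption -match 'Windows 11')  { 'affected' }
        elseif ($os.Caption -match 'Server 2022') { 'affected' }
        elseif ($os.Caption -match 'Server 2025') { 'affected' }
        elseif ($os.Caption -match 'Windows 10')  { 'not affected (per alert)' }
        else                                      { 'unknown' }

    # WinRE state as reported by reagentc. The exploit path runs through WinRE,
    # so it is worth recording, although the alert does not say that disabling
    # WinRE is a fix.
    $reText = (& reagentc.exe /info 2>&1) -join "`n"
    $winRe  = if ($reText -match 'Windows RE status:\s*(\w+)') { $Matches[1] } else { 'unknown' }

    # Secure Boot can only be queried on UEFI firmware; legacy BIOS throws.
    $secureBoot = try { [string](Confirm-SecureBootUEFI) } catch { 'n/a (not UEFI)' }

    # BitLocker state of the OS volume and the key protector types in use.
    $vol        = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $protection = if ($vol) { [string]$vol.ProtectionStatus } else { 'no BitLocker volume' }
    $protectors = if ($vol) { ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ',' } else { '' }

    # Triage label (my convention): an affected OS whose data protection rests
    # on BitLocker alone is the population the alert says to reassess first.
    # ProtectionStatus 'Off' with an encrypted volume (suspended) still means
    # the key is exposed, so it is treated as no active protection.
    $priority =
        if ($osFamily -eq 'affected' -and $protection -eq 'On' -and -not $SupplementalEncryption) {
            'High: affected OS, BitLocker is the only encryption control'
        } elseif ($osFamily -eq 'affected' -and $protection -ne 'On') {
            'High: affected OS with no active encryption'
        } elseif ($osFamily -eq 'affected') {
            'Medium: affected OS, supplemental encryption layer declared'
        } elseif ($osFamily -eq 'unknown') {
            'Medium: confirm OS family manually'
        } else {
            'Low'
        }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        OSCaption              = $os.Caption
        OSBuild                = $os.BuildNumber
        OSFamilyPerAlert       = $osFamily
        BitLockerProtection    = $protection
        KeyProtectorTypes      = $protectors
        WinREStatus            = $winRe
        SecureBoot             = $secureBoot
        SupplementalEncryption = $SupplementalEncryption
        ReviewPriority         = $priority
        CollectedAt            = (Get-Date).ToString('o')
    }
}

# Usage: run on each endpoint (or push through your management tooling) and
# aggregate the CSVs to build the device list for the reassessment.
Get-BitLockerExposureReport | Export-Csv -Path "$env:COMPUTERNAME-bitlocker-exposure.csv" -NoTypeInformation
```

The report deliberately records protector types and WinRE status without grading them, because the alert does not state that any BitLocker configuration or WinRE setting blocks the exploit; those columns exist so that a later vendor advisory can be applied to the inventory without re-collecting it.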

Wilson Sonsini specializes in helping companies navigate complex privacy and data security issues. For more information, please contact Demian Ahn, Colin Black, Laura Brodahl, Joseph “Tony” Misher, or any member of the firm’s Data, Privacy, and Cybersecurity practice.


[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585.

[2] https://www.threatlocker.com/blog/what-yellowkey-and-greenplasma-zero-day-exploits-reveal-about-trusting-native-windows-security.

Contributors

  • Demian Ahn
  • Colin Black
  • Laura Brodahl
  • Joseph (Tony) Misher