YellowKey BitLocker Bypass Vulnerability

Been a while since I saw a BitLocker bypass around, my turn.

This is one of the most insane discoveries I ever found, almost feels like a backdoor, but what do you know, maybe I'm just insane.

How to reproduce:

Copy the FsTx folder to YourUSBStick:\System Volume Information\FsTx as-is and make sure to use a filesystem that's compatible with Windows. NTFS is preferable, but FAT32/exFAT should work as well.

Plug the USB stick into the target Windows computer with BitLocker protection turned on.

Reboot to Windows Recovery Environment Agent. You can do this by holding SHIFT and clicking the restart button.

Once you click restart, lift your finger off SHIFT and hold CTRL. Do not lift your finger off it.

If done properly, a shell will spawn with unrestricted access to the BitLocker-protected volume.

Now why would I say this is a backdoor? The component responsible for this bug is not present anywhere, even on the internet, except inside the WinRE image. What raises suspicion is that the exact same component is also present with the exact same name in a normal Windows installation, but without the functionality that triggers the BitLocker bypass issue.

Why? I just can't come up with an explanation besides the fact that this was intentional.

Also, for whatever reason, only Windows 11, Server 2022, and Server 2025 are affected. Windows 10 is not.

A huge thanks to MORSE, MSTIC, and Microsoft GHOST for making this public disclosure possible.