Microsoft · Windows · CVE-2026-45585
**Name of the Vulnerable Software and Affected Versions**
Windows 11
Windows Server 2022
Windows Server 2025
**Description**
A security feature bypass known as YellowKey affects the BitLocker component in Windows. This issue allows an attacker with physical access to a device to bypass full-disk encryption and gain unauthorized access to protected information without a recovery key. The attack abuses the Windows Recovery Environment (WinRE) by using a malicious `System Volume Information\FsTx` directory on a USB drive or EFI partition. By replaying NTFS transaction logs, the attacker can delete the `winpeshl.ini` file, which forces WinRE to drop to a command prompt (`cmd.exe`) while the volume remains transparently unlocked by the TPM. Once administrative shell access is gained, the `manage-bde` command-line tool can be used to extract the BitLocker Recovery Key. This specifically targets default TPM-only deployments; systems using TPM plus PIN are not exploitable via this method.
**Recommendations**
For Windows 11, Windows Server 2022, and Windows Server 2025, implement the following measures:
- Transition from TPM-only BitLocker configurations to TPM plus PIN or a Startup Key via Group Policy.
- Remove `autofstx.exe` from the WinRE `BootExecute` configuration.
- Restrict and harden the Windows Recovery Environment (WinRE).
- Tighten BIOS and UEFI protections and enforce strict physical access controls.
- Monitor System and Security logs for recent WinRE boot events and unexpected executions of the `manage-bde` command-line tool.
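The following PowerShell script is an added example, not part of this advisory or of any Microsoft tooling. It carries the first, second, and last recommendations through on a single host: it lists volumes that still rely on a plain TPM protector, moves a volume to TPM plus PIN (after confirming a recovery-password protector exists), sets the BitLocker policy registry values that correspond to the "Require additional authentication at startup" Group Policy, inspects (and optionally trims) the `BootExecute` list inside the WinRE image, and pulls recent `manage-bde` process-creation events. The scratch mount directory `C:\WinREMount`, the WinRE image path `%SystemRoot%\System32\Recovery\Winre.wim` (where `reagentc /disable` places it), the hive name `WinRE_SYSTEM`, and the use of Security event 4688 (which requires process-creation auditing to be enabled) are assumptions of this example; the registry values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the documented policy keys.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory). Run elevated on an affected host.

function Get-TpmOnlyVolumes {
    # Volumes whose TPM-based protector is plain 'Tpm' with no PIN or startup key.
    Get-BitLockerVolume | Where-Object {
        $types = @($_.KeyProtector.KeyProtectorType)
        ($types -contains 'Tpm') -and
        -not ($types -contains 'TpmPin' -or $types -contains 'TpmStartupKey' -or $types -contains 'TpmPinStartupKey')
    }
}

function Convert-VolumeToTpmPin {
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][securestring]$Pin)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Never change the TPM protector without an escrowed recovery password to fall back on.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "$MountPoint has no RecoveryPassword protector; add and back one up first."
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # Remove any plain TPM protector that is still present after the TPM+PIN one was added.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
}

function Set-TpmPinPolicy {
    # Local equivalent of the GPO "Require additional authentication at startup".
    # UseTPM / UseTPMPIN values: 0 = do not allow, 1 = require, 2 = allow.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'UseAdvancedStartup' -Type DWord -Value 1
    Set-ItemProperty -Path $key -Name 'EnableBDEWithNoTPM' -Type DWord -Value 0
    Set-ItemProperty -Path $key -Name 'UseTPM'             -Type DWord -Value 0   # TPM-only no longer allowed
    Set-ItemProperty -Path $key -Name 'UseTPMPIN'          -Type DWord -Value 1   # TPM + PIN required
    Set-ItemProperty -Path $key -Name 'UseTPMKey'          -Type DWord -Value 0
    Set-ItemProperty -Path $key -Name 'UseTPMKeyPIN'       -Type DWord -Value 0
}

function Get-WinReBootExecute {
    # Mounts the WinRE image, loads its SYSTEM hive and reports the BootExecute list.
    # With -RemoveAutoFsTx, entries matching 'autofstx' are dropped and the image is saved.
    # Assumes WinRE was staged to the path below with `reagentc /disable`; re-enable afterwards.
    param(
        [string]$WimPath  = "$env:SystemRoot\System32\Recovery\Winre.wim",  # assumed location
        [string]$MountDir = 'C:\WinREMount',                                 # assumed scratch dir
        [switch]$RemoveAutoFsTx
    )
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $WimPath -Index 1 -Path $MountDir | Out-Null
    $hive = 'HKLM\WinRE_SYSTEM'   # assumed temporary hive name
    reg.exe load $hive "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
    try {
        $sm = "Registry::$hive\ControlSet001\Control\Session Manager"
        $before = @((Get-ItemProperty -Path $sm -Name BootExecute).BootExecute)
        $after  = @($before | Where-Object { $_ -notmatch 'autofstx' })
        if ($RemoveAutoFsTx -and $after.Count -ne $before.Count) {
            Set-ItemProperty -Path $sm -Name BootExecute -Type MultiString -Value $after
        }
        [pscustomobject]@{ Before = $before; After = $after; Changed = ($after.Count -ne $before.Count) }
    } finally {
        [gc]::Collect()                 # release provider handles so the hive can unload
        reg.exe unload $hive | Out-Null
        if ($RemoveAutoFsTx) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
        else                 { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }
}

function Get-ManageBdeExecutions {
    # Security 4688 (process creation) events that launched manage-bde in the last $Days days.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'manage-bde' } |
        Select-Object TimeCreated, @{ n = 'Process'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'New Process Name' }) -replace '.*:\s*', '' } }
}

# Usage (audit only; the mutating calls are commented out):
Get-TpmOnlyVolumes | Select-Object MountPoint, VolumeStatus, ProtectionStatus
Get-ManageBdeExecutions -Days 7
# Convert-VolumeToTpmPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New PIN')
# Set-TpmPinPolicy
# Get-WinReBootExecute -RemoveAutoFsTx
```

Run the audit functions first and keep the mutating calls commented until the recovery password for each volume has been verified against escrow (Active Directory, Entra ID, or the organisation's key store); a host whose WinRE image has been edited and re-registered with `reagentc /enable` should be test-booted into recovery once to confirm the image still loads.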