HeadlinesBriefing.com

Zero‑day “YellowKey” Threatens Windows 11 BitLocker Security

Ars Technica

A new zero‑day exploit called YellowKey lets anyone with physical access to a Windows 11 machine bypass default BitLocker encryption in seconds. The attacker copies a custom FsTx folder to a USB drive, boots the target device, and lands in a command prompt that can read or modify the encrypted disk without a recovery key.

The trick hinges on a hidden Transactional NTFS component. Researchers note that the exploit’s FsTx folder targets the \System Volume Information\FsTx directory, a file‑system location normally invisible to users. By triggering this path during startup, YellowKey sidesteps the TPM‑based lock that otherwise protects BitLocker volumes.

Security firms confirm the attack works on stock Windows 11 builds, raising alarm for organizations that rely on BitLocker as a mandatory defense. The flaw exposes entire enterprise drives to anyone who can reach a machine, undermining a key layer of data protection.

Microsoft has not yet issued a patch, but the discovery forces IT teams to reassess physical security and consider additional safeguards until a fix arrives.