VULNERABILITY OVERVIEW
A security feature bypass in Windows Recovery Environment (WinRE) allows an attacker with physical access to unlock BitLocker-protected drives on TPM-only configurations without credentials by placing specially crafted FsTx files on a USB drive or EFI partition and triggering a command shell via the CTRL key during WinRE boot. Researcher Chaotic Eclipse (Nightmare-Eclipse) published a public PoC on May 13, 2026 and described the flaw as functioning 'like a backdoor'; Trend Micro detected active in-the-wild use shortly after PoC release. CISA added it to KEV on May 20. The June 9 Patch Tuesday update includes the permanent fix; pre-patch mitigation requires switching from TPM-only to TPM+PIN.
CVSS BREAKDOWN
↗
Attack Vector
PHYSICAL
△
Attack Complexity
LOW
⚷
Privs Required
NONE
◈
User Interaction
NONE
⊕
Scope / Impact
UNCHANGED
C:H · I:H · A:N
AFFECTED VERSIONS
Windows 11 (23H2, 24H2, 25H2) and Windows Server 2022/2025 with TPM-only BitLocker protection; patched in June 2026 Patch Tuesday cumulative updateCITATIONS
- → CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- → BleepingComputer: https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/
- → Tenable June 2026 Patch Tuesday: https://www.tenable.com/blog/microsofts-june-2026-patch-tuesday-addresses-198-cves-cve-2026-49160-cve-2026-50507
- → The Hacker News: https://thehackernews.com/2026/05/windows-zero-days-expose-bitlocker.html