Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
Source: The Hacker News
Summary
Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week.
The zero‑day flaw, now tracked as CVE‑2026‑45585, carries a CVSS score of 6.8 and is described as a BitLocker security feature bypass.
“Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as ‘YellowKey.’ The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices.” – Microsoft advisory
The issue impacts:
- Windows 11 version 26H1 (x64)
- Windows 11 version 24H2 (x64)
- Windows 11 version 25H2 (x64)
- Windows Server 2025 (including Server Core installation)

Disclosure and Technical Details
YellowKey was disclosed by security researcher Chaotic Eclipse (aka Nightmare‑Eclipse). The attack involves:
- Placing specially crafted FsTx files on a USB drive or EFI partition.
- Plugging the USB drive into a target Windows computer with BitLocker enabled.
- Rebooting into the Windows Recovery Environment (WinRE).
- Holding down the CTRL key to trigger a shell with unrestricted access.
“If you did everything properly, a shell will spawn with unrestricted access to the BitLocker‑protected volume,” the researcher noted in a GitHub post.
The exploit allows an attacker with physical access to bypass BitLocker Device Encryption and read encrypted data without needing existing credentials, software installation, or network access.
“YellowKey abuses a behavioral trust assumption in the recovery interface, allowing attackers to spawn an unrestricted shell with full access to the encrypted volume during the pre‑boot recovery sequence.” – LevelBlue
Mitigation Steps
Microsoft recommends the following procedure to remediate the vulnerability:
- Mount the WinRE image on each affected device.
- Mount the system registry hive of the mounted WinRE image.
- Modify BootExecute by removing the autofstx.exe entry from the Session Manager's BootExecute REG_MULTI_SZ value.
- Save and unload the registry hive.
- Unmount and commit the updated WinRE image.
- Re‑establish BitLocker trust for WinRE.
“Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches. With this change, the Transactional NTFS replay that deletes winpeshl.ini no longer happens.” – Will Dormann
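The six mitigation steps above as one elevated PowerShell script, added here as an example (not code from the article, Microsoft or the researcher). It assumes that reagentc /disable stages Winre.wim at the documented System32\Recovery path, and that reagentc /enable is enough for the final trust step; the temporary hive name, mount directory and backup file are the script's own choices.

```powershell
#Requires -RunAsAdministrator
# Applies the YellowKey mitigation to the local device's WinRE image.
# Assumptions: reagentc /disable places Winre.wim under System32\Recovery,
# and reagentc /enable covers "re-establish BitLocker trust" (verify against
# the Microsoft advisory before relying on it).
$ErrorActionPreference = 'Stop'
$wim      = Join-Path $env:SystemRoot 'System32\Recovery\Winre.wim'
$mountDir = Join-Path $env:SystemDrive 'WinREMount'   # scratch mount point
$hiveName = 'WinRE_SYSTEM'                             # temporary hive name under HKLM

# Step 0: disable WinRE so the image is staged in an editable location
reagentc /disable
if (-not (Test-Path $wim)) { throw "Winre.wim not found at $wim" }
Copy-Item $wim "$wim.bak" -Force                        # keep the untouched image

# Step 1: mount the WinRE image
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mountDir | Out-Null

# Step 2: load the image's offline SYSTEM hive
$hiveFile = Join-Path $mountDir 'Windows\System32\config\SYSTEM'
reg load "HKLM\$hiveName" $hiveFile | Out-Null

# Step 3: drop the autofstx.exe entry from Session Manager\BootExecute.
# Offline hives have no CurrentControlSet, so resolve it via Select\Current.
$current = (Get-ItemProperty "HKLM:\$hiveName\Select").Current
$smKey   = "HKLM:\$hiveName\ControlSet{0:D3}\Control\Session Manager" -f $current
[string[]]$before = (Get-ItemProperty $smKey).BootExecute
[string[]]$after  = $before | Where-Object { $_ -notmatch 'autofstx' }
Write-Host "BootExecute before: $($before -join ' | ')"
Write-Host "BootExecute after:  $($after  -join ' | ')"
Set-ItemProperty -Path $smKey -Name BootExecute -Value $after -Type MultiString

# Step 4: release provider handles, then save and unload the hive
[GC]::Collect(); [GC]::WaitForPendingFinalizers()
reg unload "HKLM\$hiveName" | Out-Null

# Step 5: unmount and commit the updated image
Dismount-WindowsImage -Path $mountDir -Save | Out-Null

# Step 6: re-register WinRE and confirm it is enabled again
reagentc /enable
reagentc /info
```

Run it once per affected device and compare the "before" and "after" BootExecute lines in the output; if autofstx was never present, the image did not need the change.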
Additional Recommendations
- Switch BitLocker protector mode from TPM‑only to TPM + PIN on already encrypted devices. This can be done via PowerShell, the command line, or the Control Panel and requires a PIN at startup, effectively blocking YellowKey attacks.
- For devices that are not yet encrypted, enable “Require additional authentication at startup” through Microsoft Intune or Group Policy, and set “Configure TPM startup PIN” to “Require startup PIN with TPM.”