Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week.
The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass.
“Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as ‘YellowKey,’” the tech giant said in an advisory. “The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices.”
The issue impacts Windows 11 version 26H1 for x64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 11 Version 25H2 for x64-based Systems, Windows Server 2025, and Windows Server 2025 (Server Core installation).
YellowKey was disclosed by a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse). It essentially involves placing specially crafted ‘FsTx’ files on a USB drive or EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into the Windows Recovery Environment (WinRE), and triggering a shell with unrestricted access by holding down the CTRL key.
“If you did everything properly, a shell will spawn with unrestricted access to the BitLocker protected volume,” the researcher noted in a GitHub post.
Redmond noted that successful exploitation could enable an attacker with physical access to sidestep the BitLocker Device Encryption feature on the system storage device and gain access to encrypted data.
To address the risk, the following mitigations have been outlined:
- Mount the WinRE image on each device.
- Mount the system registry hive of the mounted WinRE image.
- Modify BootExecute by removing the “autofstx.exe” value from Session Manager’s BootExecute REG_MULTI_SZ value.
- Save and unload the registry hive.
- Unmount and commit the updated WinRE image.
- Reestablish BitLocker trust for WinRE.
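The six steps above, sketched as one PowerShell script. This is an added example, not Microsoft's own script: the scratch directory, the temporary hive name, the use of `ControlSet001` in the offline hive, and the `reagentc /disable` then `/enable` sequence for re-establishing BitLocker trust are assumptions to check against the advisory before use.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script. Assumed: $MountDir, $HiveName,
# ControlSet001 as the offline control set, reagentc disable/enable for trust.
$ErrorActionPreference = 'Stop'
$MountDir = 'C:\WinRE_Mount'      # assumed scratch directory
$HiveName = 'WinRE_SYSTEM'        # assumed temporary hive name
$KeyPath  = "HKLM:\$HiveName\ControlSet001\Control\Session Manager"

function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
$changed = $false
# Step 1: mount the WinRE image
Invoke-Native reagentc.exe '/mountre', '/path', $MountDir
try {
    # Step 2: load the SYSTEM hive of the mounted image
    Invoke-Native reg.exe 'load', "HKLM\$HiveName", "$MountDir\Windows\System32\config\SYSTEM"
    try {
        # Step 3: drop the autofstx.exe entry from the REG_MULTI_SZ value
        $old = @((Get-ItemProperty -Path $KeyPath -Name BootExecute).BootExecute)
        [string[]]$new = @($old | Where-Object { $_.Trim() -notlike 'autofstx.exe*' })
        if ($new.Count -lt $old.Count) {
            Set-ItemProperty -Path $KeyPath -Name BootExecute -Value $new -Type MultiString
            $changed = $true
        }
    }
    finally {
        # Step 4: release provider handles, then unload the hive
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        Invoke-Native reg.exe 'unload', "HKLM\$HiveName"
    }
}
finally {
    # Step 5: commit only if the value was actually changed
    $mode = if ($changed) { '/commit' } else { '/discard' }
    Invoke-Native reagentc.exe '/unmountre', '/path', $MountDir, $mode
}
# Step 6 (assumed method): cycle WinRE so BitLocker re-establishes trust
if ($changed) {
    Invoke-Native reagentc.exe '/disable'
    Invoke-Native reagentc.exe '/enable'
}
```

If `autofstx.exe` is not present in BootExecute, the script discards the mount and leaves the WinRE image untouched, so it can be re-run safely as a check.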
“Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches,” security researcher Will Dormann said. “With this change, the Transactional NTFS replaying that deletes winpeshl.ini no longer happens. It also recommends switching from TPM-only to TPM+PIN.”
Microsoft also emphasized that users can be safeguarded against exploitation by configuring BitLocker on already encrypted devices with a “TPM-only” protector by switching to “TPM+PIN” mode via PowerShell, the command line, or the control panel. This will require a PIN to decrypt the drive at startup, effectively blocking YellowKey attacks.
On devices that are not encrypted, administrators are advised to enable the “Require additional authentication at startup” option via Microsoft Intune or Group Policies and ensure that “Configure TPM startup PIN” is set to “Require startup PIN with TPM.”



