Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass

Microsoft on Tuesday rolled out mitigations for YellowKey, a recently disclosed zero-day vulnerability leading to BitLocker bypass.

The issue, now tracked as CVE-2026-45585 (CVSS score of 6.8), can be triggered by an attacker with physical access to a device by using a USB drive containing the publicly released YellowKey exploit code and rebooting the device into recovery mode.

Instead of serving the attacker the usual Windows Recovery Environment (WinRE), the exploit spawns a shell, providing access to the underlying partition's contents, no longer protected by BitLocker's encryption.

Microsoft's advisory acknowledges the public exploit and its effects: "A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

In its advisory, the tech giant guides defenders through a multi-stage process that involves mounting the WinRE image on each device, mounting the image's SYSTEM registry hive, removing autofstx.exe from the mounted hive, committing the updated image, and re-establishing BitLocker trust for WinRE.
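One way to script that multi-stage process from an elevated PowerShell session, as an added example that is not part of the article or of Microsoft's advisory: it assumes the documented WinRE customisation flow (reagentc /disable stages winre.wim under C:\Windows\System32\Recovery, and reagentc /enable re-registers the updated image with BitLocker), and it treats "removing autofstx.exe from the hive" as deleting the registry value that launches it, whose location is a placeholder to be filled in from Microsoft's advisory.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# PLACEHOLDERS: the key/value that launches autofstx.exe comes from Microsoft's advisory.
$RegKeyPath   = '<KEY_PATH_FROM_MICROSOFT_ADVISORY>'
$RegValueName = '<VALUE_NAME_FROM_MICROSOFT_ADVISORY>'
if ($RegKeyPath -like '<*' -or $RegValueName -like '<*') {
    throw 'Fill in the registry location from the Microsoft advisory first.'
}

$Mount  = 'C:\WinRE_Mount'
$Wim    = 'C:\Windows\System32\Recovery\winre.wim'   # where reagentc /disable stages WinRE (assumption)
$HiveId = 'WinRE_SYSTEM'

# Detach WinRE so the staged winre.wim is writable; /enable later re-registers it.
reagentc.exe /disable | Out-Null
if (-not (Test-Path $Wim)) { throw "winre.wim not staged at $Wim" }

# Stage 1: mount the WinRE image.
New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null
try {
    # Stage 2: load the image's SYSTEM hive under a temporary key.
    reg.exe load "HKLM\$HiveId" (Join-Path $Mount 'Windows\System32\config\SYSTEM') | Out-Null
    try {
        # Stage 3: remove the autofstx.exe entry, then verify it is really gone.
        $Key = "HKLM:\$HiveId\$RegKeyPath"
        if (Get-ItemProperty -Path $Key -Name $RegValueName -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $Key -Name $RegValueName
        }
        if (Get-ItemProperty -Path $Key -Name $RegValueName -ErrorAction SilentlyContinue) {
            throw "autofstx.exe reference still present under $Key"
        }
    } finally {
        [GC]::Collect()                    # drop stale handles so the hive unloads
        reg.exe unload "HKLM\$HiveId" | Out-Null
    }
    # Stage 4: commit the modified image back into winre.wim.
    Dismount-WindowsImage -Path $Mount -Save | Out-Null
} catch {
    Dismount-WindowsImage -Path $Mount -Discard | Out-Null
    throw
}

# Stage 5: re-enable WinRE, which re-establishes BitLocker's trust in the updated image.
reagentc.exe /enable | Out-Null
reagentc.exe /info
```

Check the final reagentc /info output shows WinRE enabled again before leaving the device; if the hive refuses to unload, close any Registry Editor windows and rerun the unload step.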

The company also recommends adding a PIN to BitLocker. However, Chaotic Eclipse, the disgruntled researcher who dropped the exploit and several other Windows zero-days, claims that YellowKey also works on systems where TPM (Trusted Platform Module) protection has been supplemented with a PIN.

The mitigations rolled out by Microsoft, Tharros Labs senior principal vulnerability analyst Will Dormann says, effectively prevent the FsTx Auto Recovery utility (autofstx.exe) from automatically running during the WinRE image's initialization.

The underlying vulnerability, Dormann explained last week, involves triggering FsTx from a USB drive when entering Windows Recovery to delete the winpeshl.ini file, which essentially controls WinRE's behavior.

The YellowKey exploit contains an FsTx directory that, when placed on a USB drive, relies on Transactional NTFS replay to delete the winpeshl.ini file in the System32 folder, resulting in the attacker being served a command prompt window with BitLocker unlocked, instead of the usual recovery mode.

"While the TPM-only BitLocker bypass is certainly interesting, I think the buried lede here is that a System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it's replayed. To me, this in and of itself seems like a vulnerability," Dormann said.
