May 20, 2026

Ravie Lakshmanan | May 20, 2026 | Vulnerability / Encryption

Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week.

The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass.

“Microsoft is aware of a security feature bypass vulnerability in Windows publicly known as ‘YellowKey,'” the tech giant said in an advisory. “The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices.”

The issue impacts Windows 11 version 26H1 for x64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 11 Version 25H2 for x64-based Systems, Windows Server 2025, and Windows Server 2025 (Server Core installation).

YellowKey was disclosed by a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse). It essentially involves placing specially crafted ‘FsTx’ files on a USB drive or EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into the Windows Recovery Environment (WinRE), and triggering a shell with unrestricted access by holding down the CTRL key.

“If you did everything properly, a shell will spawn with unrestricted access to the BitLocker protected volume,” the researcher noted in a GitHub post.

Redmond noted that successful exploitation could enable an attacker with physical access to sidestep the BitLocker Device Encryption feature on the system storage device and gain access to encrypted data.

To address the risk, the following mitigations have been outlined:

  • Mount the WinRE image on each device.
  • Mount the system registry hive of the mounted WinRE image.
  • Modify BootExecute by removing the “autofstx.exe” value from Session Manager’s BootExecute REG_MULTI_SZ value.
  • Save and unload the registry hive.
  • Unmount and commit the updated WinRE image.
  • Reestablish BitLocker trust for WinRE.
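
The six steps above as one elevated PowerShell script; this is an added example, not Microsoft's or the researcher's code. The mount directory, the temporary hive name, the use of ControlSet001, the assumption that autofstx.exe is its own string in BootExecute, and the choice of reagentc /disable followed by /enable for the trust step are assumptions to check against the advisory.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$mountDir = 'C:\WinREMount'      # assumed scratch directory
$hiveName = 'WinRE_SYSTEM'       # assumed temporary key name under HKLM
$hiveFile = Join-Path $mountDir 'Windows\System32\config\SYSTEM'
# Assumption: the offline hive's active control set is ControlSet001.
$keyPath  = "HKLM:\$hiveName\ControlSet001\Control\Session Manager"

function Invoke-Native([string]$Exe, [string[]]$ArgList) {
    & $Exe @ArgList | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') exited with $LASTEXITCODE" }
}

New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
$changed = $false

# Step 1: mount the WinRE image.
Invoke-Native reagentc.exe @('/mountre', '/path', $mountDir)
try {
    # Step 2: load the SYSTEM hive of the mounted image.
    Invoke-Native reg.exe @('load', "HKLM\$hiveName", $hiveFile)
    try {
        # Step 3: drop only the autofstx.exe string from the REG_MULTI_SZ.
        $boot = @((Get-ItemProperty -Path $keyPath -Name BootExecute).BootExecute)
        $kept = @($boot | Where-Object { $_ -notmatch '^\s*autofstx\.exe\s*$' })
        if ($kept.Count -lt $boot.Count) {
            Set-ItemProperty -Path $keyPath -Name BootExecute -Value ([string[]]$kept) -Type MultiString
            $changed = $true
        }
    }
    finally {
        # Step 4: release provider handles, then unload the hive.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        Invoke-Native reg.exe @('unload', "HKLM\$hiveName")
    }
}
finally {
    # Step 5: commit only if the value was actually modified.
    $mode = if ($changed) { '/commit' } else { '/discard' }
    Invoke-Native reagentc.exe @('/unmountre', '/path', $mountDir, $mode)
}

# Step 6: re-register WinRE so BitLocker trusts the updated image.
if ($changed) {
    Invoke-Native reagentc.exe @('/disable')
    Invoke-Native reagentc.exe @('/enable')
}
"BootExecute changed: $changed"
```

Running it a second time should report `BootExecute changed: False` and discard the mount, which doubles as a check that the entry is gone.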

“Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches,” security researcher Will Dormann said. “With this change, the Transactional NTFS replaying that deletes winpeshl.ini no longer happens. It also recommends switching from TPM-only to TPM+PIN.”

Microsoft also emphasized that users can be safeguarded against exploitation by configuring BitLocker on already encrypted devices with the “TPM-only” protector by switching to “TPM+PIN” mode via PowerShell, the command line, or the control panel. This will require a PIN to decrypt the drive at startup, effectively blocking YellowKey attacks.

On devices that are not encrypted, administrators are advised to enable the “Require additional authentication at startup” option via Microsoft Intune or Group Policies and ensure that “Configure TPM startup PIN” is set to “Require startup PIN with TPM.”


