Full Report
Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass. "Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey,'" the
Analysis Summary
# Vulnerability: YellowKey BitLocker Security Feature Bypass
## CVE Details
- **CVE ID:** CVE-2026-45585
- **CVSS Score:** 6.8 (Medium)
- **CWE:** Not explicitly stated (Security Feature Bypass)
## Affected Systems
- **Products:**
  - Windows 11
  - Windows Server 2025
- **Versions:**
  - Windows 11 Version 26H1 for x64-based Systems
  - Windows 11 Version 24H2 for x64-based Systems
  - Windows 11 Version 25H2 for x64-based Systems
  - Windows Server 2025 (including Server Core installation)
- **Configurations:** Systems utilizing BitLocker Device Encryption with "TPM-only" protectors.
## Vulnerability Description
YellowKey is a security feature bypass vulnerability that resides in the Windows Recovery Environment (WinRE). The flaw is a logic error in the Transactional NTFS replay process. An attacker can place specially crafted 'FsTx' files on an external USB drive or on the EFI partition to interfere with the boot process. By triggering WinRE and manipulating the execution of `autofstx.exe` (the FsTx Auto Recovery Utility), the attacker can cause `winpeshl.ini` to be deleted, after which WinRE spawns a command shell with unrestricted access to the BitLocker-protected volume.
## Exploitation
- **Status:** Publicly disclosed; Proof of Concept (PoC) available.
- **Complexity:** Low (requires specific physical steps but follows a documented sequence).
- **Attack Vector:** Physical (requires physical access to the device and the ability to insert a USB drive).
## Impact
- **Confidentiality:** High (Full access to encrypted data on the system storage device).
- **Integrity:** High (Unrestricted shell access allows for system modification).
- **Availability:** High (Potential to modify or delete critical system files).
## Remediation
### Patches
- Microsoft has released an official mitigation advisory and is tracking the issue via CVE-2026-45585. Users should apply the latest Windows Updates as they become available for their specific versions.
### Workarounds
- **Configure TPM+PIN:** The primary defense is switching from "TPM-only" authentication to "TPM+PIN." This requires a user-defined PIN at startup, which blocks the bypass.
- **Manual WinRE Modification:**
  1. Mount the WinRE image.
  2. Mount the system registry hive.
  3. Remove the `autofstx.exe` entry from the `BootExecute` `REG_MULTI_SZ` value under the Session Manager key.
  4. Unmount and commit the image, then reestablish BitLocker trust.
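The four manual steps above, carried out end to end in PowerShell. This is an added example written for this page; it is not Microsoft's mitigation script and not code from the advisory. It assumes the standard offline-servicing flow (`reagentc /disable` moves `Winre.wim` to `%SystemRoot%\System32\Recovery` so DISM can mount it, and `reagentc /enable` moves it back), a scratch mount directory and temporary hive name chosen here, and that BitLocker trust is re-established by suspending protection for one reboot so the TPM reseals to the changed boot measurements (that last mechanism is an assumption, not something the advisory states). Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or Microsoft): strip autofstx.exe from the
# WinRE image's BootExecute list. Mount directory, hive name and the
# suspend-for-one-reboot step are assumptions made for this example.

$MountDir = 'C:\WinRE_Mount'    # scratch mount directory (assumed)
$HiveName = 'WinRE_SYSTEM'      # temporary name for the offline SYSTEM hive (assumed)
$WimPath  = Join-Path $env:SystemRoot 'System32\Recovery\Winre.wim'

# Disabling WinRE moves Winre.wim from the recovery partition to $WimPath so it
# can be serviced; reagentc /enable at the end moves it back.
reagentc /disable | Out-Null
if (-not (Test-Path $WimPath)) { throw "WinRE image not found at $WimPath" }
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

$commit = $false
try {
    # Step 1: mount the WinRE image read/write
    Dism /Mount-Image /ImageFile:$WimPath /Index:1 /MountDir:$MountDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'DISM mount failed' }

    # Step 2: load the image's SYSTEM hive under a temporary HKLM name
    reg load "HKLM\$HiveName" "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Failed to load offline SYSTEM hive' }

    # Offline hives record the active control set in <hive>\Select\Current
    $current = (Get-ItemProperty -Path "HKLM:\$HiveName\Select" -Name Current).Current
    $keyPath = "HKLM:\$HiveName\ControlSet{0:D3}\Control\Session Manager" -f $current

    # Step 3: drop the autofstx.exe entry from the BootExecute REG_MULTI_SZ value
    $before = @((Get-ItemProperty -Path $keyPath -Name BootExecute).BootExecute)
    $after  = @($before | Where-Object { $_ -notmatch 'autofstx' })
    if ($after.Count -lt $before.Count) {
        Set-ItemProperty -Path $keyPath -Name BootExecute -Value ([string[]]$after) -Type MultiString
        Write-Host "BootExecute: removed $($before.Count - $after.Count) autofstx entry(ies)"
    } else {
        Write-Host 'BootExecute: no autofstx entry present; image left unchanged'
    }
    $commit = $true
}
catch {
    Write-Warning $_
}
finally {
    # Step 4: release handles, unload the hive, commit (or discard on error), re-enable WinRE
    [GC]::Collect()
    reg unload "HKLM\$HiveName" 2>$null | Out-Null
    $mode = if ($commit) { '/Commit' } else { '/Discard' }
    Dism /Unmount-Image /MountDir:$MountDir $mode | Out-Null
    reagentc /enable | Out-Null
}

if ($commit) {
    # Assumed way to reestablish BitLocker trust after the recovery image changed:
    # suspend protection for exactly one reboot so the TPM reseals to the new state.
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
    Write-Host 'WinRE updated; BitLocker suspended for one reboot to reseal. Reboot now.'
}
```

The `try/finally` matters: a half-serviced image left mounted, or a hive left loaded, leaves the machine without a working recovery environment, so the script always unmounts (discarding on failure) and re-enables WinRE before it exits. Test on a non-production machine first and keep the recovery key available, since any mistake in the BitLocker-trust step means a recovery prompt at next boot.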
## Detection
- **Indicators of Compromise:** Presence of unauthorized 'FsTx' files on the EFI partition or recently connected USB drives.
- **Detection Methods:** Monitor for unauthorized entry into Windows Recovery Environment (WinRE) and subsequent elevation to a command shell. Audit BitLocker configuration status to ensure "TPM+PIN" is active.
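A fleet-side check for the configuration audit this section calls for. Added example, not part of the report: it uses the built-in `Get-BitLockerVolume` cmdlet and its `KeyProtectorType` values to flag operating-system volumes that rely on a TPM-only protector (the affected configuration named above), as well as volumes whose protection is currently off. The `Finding` wording and the function name are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): audit BitLocker OS volumes for the
# TPM-only protector configuration that YellowKey affects.

function Get-BitLockerProtectorAudit {
    # Protector types that bind a boot-time secret the user must supply;
    # any of these means the volume is not "TPM-only".
    $pinBacked = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

    foreach ($vol in Get-BitLockerVolume) {
        # TPM protectors only apply to the operating-system volume
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }

        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm  = $types -contains 'Tpm'
        $hasPin  = @($types | Where-Object { $pinBacked -contains $_ }).Count -gt 0
        $tpmOnly = $hasTpm -and -not $hasPin

        $finding = if ($vol.ProtectionStatus -ne 'On') {
            'Protection is OFF (suspended or not enabled)'
        } elseif ($tpmOnly) {
            'TPM-only protector: affected configuration, switch to TPM+PIN'
        } elseif ($types.Count -eq 0) {
            'No key protectors configured'
        } else {
            'OK'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = $tpmOnly
            Finding          = $finding
        }
    }
}

# Run locally; wrap in Invoke-Command to collect the same table across a fleet.
Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

A volume reporting `Protectors = Tpm, RecoveryPassword` is the case to act on: the recovery password does not change the fact that the OS volume unlocks automatically at boot, which is exactly what the WinRE bypass relies on. Pair this with `manage-bde -protectors -add C: -TPMAndPIN` (or the equivalent `Add-BitLockerKeyProtector -TpmAndPinProtector`) for the remediation itself.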
## References
- **MSRC Advisory:** hxxps://msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-45585
- **Technical Disclosure:** hxxps://thehackernews[.]com/2026/05/windows-zero-days-expose-bitlocker[.]html
- **Configuration Guide:** hxxps://learn[.]microsoft[.]com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure