Full Report
Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives. [...]
Analysis Summary
# Vulnerability: YellowKey BitLocker Security Feature Bypass
## CVE Details
- **CVE ID:** CVE-2026-45585
- **CVSS Score:** Not yet finalized (Estimated High severity due to bypass of disk encryption)
- **CWE:** CWE-287 (Improper Authentication) / CWE-254 (Security Features)
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:** Impacted versions include those utilizing BitLocker with WinRE (Windows Recovery Environment) integration.
- **Configurations:** Systems configured with BitLocker in "TPM-only" mode are specifically vulnerable.
## Vulnerability Description
YellowKey is a security feature bypass vulnerability in Windows BitLocker. The flaw resides in the interaction between the Windows Recovery Environment (WinRE) and the **FsTx Auto Recovery Utility** (`autofstx.exe`).
Technically, the vulnerability abuses Transactional NTFS (TxF) transaction replay. By placing specially crafted 'FsTx' files on a USB drive or the EFI partition and booting into WinRE, an attacker can trigger a sequence in which `autofstx.exe` deletes `winpeshl.ini`. Holding the CTRL key during this sequence lets the attacker break out into a shell with unrestricted access to the BitLocker-protected storage volume, bypassing the encryption protections that should apply.
## Exploitation
- **Status:** Exploited in the wild; Proof-of-Concept (PoC) available.
- **Complexity:** Medium (Requires specific file placement and manual interaction during boot).
- **Attack Vector:** Physical (Requires physical access to the device to insert media and interact with the boot process).
## Impact
- **Confidentiality:** High (Total access to encrypted drive data).
- **Integrity:** High (Ability to modify system files on the protected volume).
- **Availability:** Low (Primary impact is data exposure rather than system denial).
## Remediation
### Patches
- **Status:** No official security update is available at this time. Microsoft is working on a permanent fix.
### Workarounds
- **Registry Modification:** Remove the `autofstx.exe` entry from the Session Manager's `BootExecute` (REG_MULTI_SZ) value. This prevents the utility from automatically starting when WinRE launches.
- **Authentication Upgrade:** Transition BitLocker from "TPM-only" mode to **"TPM+PIN"** mode. This requires a pre-boot PIN to decrypt the drive, effectively blocking the YellowKey attack vector.
- **Group Policy:** Enable "Require additional authentication at startup" and ensure "Configure TPM startup PIN" is set to "Require startup PIN with TPM."
## Detection
- **Indicators of Compromise:** Presence of unauthorized `FsTx` files on the EFI partition or connected USB drives.
- **Detection Methods:** Monitor for unauthorized changes to the `BootExecute` registry key or unexpected deletions of `winpeshl.ini` within the WinRE environment.
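As an added example (not part of Microsoft's advisory or of the original report), the following PowerShell script audits a host against the two workarounds above and reports the `BootExecute` state that the Detection section asks administrators to monitor. It assumes it runs elevated on Windows with the BitLocker PowerShell module available. The Session Manager registry path, the `FVE\UseTPMPIN` policy value and the BitLocker cmdlets are standard Windows components; the `autofstx` match string is the entry named in this report.

```powershell
# Added example: audit a Windows host for the YellowKey workarounds.
# Assumes an elevated session and the BitLocker module (Get-BitLockerVolume).

$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$FvePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BootExecuteAudit {
    # BootExecute is REG_MULTI_SZ; PowerShell exposes it as a string array.
    # The default content is 'autocheck autochk *'; anything matching
    # 'autofstx' is the entry the workaround says to remove.
    $entries = @((Get-ItemProperty -Path $SessionMgr -Name BootExecute).BootExecute)
    $flagged = @($entries | Where-Object { $_ -match 'autofstx' })
    [pscustomobject]@{
        Entries         = $entries
        AutofstxPresent = ($flagged.Count -gt 0)
        Flagged         = $flagged
    }
}

function Remove-AutofstxBootExecute {
    # Workaround 1: drop only the autofstx entry and keep every other value
    # (notably the default autochk entry) so normal boot processing is unchanged.
    $entries = @((Get-ItemProperty -Path $SessionMgr -Name BootExecute).BootExecute)
    $kept    = @($entries | Where-Object { $_ -notmatch 'autofstx' })
    if ($kept.Count -ne $entries.Count) {
        Set-ItemProperty -Path $SessionMgr -Name BootExecute `
            -Value ([string[]]$kept) -Type MultiString
    }
    Get-BootExecuteAudit
}

function Get-BitLockerProtectorAudit {
    # Workaround 2: find volumes that rely on a bare TPM protector.
    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinKey,
    # RecoveryPassword and Password; a volume is "TPM-only" when it has a
    # Tpm protector and no TpmPin/TpmPinKey protector.
    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin  = (@($types -match '^TpmPin').Count -gt 0)
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            ProtectorTypes   = ($types -join ',')
            TpmOnly          = (($types -contains 'Tpm') -and -not $hasPin)
        }
    }
}

function Get-TpmPinPolicyAudit {
    # Group Policy "Configure TPM startup PIN" is stored as UseTPMPIN under
    # the FVE policy key: 0 = do not allow, 1 = allow, 2 = require.
    $val = (Get-ItemProperty -Path $FvePolicy -Name UseTPMPIN -ErrorAction SilentlyContinue).UseTPMPIN
    [pscustomobject]@{
        UseTPMPIN      = $val
        StartupPinRequired = ($val -eq 2)
    }
}

function Get-YellowKeyAudit {
    # Combined view: a host is considered mitigated when the autofstx entry
    # is gone OR every OS volume has a TPM+PIN protector.
    $boot   = Get-BootExecuteAudit
    $vols   = @(Get-BitLockerProtectorAudit | Where-Object { $_.VolumeType -eq 'OperatingSystem' })
    $policy = Get-TpmPinPolicyAudit
    [pscustomobject]@{
        AutofstxInBootExecute = $boot.AutofstxPresent
        TpmOnlyOsVolumes      = @($vols | Where-Object { $_.TpmOnly } | ForEach-Object { $_.MountPoint })
        StartupPinRequired    = $policy.StartupPinRequired
        Mitigated             = (-not $boot.AutofstxPresent) -or
                                (@($vols | Where-Object { $_.TpmOnly }).Count -eq 0)
    }
}

Get-YellowKeyAudit | Format-List
```

Run `Get-YellowKeyAudit` first to see where the host stands; `Remove-AutofstxBootExecute` applies the registry workaround and re-reads the value so the change can be confirmed. Moving a volume to TPM+PIN is done, once the policy permits it, with `Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin` where `$pin` is a SecureString; re-running the audit should then report `TpmOnly = False` for that volume. Because the registry workaround is what the Detection section says to watch, record the `BootExecute` value this script reports as your baseline so later drift from it stands out.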
## References
- Microsoft Security Advisory: hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-45585
- Researcher Disclosure: Nightmare Eclipse (via BleepingComputer)
- Community Analysis: Will Dormann (Tharros) hxxps[://]infosec[.]exchange/@wdormann/116604563324444723