Microsoft on Tuesday rolled out mitigations for YellowKey, a recently disclosed zero-day vulnerability leading to BitLocker bypass.
The issue, now tracked as CVE-2026-45585 (CVSS score of 6.8), can be triggered by an attacker with physical access to a system by using a USB drive containing the publicly released YellowKey exploit code and rebooting the system into recovery mode.
Instead of serving the attacker the typical Windows Recovery Environment (WinRE), the exploit spawns a shell, offering access to the underlying partition’s contents, no longer protected by BitLocker’s encryption.
Microsoft’s advisory acknowledges the public exploit and its effects: “A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.”
In its advisory, the tech giant guides defenders through a multi-stage process that involves mounting the WinRe image on each device, mounting the system registry hive of the image, removing autofstx.exe from the mounted hive, mounting the updated image, and reestablishing BitLocker trust for WinRe.
The company also recommends adding a PIN to BitLocker. However, Chaotic Eclipse, the disgruntled researcher who dropped the exploit and several other Windows zero-days, claims that YellowKey also works on systems where TPM (Trusted Platform Module) protection has been supplemented by a PIN.
The mitigations rolled out by Microsoft, Tharros Labs senior principal vulnerability analyst Will Dormann says, effectively prevent the FsTx Auto Recovery utility (autofstx.exe) from automatically running during the WinRE image’s initiation.
The underlying vulnerability, Dormann explained last week, involves triggering FsTx from a USB drive when entering Windows Recovery to delete the winpeshl.ini file, which essentially controls WinRE’s behavior.
The YellowKey exploit contains an FsTx directory that, when placed on a USB drive, relies on Transactional NTFS replay to delete the winpeshl.ini file in the System32 folder, resulting in the attacker being served a command prompt window with BitLocker unlocked, instead of the typical recovery mode.
“While the TPM-only Bitlocker bypass is indeed interesting, I think the buried lede here is that a System Volume InformationFsTx directory on one volume has the ability to modify the contents of another volume when it is replayed. To me, this in and of itself sounds like a vulnerability,” Dormann said.
Related: Researcher Drops MiniPlasma Windows Exploit for Unpatched 2020 CVE
Related: Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’
Related: Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild
Related: Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises
