Microsoft Rushes Out Emergency Mitigation For ‘YellowKey’ BitLocker Bypass Vulnerability


Researchers Warn Publicly Released Exploit May Enable Attackers to Access Encrypted Windows Systems With Physical Access

Microsoft Security Response Center has issued an emergency mitigation for a newly disclosed BitLocker bypass vulnerability known as “YellowKey,” after security researchers publicly released proof-of-concept exploit code capable of circumventing Windows disk encryption protections.

The flaw, formally tracked as CVE-2026-45585, affects multiple modern versions of Windows and Windows Server and has intensified concerns across the cybersecurity community over the security of Trusted Platform Module (TPM)-only encryption deployments.

Although Microsoft has not yet released a full security patch, the company confirmed Tuesday that it is actively working to mitigate exploitation risks after researchers disclosed technical details and attack instructions online.

The vulnerability carries a CVSS severity score of 6.8 and has been classified as a “security feature bypass,” meaning attackers can circumvent built-in protections without necessarily exploiting remote code execution or privilege escalation flaws.

What Is YellowKey?

YellowKey was publicly disclosed by independent security researcher Chaotic Eclipse, who published technical findings and exploit demonstrations showing how BitLocker-encrypted systems can be accessed during the Windows Recovery Environment (WinRE) boot process.

The attack abuses a trust relationship inside the Windows recovery workflow by placing specially crafted “FsTx” files onto a USB drive or EFI partition. Once inserted into a vulnerable machine, the attacker can reboot the device into WinRE and trigger an unrestricted command shell during the recovery process.

The exploit reportedly succeeds by holding the CTRL key at a specific stage during recovery initialization, causing the system to spawn a shell with elevated privileges and unrestricted access to the encrypted volume.

In a technical write-up published online, the researcher said:

“If you did everything correctly, a shell will spawn with unrestricted access to the BitLocker protected volume.”

The vulnerability effectively undermines one of BitLocker’s core assumptions: that pre-boot recovery operations can be trusted before authentication is fully enforced.

Microsoft Confirms Public Exploit Availability

In an advisory published Tuesday, Microsoft acknowledged that exploit code for YellowKey is already publicly available, raising the likelihood of real-world abuse.

“Microsoft is aware of a security feature bypass vulnerability in Windows publicly known as ‘YellowKey,’” the company said. “The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices.”

The company stopped short of confirming active exploitation in the wild but warned that attackers with physical access to targeted systems could potentially bypass BitLocker Device Encryption protections and access sensitive data stored on encrypted drives.

The disclosure has reignited long-standing industry concerns over attacks targeting physical access scenarios, especially against laptops, enterprise endpoints, government systems, and devices lost or stolen during travel.

Systems Confirmed Vulnerable

Microsoft said the flaw affects the following operating systems:

  • Windows 11 Version 24H2 for x64-based Systems
  • Windows 11 Version 25H2 for x64-based Systems
  • Windows 11 Version 26H1 for x64-based Systems
  • Windows Server 2025
  • Windows Server 2025 Server Core installations

Organizations relying on TPM-only BitLocker authentication are particularly exposed.


Why Security Experts Are Concerned

Unlike traditional malware attacks that require phishing emails, malicious downloads, or network compromise, YellowKey operates entirely through physical access and pre-boot manipulation.

The attack is particularly dangerous because it bypasses encryption without requiring credentials or administrative access.

To break encryption, YellowKey abuses a behavioral trust assumption in the recovery interface, allowing attackers to spawn an unrestricted shell with full access to the encrypted volume during the pre-boot recovery sequence.

The exploit’s simplicity significantly increases its potential impact. Because YellowKey does not require software installation, existing credentials, or network access to break encryption, any machine that has a USB port and can be rebooted can be a target.

The vulnerability could be particularly problematic for:

  • Corporate laptops
  • Government-issued devices
  • Shared workstations
  • Border-crossing travelers
  • Data center recovery systems
  • Lost or stolen endpoints

The attack also highlights a growing class of “evil maid” attacks: scenarios in which adversaries briefly gain physical access to a device and manipulate the boot environment or firmware.

Researchers Point to Weakness in WinRE Trust Model

Security researcher Will Dormann explained that YellowKey exploits how Windows Recovery Environment automatically launches the FsTx Auto Recovery Utility, known as autofstx.exe.

According to Dormann, the mitigation recommended by Microsoft disables this automatic recovery behavior, preventing Transactional NTFS replay operations that enable the attack chain.

“Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches,” Dormann explained.

The issue appears rooted in how WinRE handles recovery scripts and transactional file operations before BitLocker authentication fully secures the volume.

Recovery environments are often overlooked in enterprise hardening programs despite being highly privileged components of the operating system.

Microsoft’s Recommended Mitigation

Until a permanent patch is released, Microsoft is advising administrators to manually modify Windows Recovery Environment configurations.

The mitigation process includes:

1. Mounting the WinRE Image

Administrators must first mount the recovery image on each affected machine.

2. Modifying the Registry Hive

The system registry hive associated with the mounted WinRE image must then be loaded manually.

3. Removing autofstx.exe

Microsoft recommends removing the autofstx.exe entry from the BootExecute registry value under Session Manager.

4. Saving and Rebuilding the Recovery Image

After the registry modification, administrators must save changes, unload the registry hive, and re-commit the modified WinRE image.

5. Re-establishing BitLocker Trust

Organizations must then reconfigure BitLocker trust relationships to ensure the modified recovery environment is recognized as secure.

The mitigation process may require careful testing before broad deployment in enterprise environments, particularly on systems using customized recovery partitions or automated provisioning workflows.
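A PowerShell rendering of steps 1 through 4 above, added here as an example and not Microsoft's own mitigation script. It assumes an elevated session on one affected machine, that the offline WinRE hive's active control set is ControlSet001, and that C:\WinREMount and the hive name WinREHive are placeholders chosen for this example.

```powershell
# Added example (not Microsoft's script): remove autofstx.exe from the WinRE
# BootExecute value. Assumptions: run as Administrator; ControlSet001 is the
# control set used by the offline WinRE hive; $MountDir and $HiveKey are placeholders.
$MountDir = 'C:\WinREMount'
$HiveKey  = 'WinREHive'

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# Step 1: mount the WinRE image registered on this machine
reagentc /mountre /path $MountDir
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed (exit $LASTEXITCODE)" }

try {
    # Step 2: load the SYSTEM hive from inside the mounted image
    $SystemHive = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
    reg load "HKLM\$HiveKey" $SystemHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE)" }

    try {
        # Step 3: drop only the autofstx.exe entry; other BootExecute entries are kept
        $SmKey  = "HKLM:\$HiveKey\ControlSet001\Control\Session Manager"
        $Before = @((Get-ItemProperty -Path $SmKey -Name BootExecute).BootExecute)
        $After  = @($Before | Where-Object { $_ -notmatch '(?i)autofstx' })
        Write-Host "BootExecute before: $($Before -join ' | ')"
        if ($After.Count -eq $Before.Count) {
            Write-Host 'No autofstx entry present; hive left unchanged.'
        } else {
            Set-ItemProperty -Path $SmKey -Name BootExecute -Value ([string[]]$After) -Type MultiString
            Write-Host "BootExecute after:  $($After -join ' | ')"
        }
    }
    finally {
        # Step 4a: release the hive handle before unloading, then unload it
        [GC]::Collect()
        reg unload "HKLM\$HiveKey" | Out-Null
    }

    # Step 4b: write the modified image back to the recovery partition
    reagentc /unmountre /path $MountDir /commit
    if ($LASTEXITCODE -ne 0) { throw "reagentc /unmountre /commit failed (exit $LASTEXITCODE)" }
}
catch {
    # On any failure discard the mounted image so a half-edited WinRE is never committed
    reagentc /unmountre /path $MountDir /discard
    throw
}
```

Step 5 is not shown because the article does not name the commands involved; check the BitLocker protector state on the first test machine after the commit before rolling the change out.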

TPM-Only Encryption Under Scrutiny

Perhaps the most significant aspect of Microsoft’s advisory is its strong recommendation that organizations abandon TPM-only BitLocker authentication.

The company urged users to migrate to TPM+PIN configurations, which require users to enter a startup PIN during boot in addition to TPM validation.

Under TPM-only mode, the Trusted Platform Module automatically unlocks the encrypted drive during startup if system integrity checks pass. While convenient, the configuration has long faced criticism from security researchers who argue it provides insufficient protection against sophisticated physical attacks.

Microsoft said organizations can enable TPM+PIN using:

  • PowerShell
  • Command-line utilities
  • Microsoft Intune
  • Group Policy
  • Control Panel administrative settings

For systems not yet encrypted, administrators are advised to enable the policy:

“Require additional authentication at startup”

They should also configure:

“Configure TPM startup PIN” → “Require startup PIN with TPM”

The recommendation reflects a broader industry shift toward layered pre-boot authentication instead of relying entirely on hardware-backed trust.
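An audit script for the TPM-only exposure described above, added as an example and not Microsoft's tooling: it lists volumes whose only TPM-bound protector is a bare TPM protector and, with the example's own -Remediate switch, adds a TPM+PIN protector in its place. It assumes an elevated session with the BitLocker PowerShell module available.

```powershell
# Added example (not Microsoft's tooling): find TPM-only BitLocker volumes and
# optionally replace the bare TPM protector with TPM+PIN.
# Assumption: run as Administrator; -Remediate is this example's own switch.
param(
    [switch]$Remediate
)

function Get-TpmOnlyVolumes {
    # "TPM-only" here means a Tpm protector with no TpmPin / TpmPinStartupKey protector
    foreach ($vol in Get-BitLockerVolume) {
        $types  = @($vol.KeyProtector.KeyProtectorType)
        $hasTpm = $types -contains 'Tpm'
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        if ($hasTpm -and -not $hasPin) {
            [pscustomobject]@{
                MountPoint   = $vol.MountPoint
                Protectors   = ($types -join ',')
                VolumeStatus = $vol.VolumeStatus
            }
        }
    }
}

$weak = @(Get-TpmOnlyVolumes)
if ($weak.Count -eq 0) {
    Write-Host 'No TPM-only BitLocker volumes found.'
    return
}
$weak | Format-Table -AutoSize

if ($Remediate) {
    # The PIN is read once as a SecureString, which is what -Pin expects
    $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
    foreach ($v in $weak) {
        # Add TPM+PIN first so the volume is never left without a TPM-bound protector
        Add-BitLockerKeyProtector -MountPoint $v.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
        $bareTpm = (Get-BitLockerVolume -MountPoint $v.MountPoint).KeyProtector |
                   Where-Object KeyProtectorType -eq 'Tpm'
        foreach ($p in $bareTpm) {
            # Remove the protector that allowed unattended unlock
            Remove-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        Write-Host "TPM+PIN protector now in place on $($v.MountPoint)"
    }
}
```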

Public Disclosure Sparks Debate Over Responsible Research

The publication of working proof-of-concept exploit code before a patch became available has sparked renewed debate over coordinated vulnerability disclosure practices.

Microsoft criticized the public release, stating the disclosure violated “coordinated vulnerability best practices.”

However, some researchers argue that public disclosure pressures vendors to move faster on mitigations and helps defenders assess real-world exposure more accurately.

The debate reflects growing tensions within the cybersecurity industry over how quickly exploit details should be released after vulnerabilities are discovered.

Broader Implications for Enterprise Security

The emergence of YellowKey underscores a broader reality facing enterprise defenders: encryption alone is not always sufficient if recovery and boot environments remain vulnerable.

Modern attacks increasingly target:

  • Firmware
  • UEFI components
  • Recovery partitions
  • Bootloaders
  • Pre-authentication workflows

As organizations continue adopting hardware-based encryption at scale, experts warn that attackers are shifting attention toward trusted boot paths and recovery mechanisms that often receive less scrutiny.

Security teams are now being urged to:

  • Audit BitLocker deployment configurations
  • Disable unnecessary recovery functionality
  • Enforce TPM+PIN policies
  • Restrict USB boot access
  • Harden BIOS/UEFI settings
  • Monitor for unauthorized WinRE modifications

For many enterprises, YellowKey may become a pivotal reminder that physical access remains one of the most dangerous threat vectors in modern cybersecurity.

Microsoft has not yet announced when a full security update addressing CVE-2026-45585 will become available.
