[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6hj5S5uuZYh_HI-dxawQqBJHKqSCvi4DMU4GkClrKac":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"4f82b645-bb0c-47dc-8f5e-a86d3f5d2121","Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit","microsoft-releases-mitigation-for-yellowkey-bitlocker-bypass-cve-2026-45585-expl-b76eae","Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass. \"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey,'\" the","Microsoft has released a mitigation for CVE-2026-45585, a BitLocker security feature bypass vulnerability dubbed YellowKey that allows attackers with physical access to decrypt BitLocker-protected volumes using specially crafted files on a USB drive. The zero-day, disclosed by security researcher Chaotic Eclipse, affects multiple Windows 11 and Windows Server 2025 versions and requires only brief physical access and native Windows functionality. Microsoft recommends removing autofstx.exe from WinRE's BootExecute registry value or switching BitLocker protectors from TPM-only to TPM+PIN mode.","Microsoft releases mitigation for YellowKey BitLocker bypass CVE-2026-45585 after public disclosure.","Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit. Ravie Lakshmanan, May 20, 2026. Vulnerability \u002F Encryption. Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. 
The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass. \"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey,'\" the tech giant said in an advisory. \"The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices.\" The issue impacts Windows 11 version 26H1 for x64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 11 Version 25H2 for x64-based Systems, Windows Server 2025, and Windows Server 2025 (Server Core installation). YellowKey was disclosed by a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse). It essentially involves placing specially crafted 'FsTx' files on a USB drive or EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into the Windows Recovery Environment (WinRE), and triggering a shell with unrestricted access by holding down the CTRL key. \"If you did everything properly, a shell will spawn with unrestricted access to the BitLocker protected volume,\" the researcher noted in a GitHub post. Redmond noted that successful exploitation could permit an attacker with physical access to sidestep the BitLocker Device Encryption feature on the system storage device and gain access to encrypted data. \"To break encryption, YellowKey abuses a behavioral trust assumption in the recovery interface, allowing attackers to spawn an unrestricted shell with full access to the encrypted volume during the pre-boot recovery sequence,\" LevelBlue said. \"And because YellowKey doesn't require software installation, existing credentials, or network access to break encryption, any machine that has a USB port and can be rebooted can be a target.\" To address the risk, the following mitigations have been outlined: Mount the WinRE image on each device. 
Mount the system registry hive of the mounted WinRE image. Modify BootExecute by removing the \"autofstx.exe\" value from Session Manager's BootExecute REG_MULTI_SZ value. Save and unload the registry hive. Unmount and commit the updated WinRE image. Reestablish BitLocker trust for WinRE. \"Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches,\" security researcher Will Dormann said. \"With this change, the Transactional NTFS replaying that deletes winpeshl.ini no longer happens. It also recommends switching from TPM-only to TPM+PIN.\" Microsoft also emphasized that users can be safeguarded against exploitation by configuring BitLocker on already encrypted devices with a \"TPM-only\" protector by switching to \"TPM+PIN\" mode via PowerShell, the command line, or the control panel. This will require a PIN to decrypt the drive at startup, effectively blocking YellowKey attacks. On devices that are not encrypted, administrators are advised to enable the \"Require additional authentication at startup\" option via Microsoft Intune or Group Policies and ensure that \"Configure TPM startup PIN\" is set to \"Require startup PIN with TPM.\" Update: In a new analysis published on May 22, 2026, LevelBlue said YellowKey eliminates the need for specialized tooling and operates entirely through native Windows functionality. \"It requires only brief physical access and does not introduce persistent hardware artifacts,\" it said. 
\"As a result, it becomes viable across a wider range of real-world scenarios, including device theft, border inspections, insider access, and supply chain exposure.\" It further noted that YellowKey reinforces how initial access to a decrypted volume can be expanded to a full-blown system control through a SYSTEM-level command shell, adding the WinRE component, \"autofstx.exe,\" plays a crucial role in the exploit, as it's executed via the BootExecute registry value within the WinRE environment. \"This behavior enables cross-volume TxF transaction replay in a high-privilege early boot context, forming the core mechanism behind the YellowKey exploit,\" LevelBlue said.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fmicrosoft-releases-mitigation-for.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEh8DmW5nAG63-9iR2RmnP7i3GVJ9EBtLznscnnjROZ-DWRALYo0zsPNjUm2J6khkqSDJiX5Gmwb8sxPh4jHRcsJWFhKSdxZzz4D2f5bOahbfcnmQrUdvhyphenhyphenNVrE-LFMUhhf6rvSyxG2CoVhEFxbZSpEc0y52PM-qxwn02cDP3K3hEzf1nqcRNZEG1wOTjAiQ\u002Fs1600\u002Fbitlocker-exploit.png","2026-05-20T08:28:26+00:00","2026-05-20T10:00:18.60975+00:00",9,[18,21,24,26,28,31],{"name":19,"type":20},"Microsoft","vendor",{"name":22,"type":23},"BitLocker","product",{"name":25,"type":23},"Windows 11",{"name":27,"type":23},"Windows Server 2025",{"name":29,"type":30},"Chaotic Eclipse","threat_actor",{"name":32,"type":33},"YellowKey","campaign","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":34,"icon":36,"name":37,"slug":38},null,"Vulnerabilities","vulnerabilities",[40,45,50],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"0493c7e9-989a-4692-b4e6-136f5ec09675","Cryptography","cryptography",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",[56,60],{"type":57,"value":58,"context":59},"cve","CVE-2026-45585","BitLocker security feature bypass vulnerability (YellowKey)",{"type":61,"value":62,"context":63},"malware","autofstx.exe","FsTx Auto Recovery Utility abused in 
YellowKey exploit chain"]