Microsoft posts mitigations for YellowKey BitLocker backdoor

YellowKey BitLocker – Microsoft has published mitigation steps for the Windows BitLocker zero-day flaw it calls YellowKey, now tracked as CVE-2026-45585. The vulnerability was paired with a public proof-of-concept, and the researcher behind the disclosures says the wider leak cycle
By the time Microsoft issued its advisory on Tuesday, the YellowKey vulnerability was already out of the dark. The flaw—described publicly as a backdoor—can grant access to BitLocker-protected storage on Windows, turning what’s supposed to be locked down into something attackers may be able to reach.
Microsoft says it is now tracking YellowKey under CVE-2026-45585 and has shared mitigation guidance that organizations can apply before a security update is available. “Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as ‘YellowKey’. The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices,” the company said in the Tuesday advisory. “We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available.”
The public proof-of-concept came last week from an anonymous security researcher known as “Nightmare Eclipse,” who framed the technique as a way to break through BitLocker-protected drives. In the researcher’s description, exploiting the zero-day involves placing specially crafted “FsTx” files on a USB drive or an EFI partition, then rebooting into the Windows Recovery Environment (WinRE). From there, holding down the CTRL key causes the PoC to open a shell with unrestricted access to the BitLocker-protected storage volume.
Microsoft’s mitigation focuses on cutting off that boot-time path. The company recommended removing the “autofstx.exe” entry from the Session Manager’s BootExecute REG_MULTI_SZ value. It also instructs administrators to reestablish BitLocker trust for WinRE by following the procedure detailed under “Mitigations” in the CVE-2026-33825 advisory.
Will Dormann, principal vulnerability analyst at Tharros, explained what the change is meant to stop: “Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches. With this change, the Transactional NTFS replaying that deletes winpeshl.ini no longer happens.”
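The BootExecute edit above has to be made inside the WinRE image, not in the running system’s registry, since WinRE boots from its own SYSTEM hive. The following PowerShell is an added example written for this page, not Microsoft’s published script: it mounts the WinRE image, loads its offline SYSTEM hive, strips any autofstx.exe entry from BootExecute, and commits the change. The image path, the mount directory and the hive location (ControlSet001\Control\Session Manager) are assumptions that should be checked against `reagentc /info` and the CVE-2026-45585 advisory before use.

```powershell
# Added example (not from Microsoft's advisory): remove the autofstx.exe entry from
# BootExecute inside the offline WinRE image. Run from an elevated PowerShell session.
# ASSUMPTIONS: WinRE image path, mount directory, and the hive key path below.
$ErrorActionPreference = 'Stop'

$WinReWim = 'C:\Windows\System32\Recovery\Winre.wim'   # assumption: confirm with `reagentc /info`
$MountDir = 'C:\WinREMount'
$HiveName = 'WinRE_SYSTEM'                             # temporary name for the loaded offline hive
$KeyPath  = "HKLM:\$HiveName\ControlSet001\Control\Session Manager"   # assumption: image uses ControlSet001

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null

$commit = $false
try {
    # Load the image's SYSTEM hive under a temporary key so it can be edited offline.
    reg.exe load "HKLM\$HiveName" "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
    try {
        $before = @((Get-ItemProperty -Path $KeyPath -Name BootExecute).BootExecute)
        Write-Host "BootExecute before: $($before -join ' | ')"

        # Drop only the entries that launch autofstx.exe; leave autocheck and anything else intact.
        $after = @($before | Where-Object { $_ -notmatch '(?i)\bautofstx(\.exe)?\b' })

        if ($after.Count -eq $before.Count) {
            Write-Host 'No autofstx.exe entry present; image left unchanged.'
        } else {
            Set-ItemProperty -Path $KeyPath -Name BootExecute -Value $after -Type MultiString
            Write-Host "BootExecute after:  $($after -join ' | ')"
            $commit = $true
        }
    } finally {
        [GC]::Collect()                                  # release registry handles before unloading
        reg.exe unload "HKLM\$HiveName" | Out-Null
    }
} finally {
    # Save the image only if we actually changed it; otherwise discard the mount.
    if ($commit) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else         { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

Saving a modified Winre.wim changes the WinRE measurement that BitLocker relies on, so after this step the image will not be trusted until the trust re-establishment procedure Microsoft points to in the CVE-2026-33825 advisory has been carried out; the block above deliberately does not attempt that part. On systems where WinRE lives on the recovery partition rather than under System32\Recovery, substitute the path that `reagentc /info` reports.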
Microsoft also offered steps meant to tighten BitLocker behavior around pre-boot authentication. For devices that are already encrypted, it advised switching BitLocker from “TPM-only” mode to “TPM+PIN” mode using PowerShell, the command line, or the Control Panel. That setup requires a pre-boot PIN before the drive is unlocked at startup and is intended to block YellowKey attacks. The reason it helps is that in TPM-only mode the TPM releases the volume key automatically once the measured boot chain, WinRE included, matches what it expects, so anything that can run inside a trusted WinRE already sees the unlocked volume; with a PIN the key stays sealed until a person supplies it.
For devices not yet encrypted, Microsoft said admins can enable the “Require additional authentication at startup” option via Microsoft Intune or Group Policies, ensuring that “Configure TPM startup PIN” is set to “Require startup PIN with TPM.”
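The two recommendations above (the policy for not-yet-encrypted devices and the protector change for encrypted ones) can be applied together from PowerShell. The block below is an added example written for this page, not Microsoft’s guidance verbatim. The BitLocker cmdlets it uses (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`) are the standard ones; the registry-backed equivalents of the “Require additional authentication at startup” policy (the `FVE` value names and their 0 = do not allow / 1 = require / 2 = allow encoding) are stated as I recall them from the BitLocker ADMX and should be treated as an assumption, with Intune or Group Policy preferred in managed fleets.

```powershell
# Added example (not Microsoft's published script): enforce "Require startup PIN with TPM"
# and move an already-encrypted OS volume from a TPM-only protector to TPM+PIN.
# ASSUMPTION: FVE policy value names and their 0/1/2 encoding (do not allow / require / allow).
$ErrorActionPreference = 'Stop'
$OsDrive = $env:SystemDrive                                   # normally "C:"

# 1. Policy: "Require additional authentication at startup", sub-option "Require startup PIN with TPM".
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $FvePolicy -Force | Out-Null
Set-ItemProperty -Path $FvePolicy -Name UseAdvancedStartup -Value 1 -Type DWord   # enable the policy
Set-ItemProperty -Path $FvePolicy -Name UseTPMPIN          -Value 1 -Type DWord   # TPM+PIN: require
Set-ItemProperty -Path $FvePolicy -Name UseTPM             -Value 0 -Type DWord   # TPM only: do not allow
Set-ItemProperty -Path $FvePolicy -Name UseTPMKey          -Value 0 -Type DWord   # TPM+startup key: do not allow
Set-ItemProperty -Path $FvePolicy -Name UseTPMKeyPIN       -Value 0 -Type DWord   # TPM+key+PIN: do not allow
Set-ItemProperty -Path $FvePolicy -Name EnableBDEWithNoTPM -Value 0 -Type DWord   # no TPM-less fallback

# 2. Already-encrypted volume: add a TPM+PIN protector first, then remove the bare TPM protector,
#    so there is never a moment with no protector on the volume.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "$OsDrive is not fully encrypted (status: $($vol.VolumeStatus)); enable BitLocker under the policy above instead."
}

$types   = @($vol.KeyProtector.KeyProtectorType)
$tpmOnly = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })

if ($types -contains 'TpmPin') {
    Write-Host "$OsDrive already has a TPM+PIN protector; nothing to change."
} elseif ($tpmOnly.Count -gt 0) {
    $pin = Read-Host -AsSecureString -Prompt 'Enter the new startup PIN (policy minimum length applies)'
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Write-Host "Replaced TPM-only protector with TPM+PIN on $OsDrive."
} else {
    Write-Host "$OsDrive has neither a TPM nor a TPM+PIN protector; review its protectors manually."
}

# 3. Keep a recovery password on the volume so a forgotten PIN does not become a lockout.
if (-not ($types -contains 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    Write-Host 'Added a recovery password protector; escrow it (AD/Entra ID/Intune) before rebooting.'
}

(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
```

The order in step 2 matters: adding TPM+PIN before removing the TPM-only protector means the volume is always unlockable, and the recovery password check in step 3 is what saves you if the PIN is mistyped at the next boot. Test on one machine and reboot it before pushing the policy fleet-wide, since the PIN prompt appears before Windows starts and cannot be remediated remotely.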
The YellowKey mitigation arrives amid a broader wave of zero-day disclosures tied to the same researcher. Last month, Nightmare Eclipse disclosed the BlueHammer (CVE-2026-33825) and RedSun (no identifier) local privilege escalation (LPE) zero-day flaws, both of which are now being exploited in attacks. The researcher also leaked GreenPlasma, a zero-day privilege-escalation issue that attackers can abuse to obtain a SYSTEM shell, and UnDefend, another zero-day that attackers with standard user permissions can exploit to block Microsoft Defender definition updates.
What kicked off the sequence, however, remains unclear. Nightmare Eclipse said the disclosures are in protest of how Microsoft’s Security Response Center (MSRC) handled the disclosure process for other security flaws they had reported in the past.
With the YellowKey proof-of-concept public and Microsoft now urging mitigations tied to CVE-2026-45585, the message for defenders is simple: lock down the boot-time behavior first, then ensure BitLocker requires a pre-boot PIN where possible—before a full patch arrives.