Endpoint Security

Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass

The exploitation is mitigated by preventing the FsTx Auto Recovery Utility from starting when the WinRE image launches.

Microsoft vulnerability

Microsoft on Tuesday rolled out mitigations for YellowKey, a recently disclosed zero-day vulnerability leading to BitLocker bypass.

The issue, now tracked as CVE-2026-45585 (CVSS score of 6.8), can be triggered by an attacker with physical access to a system by using a USB drive containing the publicly released YellowKey exploit code and rebooting the system into recovery mode.

Instead of serving the attacker the typical Windows Recovery Environment (WinRE), the exploit spawns a shell, offering access to the underlying partition’s contents, no longer protected by BitLocker’s encryption.

Microsoft’s advisory acknowledges the public exploit and its effects: “A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.”

In its advisory, the tech giant guides defenders through a multi-stage process that involves mounting the WinRe image on each device, mounting the system registry hive of the image, removing autofstx.exe from the mounted hive, mounting the updated image, and reestablishing BitLocker trust for WinRe.

The company also recommends adding a PIN to BitLocker. However, Chaotic Eclipse, the disgruntled researcher who dropped the exploit and several other Windows zero-days, claims that YellowKey also works on systems where TPM (Trusted Platform Module) protection has been supplemented by a PIN.

Advertisement. Scroll to continue reading.

The mitigations rolled out by Microsoft, Tharros Labs senior principal vulnerability analyst Will Dormann says, effectively prevent the FsTx Auto Recovery utility (autofstx.exe) from automatically running during the WinRE image’s initiation.

The underlying vulnerability, Dormann explained last week, involves triggering FsTx from a USB drive when entering Windows Recovery to delete the winpeshl.ini file, which essentially controls WinRE’s behavior.

The YellowKey exploit contains an FsTx directory that, when placed on a USB drive, relies on Transactional NTFS replay to delete the winpeshl.ini file in the System32 folder, resulting in the attacker being served a command prompt window with BitLocker unlocked, instead of the typical recovery mode.

“While the TPM-only Bitlocker bypass is indeed interesting, I think the buried lede here is that a \System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed. To me, this in and of itself sounds like a vulnerability,” Dormann said.

Related: Researcher Drops MiniPlasma Windows Exploit for Unpatched 2020 CVE

Related: Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’

Related: Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild

Related: Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises

Related Content

Endpoint Security

The PoC exploits Microsoft Defender’s offline scan to spawn a SYSTEM shell when rebooting in Recovery Mode.

Vulnerabilities

Exploiting a race condition in Microsoft Defender, the exploit leads to local privilege escalation to SYSTEM.

Endpoint Security

Attackers are increasingly abusing Microsoft’s decades-old MSHTA utility to stealthily deliver stealers, loaders, and persistent malware through phishing, fake software downloads, and LOLBIN-based attack...

Vulnerabilities

The researcher dropped the MiniPlasma exploit that uses the original proof-of-concept (PoC) code targeting the bug.

Vulnerabilities

YellowKey is a BitLocker bypass that requires physical access. GreenPlasma enables elevation of privileges to System.

Vulnerabilities

Fresh security updates resolve critical flaws in Azure, Windows, Dynamics 365, and the SSO Plugin for Jira & Confluence.

Vulnerabilities

A fake RPC server can be used to listen for RPC requests and impersonate the target service to elevate privileges to System.

Vulnerabilities

The initial vulnerability was exploited by Russia-linked APT28 in attacks against Ukraine and EU countries.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version