top of page

Microsoft Releases YellowKey BitLocker Bypass Mitigation Without Patch Available

  • May 20
  • 2 min read

Key Findings


  • Microsoft released mitigations for YellowKey BitLocker bypass vulnerability but no patch yet

  • CVE-2026-45585 affects Windows 11 versions 24H2, 25H2, 26H1 and Windows Server 2025 on x64 systems

  • Exploit requires physical access to machine and specially crafted FsTx files

  • Mitigation involves disabling autofstx.exe in WinRE and switching to TPM+PIN authentication

  • Chaotic Eclipse publicly released working exploit code, violating coordinated disclosure practices


Background


A week after Chaotic Eclipse publicly disclosed the YellowKey vulnerability, Microsoft acknowledged the flaw and published a response. However, the company released mitigations rather than a patch, an important distinction. The vulnerability is tracked as CVE-2026-45585 with a CVSS score of 6.8, reflecting that successful exploitation requires physical access to the target machine. This is the fifth Windows vulnerability Chaotic Eclipse has disclosed in rapid succession, following GreenPlasma, BlueHammer, RedSun, UnDefend, and MiniPlasma.


How the Attack Works


The attack is straightforward but requires hands-on access. An attacker places specially crafted FsTx files on a USB drive or directly in the EFI partition, then plugs the drive into the target machine and reboots into the Windows Recovery Environment. By holding down CTRL during startup, if done correctly, a shell spawns with unrestricted access to the BitLocker-protected volume. No brute force, no encryption keys needed - just the right files in the right place.


The Root Cause


The vulnerability stems from a component called the FsTx Auto Recovery Utility, autofstx.exe, which exists only inside the WinRE image. When the recovery environment launches, this utility automatically runs and triggers a Transactional NTFS replay that deletes winpeshl.ini. This deletion is what opens the door to the unrestricted shell access.


Microsoft's Manual Mitigation Process


Since no patch exists yet, Microsoft outlined a multi-step manual mitigation. Administrators must mount the WinRE image on each affected device, load the system registry hive from that image, and modify the BootExecute value under Session Manager to remove the autofstx.exe entry. After saving and unloading the registry hive, the WinRE image must be unmounted and committed, followed by re-establishing BitLocker trust for WinRE. This prevents the vulnerable utility from automatically starting when recovery environment launches.


Switching to TPM+PIN Authentication


The second and arguably more impactful recommendation is moving from TPM-only to TPM+PIN. TPM-only BitLocker automatically decrypts the drive at startup without user input, allowing anyone who can reboot the machine to attempt attacks like YellowKey. Adding a PIN requirement means the drive will not decrypt without correct input at startup, directly blocking the attack path.


For devices already encrypted with TPM-only protection, administrators can switch to TPM+PIN through PowerShell, command line, or control panel. For devices not yet encrypted, Microsoft recommends enabling the "Require additional authentication at startup" policy via Microsoft Intune or Group Policies and setting "Configure TPM startup PIN" to require a startup PIN with TPM.


Real-World Implications


While YellowKey requires physical access and has received a lower CVSS score because of this, it remains serious. Laptops get stolen, devices get left unattended, and in targeted scenarios physical access is exactly what adversaries possess. BitLocker exists specifically to protect data in those situations. A reliable bypass against a fully patched system undermines the entire purpose of the protection and represents a meaningful security gap.


Sources


  • https://securityaffairs.com/192449/hacking/microsoft-issues-yellowkey-mitigation-no-patch-yet.html

  • https://thehackernews.com/2026/05/microsoft-releases-mitigation-for.html

  • https://www.securityweek.com/microsoft-rolls-out-mitigations-for-yellowkey-bitlocker-bypass/amp

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page