Microsoft Releases YellowKey BitLocker Bypass Mitigation Without Patch Available
- May 20
- 2 min read
Key Findings
Microsoft released mitigations for YellowKey BitLocker bypass vulnerability but no patch yet
CVE-2026-45585 affects Windows 11 versions 24H2, 25H2, 26H1 and Windows Server 2025 on x64 systems
Exploit requires physical access to machine and specially crafted FsTx files
Mitigation involves disabling autofstx.exe in WinRE and switching to TPM+PIN authentication
Chaotic Eclipse publicly released working exploit code, violating coordinated disclosure practices
Background
A week after Chaotic Eclipse publicly disclosed the YellowKey vulnerability, Microsoft acknowledged the flaw and published a response. However, the company released mitigations rather than a patch, an important distinction. The vulnerability is tracked as CVE-2026-45585 with a CVSS score of 6.8, reflecting that successful exploitation requires physical access to the target machine. This is the fifth Windows vulnerability Chaotic Eclipse has disclosed in rapid succession, following GreenPlasma, BlueHammer, RedSun, UnDefend, and MiniPlasma.
How the Attack Works
The attack is straightforward but requires hands-on access. An attacker places specially crafted FsTx files on a USB drive or directly in the EFI partition, then plugs the drive into the target machine and reboots into the Windows Recovery Environment. By holding down CTRL during startup, if done correctly, a shell spawns with unrestricted access to the BitLocker-protected volume. No brute force, no encryption keys needed - just the right files in the right place.
The Root Cause
The vulnerability stems from a component called the FsTx Auto Recovery Utility, autofstx.exe, which exists only inside the WinRE image. When the recovery environment launches, this utility automatically runs and triggers a Transactional NTFS replay that deletes winpeshl.ini. This deletion is what opens the door to the unrestricted shell access.
Microsoft's Manual Mitigation Process
Since no patch exists yet, Microsoft outlined a multi-step manual mitigation. Administrators must mount the WinRE image on each affected device, load the system registry hive from that image, and modify the BootExecute value under Session Manager to remove the autofstx.exe entry. After saving and unloading the registry hive, the WinRE image must be unmounted and committed, followed by re-establishing BitLocker trust for WinRE. This prevents the vulnerable utility from automatically starting when recovery environment launches.
Switching to TPM+PIN Authentication
The second and arguably more impactful recommendation is moving from TPM-only to TPM+PIN. TPM-only BitLocker automatically decrypts the drive at startup without user input, allowing anyone who can reboot the machine to attempt attacks like YellowKey. Adding a PIN requirement means the drive will not decrypt without correct input at startup, directly blocking the attack path.
For devices already encrypted with TPM-only protection, administrators can switch to TPM+PIN through PowerShell, command line, or control panel. For devices not yet encrypted, Microsoft recommends enabling the "Require additional authentication at startup" policy via Microsoft Intune or Group Policies and setting "Configure TPM startup PIN" to require a startup PIN with TPM.
Real-World Implications
While YellowKey requires physical access and has received a lower CVSS score because of this, it remains serious. Laptops get stolen, devices get left unattended, and in targeted scenarios physical access is exactly what adversaries possess. BitLocker exists specifically to protect data in those situations. A reliable bypass against a fully patched system undermines the entire purpose of the protection and represents a meaningful security gap.
Sources
https://securityaffairs.com/192449/hacking/microsoft-issues-yellowkey-mitigation-no-patch-yet.html
https://thehackernews.com/2026/05/microsoft-releases-mitigation-for.html
https://www.securityweek.com/microsoft-rolls-out-mitigations-for-yellowkey-bitlocker-bypass/amp

Comments