Microsoft has released mitigation guidance for a BitLocker bypass vulnerability known as YellowKey. The flaw, tracked as CVE-2026-45585, allows attackers to disable encryption protections on affected Windows systems. Exploit researcher Nightmare-Eclipse published a proof of concept before coordinated disclosure.
Administrators advised to disable autofstx.exe in WinRE image and remove BootExecute entry.
The attack works by deleting the winpeshl.ini file via Transactional NTFS. This action causes the Windows Recovery Environment (WinRE) to spawn an unrestricted command shell during boot. The vulnerability carries a CVSS score of 6.8 and requires physical access to execute successfully.
Microsoft advises administrators to disable autofstx.exe in the WinRE image. IT teams must also remove its entry from the BootExecute registry value to block the exploit path. The company recommends moving high-risk devices from TPM-only BitLocker configurations to TPM+PIN mode for stronger protection.
Affected systems include Windows 11 versions 24H2, 25H2, and 26H1 on x64 architectures. Windows Server 2025 and Windows Server 2025 Server Core also face the risk. Public technical analyses flag Windows Server 2022 as potentially vulnerable under specific deployment conditions via the same WinRE recovery path flaw, though Microsoft has not yet addressed it formally in its advisory.
Windows 10 remains unaffected due to differences in its WinRE configuration. Security Week and The Hacker News reported on the mitigation steps and affected operating system versions.



Discussion
0 comments
Log in to join the thread with a thoughtful take, question, or correction.