
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585

In a nutshell: Microsoft has patched a security vulnerability (CVE-2026-45585) that allowed attackers with physical access to bypass BitLocker encryption. Removing the "autofstx.exe" file and switching to TPM+PIN authentication can minimize the risk.

Microsoft published a security advisory on Tuesday addressing a BitLocker bypass vulnerability named YellowKey, which was publicly disclosed by security researcher Chaotic Eclipse. The zero-day vulnerability designated CVE-2026-45585 has a CVSS score of 6.8 and allows attackers with physical access to circumvent the encryption.

The vulnerability affects multiple Windows versions, including Windows 11 versions 26H1, 24H2, and 25H2 for x64 systems as well as Windows Server 2025. The YellowKey exploit specifically uses specially crafted "FsTx" files on a USB drive or EFI partition. An attacker with physical access can connect the USB drive to a BitLocker-protected computer, boot into the Windows Recovery Environment (WinRE), and, by holding the CTRL key, trigger a shell with unrestricted access to the BitLocker-protected volume.

Microsoft has recommended several mitigation measures. The WinRE image must be deployed on each device, the system registry hive of the deployed WinRE image must be edited, and the "autofstx.exe" entry must be removed from the BootExecute value; this prevents the FsTx Auto Recovery Utility from starting automatically. Alternatively, administrators can switch BitLocker devices from "TPM-only" to "TPM+PIN" mode, which requires entering a PIN when shutting down. On devices without encryption, it is recommended to enable "Additional authentication at startup required" via Microsoft Intune or Group Policy and to ensure that "Configure TPM Startup PIN" is set to "Startup PIN with TPM required".
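The following PowerShell script is an added example, not Microsoft's own mitigation script: it mounts a WinRE image, loads its SYSTEM hive, reports whether "autofstx.exe" is still listed in BootExecute, removes it when run with -Remediate, and then checks whether the OS volume already has a TPM+PIN protector. It assumes the image path (verify with `reagentc /info`), that the hive sits at Windows\System32\config\SYSTEM inside the image, and that BootExecute lives under ControlSet001\Control\Session Manager in the offline hive; the edited image still has to be re-deployed as the advisory describes.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's script). Audit and optionally fix BootExecute in a WinRE image.
param(
    [string]$WinReWim = 'C:\Windows\System32\Recovery\winre.wim',  # assumed path; confirm with reagentc /info
    [string]$MountDir = 'C:\WinREMount',                          # scratch mount directory (assumption)
    [switch]$Remediate                                            # without it the script only reports
)

# Pure filter, kept separate so the logic can be reviewed on its own: drop every
# BootExecute entry that launches autofstx.exe and keep the rest (e.g. autocheck) intact.
function Remove-AutoFsTxEntry {
    param([string[]]$BootExecute)
    return @($BootExecute | Where-Object { $_ -notmatch 'autofstx' })
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
$hiveName = 'HKLM\WinRE'                                          # temporary name for the offline hive
& reg.exe load $hiveName (Join-Path $MountDir 'Windows\System32\config\SYSTEM') | Out-Null
$changed = $false
try {
    $smKey   = 'HKLM:\WinRE\ControlSet001\Control\Session Manager'   # assumed location in the offline hive
    $current = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
    $wanted  = Remove-AutoFsTxEntry -BootExecute $current
    if ($current.Count -eq $wanted.Count) {
        Write-Host "OK: no autofstx.exe entry in BootExecute ($($current -join ' | '))"
    } elseif ($Remediate) {
        Set-ItemProperty -Path $smKey -Name BootExecute -Value $wanted -Type MultiString
        $changed = $true
        Write-Host "Fixed: BootExecute is now ($($wanted -join ' | '))"
    } else {
        Write-Warning "autofstx.exe is listed in BootExecute ($($current -join ' | ')); rerun with -Remediate"
    }
}
finally {
    [gc]::Collect()                                               # release hive handles before unloading
    & reg.exe unload $hiveName | Out-Null
    if ($changed) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else          { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}

# Second check from the advisory: does the OS volume already use a TPM+PIN protector?
$types = @((Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.KeyProtectorType)
if ($types -contains 'TpmPin') { Write-Host 'OK: OS volume uses TPM+PIN' }
else { Write-Warning "OS volume protectors: $($types -join ', ') (no TPM+PIN protector)" }
```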
