Microsoft Releases Mitigations for YellowKey Windows Security Vulnerability

In brief: Microsoft has published security measures against the YellowKey vulnerability (CVE-2026-45585) that endangers BitLocker-protected hard drives. Recommended solutions include disabling autofstx.exe and switching to TPM+PIN encryption.

Microsoft has released protective measures against YellowKey, a recently disclosed vulnerability in Windows BitLocker that enables unauthorized access to protected hard drives. The flaw was revealed by an anonymous security researcher known as “Nightmare Eclipse”.

The security researcher “Nightmare Eclipse” disclosed the vulnerability last week along with a proof-of-concept exploit. YellowKey exploitation occurs by placing specially crafted “FsTx” files on a USB drive or EFI partition, rebooting into WinRE, and triggering a shell with unrestricted access to the BitLocker-protected storage volume by pressing the CTRL key.

The researcher had previously also disclosed the zero-day vulnerabilities BlueHammer (CVE-2026-33825) and RedSun, which are already being exploited by attackers. Additional leaked vulnerabilities include GreenPlasma, a privilege escalation vulnerability, and UnDefend, which allows attackers with standard user rights to block Microsoft Defender definition updates.

Microsoft is now tracking YellowKey under CVE-2026-45585 and has recommended mitigation measures. To prevent attacks, users should remove the autofstx.exe entry from the Session Manager’s BootExecute registry value and restore BitLocker trust for WinRE. Alternatively, switching BitLocker on already encrypted devices from “TPM only” to “TPM+PIN”, which requires PIN entry during startup, is recommended.
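The following PowerShell script is an added example, not code from the article or from Microsoft: it audits a host for the two mitigations described above (an autofstx.exe entry in BootExecute, and an OS volume still protected by “TPM only”) and applies them when run with -Apply from an elevated session. The BootExecute value and the BitLocker cmdlets are standard Windows; the policy value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are my assumption and should be checked against your environment, and the “restore BitLocker trust for WinRE” step is not covered here.

```powershell
param(
    [switch]$Apply,               # without -Apply the script only reports
    [string]$MountPoint = 'C:'    # OS volume to check for TPM+PIN
)

$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. BootExecute is a REG_MULTI_SZ; find any entry that launches autofstx.exe.
$boot = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
$bad  = @($boot | Where-Object { $_ -match 'autofstx\.exe' })
if ($bad.Count -gt 0) {
    Write-Warning "BootExecute contains: $($bad -join ' | ')"
    if ($Apply) {
        # Keep every other entry (e.g. autocheck) and write the list back.
        $clean = @($boot | Where-Object { $_ -notmatch 'autofstx\.exe' })
        Set-ItemProperty -Path $smKey -Name BootExecute -Value $clean -Type MultiString
        Write-Host 'Removed autofstx.exe from BootExecute.'
    }
} else {
    Write-Host 'BootExecute: no autofstx.exe entry found.'
}

# 2. "TPM only" shows up as a Tpm key protector with no TpmPin protector.
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
if ($types -contains 'TpmPin') {
    Write-Host "$MountPoint already requires TPM+PIN at startup."
} elseif ($types -contains 'Tpm') {
    Write-Warning "$MountPoint is TPM-only; no pre-boot PIN is required."
    if ($Apply) {
        # Assumed policy backing for "Require additional authentication at startup";
        # BitLocker refuses a PIN protector unless policy allows it (2 = require).
        $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
        New-Item -Path $fve -Force | Out-Null
        Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 2 -Type DWord
        $pin = Read-Host -AsSecureString 'Enter the new pre-boot PIN'
        # A volume keeps one TPM-based protector, so TpmPin replaces the Tpm-only one.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
        Write-Host "$MountPoint now requires TPM+PIN at startup."
    }
} else {
    Write-Host "$MountPoint has no TPM-based protector (status: $($vol.ProtectionStatus))."
}
```

Run it once without -Apply to see what would change, then reboot after applying so the BootExecute change and the new protector take effect.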
