Mallory
Medium | 1 public exploit

YellowKey BitLocker WinRE Security Feature Bypass

CVE-2026-45585, publicly referred to as YellowKey, is a Windows BitLocker security feature bypass affecting BitLocker-protected systems that rely on the Windows Recovery Environment (WinRE). Based on the available reporting, the issue is rooted in WinRE behavior involving the FsTx Auto Recovery Utility (autofstx.exe), which automatically replays crafted NTFS transactional recovery data during a recovery boot. An attacker with physical access can stage specially crafted FsTx files on removable media or in the EFI partition, boot or force the target into WinRE, and trigger a replay that deletes winpeshl.ini. WinRE then launches an unrestricted command shell instead of the normal restricted recovery interface. On TPM-only BitLocker configurations the protected volume has already been transparently unlocked by the TPM at that stage, so the attacker can interact with the decrypted system volume from the WinRE shell. Reporting indicates the affected platforms include Windows 11 24H2, 25H2, and 26H1 on x64 systems and Windows Server 2025, with some sources also referencing Windows Server 2022.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. For analysts and engineers who need to decide and keep moving.

Impact

What an attacker gets — and what they’ve been doing with it.

Successful exploitation allows an attacker with physical access to bypass BitLocker's intended protection of data at rest and gain access to data on the encrypted system volume without obtaining the user's BitLocker recovery key, password, or directly compromising the TPM. The practical impact is unauthorized offline access to sensitive files and system data from an unrestricted WinRE shell, undermining device theft and lost-device protections on TPM-only deployments. Because the attack occurs in WinRE before the normal operating system environment is active, conventional endpoint controls may have limited visibility or ability to prevent the bypass.

Mitigation

If you can’t patch tonight, do this now.

The provided content identifies two primary mitigations. First, modify or disable the vulnerable WinRE functionality by removing the automatic launch of autofstx.exe from the WinRE image; some reporting also notes that disabling WinRE entirely removes the published attack path, though this also disables recovery features. Second, move BitLocker deployments from TPM-only to TPM+PIN, which the content describes as the strongest currently available mitigation against the public YellowKey technique because the volume will not auto-unlock without user-supplied PIN input. Additional defensive measures mentioned in the content include strengthening physical security for devices and monitoring for suspicious System Volume Information\FsTx artifacts on removable media or EFI partitions.
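The monitoring step above is the one a defender can act on immediately. The following PowerShell check is an added example, not code from the Mallory page or from Microsoft: it looks for the System Volume Information\FsTx directory named in the reporting on every removable volume that currently has a drive letter and on any extra root the caller passes in (for example an EFI system partition mounted with mountvol S: /s), and emits triage facts (file list, sizes, last write time, SHA-256 per file) for each hit. The directory name comes from the reporting; the removable-volume selection (DriveType 2), the function name and the parameter name are assumptions. It only reports; deciding whether a hit is benign is left to the analyst.

```powershell
# Added example (not from the Mallory page or Microsoft): report FsTx staging
# artifacts on removable media and, optionally, on a mounted EFI partition.
# Assumptions: directory 'System Volume Information\FsTx' as named in the
# reporting; removable volumes are Win32_LogicalDisk DriveType 2; the EFI
# partition is mounted by the caller (mountvol S: /s) and passed via -ExtraRoot.
# Run from an elevated prompt: 'System Volume Information' is ACL-restricted.

function Get-FsTxArtifact {
    [CmdletBinding()]
    param(
        # Additional roots to inspect, e.g. 'S:\' for a mounted EFI system partition
        [string[]] $ExtraRoot = @()
    )

    # Removable volumes that currently have a drive letter
    $roots = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { "$($_.DeviceID)\" })
    $roots += $ExtraRoot

    foreach ($root in $roots) {
        $fstx = Join-Path -Path $root -ChildPath 'System Volume Information\FsTx'
        if (-not (Test-Path -LiteralPath $fstx -PathType Container)) { continue }

        # Triage facts for each hit: file list, total size, newest write, per-file SHA-256
        $files  = @(Get-ChildItem -LiteralPath $fstx -Recurse -Force -File -ErrorAction SilentlyContinue)
        $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $newestWrite = $null
        if ($newest) { $newestWrite = $newest.LastWriteTime }

        [pscustomobject]@{
            Volume      = $root
            Path        = $fstx
            FileCount   = $files.Count
            TotalBytes  = ($files | Measure-Object -Property Length -Sum).Sum
            NewestWrite = $newestWrite
            Files       = @($files | ForEach-Object {
                [pscustomobject]@{
                    Name   = $_.FullName.Substring($fstx.Length).TrimStart('\')
                    Length = $_.Length
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            })
        }
    }
}

# Constructed invocation: scan removable drives plus the EFI partition mounted at S:
# mountvol S: /s
# Get-FsTxArtifact -ExtraRoot 'S:\' | Format-List
# mountvol S: /d
```

The output objects are meant to be forwarded to whatever log pipeline the organization already uses; the SHA-256 values let a hit be compared across devices, which matters because the attack stages its files on media that moves between machines rather than on the protected volume itself.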

Remediation

Patch, then assume compromise.

According to the provided content, Microsoft had not yet released a security patch at the time of publication and instead issued manual remediation guidance. The documented remediation is to mount the WinRE image on each affected device, load the mounted WinRE registry hive, remove the autofstx.exe entry from the Session Manager BootExecute REG_MULTI_SZ value, unload and commit the modified WinRE image, and then re-establish BitLocker trust for WinRE, for example by disabling and re-enabling WinRE as described in the vendor guidance. Organizations should also apply the eventual Microsoft security update once it becomes available.
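The five remediation steps just described, rendered as one PowerShell script. This is an added example, not Microsoft's published script and not code from the Mallory page. It assumes that reagentc's /mountre and /unmountre switches are used to mount the device's own WinRE image, that C:\WinREMount is a free scratch directory, that 'WinRE' is an unused temporary hive name under HKLM, and that the BootExecute entry to remove can be matched by the substring 'autofstx'. An offline SYSTEM hive has no CurrentControlSet link, so the script resolves the active control set from Select\Current before editing. Run it elevated and validate on one device before rolling it out.

```powershell
# Added example: the manual remediation steps described above as a script.
# Not Microsoft's script and not code from the Mallory page.
# Assumptions: reagentc /mountre and /unmountre mount the device's WinRE image;
# C:\WinREMount is a scratch directory; 'WinRE' is a temporary hive name;
# the BootExecute entry to remove matches the substring 'autofstx'.

$MountPath = 'C:\WinREMount'   # assumption: scratch mount directory
$HiveName  = 'WinRE'           # assumption: temporary hive name under HKLM

New-Item -ItemType Directory -Path $MountPath -Force | Out-Null

# 1. Mount the WinRE image read/write (reagentc locates the image itself)
reagentc /mountre /path $MountPath
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed (exit code $LASTEXITCODE)" }

$changed = $false
$success = $false
try {
    # 2. Load the SYSTEM hive from inside the mounted image
    $hivePath = Join-Path $MountPath 'Windows\System32\config\SYSTEM'
    reg load "HKLM\$HiveName" $hivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }

    try {
        # Offline hives have no CurrentControlSet; resolve it from Select\Current
        $current = (Get-ItemProperty -Path "HKLM:\$HiveName\Select" -Name Current).Current
        $smKey   = "HKLM:\$HiveName\ControlSet{0:D3}\Control\Session Manager" -f $current

        # 3. Remove the autofstx.exe entry from the BootExecute REG_MULTI_SZ value
        $boot = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
        $drop = @($boot | Where-Object { $_ -match 'autofstx' })
        $kept = @($boot | Where-Object { $_ -notmatch 'autofstx' })

        if ($drop.Count -eq 0) {
            Write-Host 'No autofstx entry in BootExecute; nothing to change.'
        } else {
            Write-Host "Removing BootExecute entries: $($drop -join '; ')"
            Set-ItemProperty -Path $smKey -Name BootExecute -Value ([string[]]$kept) -Type MultiString
            $changed = $true
        }
        $success = $true
    }
    finally {
        # Release PowerShell's handles on the hive before unloading it
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        reg unload "HKLM\$HiveName" | Out-Null
    }
}
finally {
    # 4. Commit the image only if every step succeeded; otherwise discard the mount
    if ($success) {
        reagentc /unmountre /path $MountPath /commit
    } else {
        reagentc /unmountre /path $MountPath /discard
    }
}

# 5. Re-establish BitLocker's trust in the updated WinRE image
if ($changed) {
    reagentc /disable
    reagentc /enable
}
```

Committing the image only when the edit succeeded is deliberate: a half-edited WinRE image that fails to boot leaves the device without a recovery path, and the disable/enable cycle at the end is skipped when nothing was changed so that a second run on an already remediated device is a no-op.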
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as a fake, a detection script, or a README-only repo.

Valid: 0 / 1 total

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                 Product              Type
Microsoft Corporation  Windows              operating_system
Microsoft Corporation  Windows 11 24h2      operating_system
Microsoft Corporation  Windows 11 25h2      operating_system
Microsoft Corporation  Windows 11 26h1      operating_system
Microsoft Corporation  Windows Server 2025  operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles against your asset inventory in the product.

ACTIVITY FEED

Recent activity

49 sources tracked across advisories, community write-ups, and news. Mallory keeps watching after this page renders.

eclypsium blog (News), May 20, 2026
YellowKey: The Unpatched BitLocker Bypass Hidden in Windows Recovery - Eclypsium | Supply Chain Security for the Modern Enterprise

A Windows Recovery Environment (WinRE) BitLocker bypass that abuses NTFS transaction log replay via System Volume Information\FsTx to delete winpeshl.ini and obtain a command shell after TPM-based transparent unlock, enabling access to BitLocker-protected drives with physical access.

security affairs (News), May 20, 2026
Microsoft issues YellowKey mitigation, no patch yet

A BitLocker security feature bypass in Windows that allows an attacker with physical access to gain a shell with access to a BitLocker-protected volume by abusing the WinRE FsTx Auto Recovery Utility (autofstx.exe).

cyber security news (News), May 20, 2026
Microsoft Releases Mitigation for Windows BitLocker Security Bypass 0-Day Vulnerability

A Windows BitLocker security feature bypass vulnerability in WinRE that can allow an attacker with physical access to bypass BitLocker device encryption and access encrypted data without user credentials or decryption keys.

the hacker news (News), May 20, 2026
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

A BitLocker security feature bypass vulnerability in Windows that can allow an attacker with physical access to bypass BitLocker device encryption protections and access encrypted data.

help net security (News), May 20, 2026
Microsoft provides mitigation for "YellowKey" BitLocker bypass flaw (CVE-2026-45585) - Help Net Security

A BitLocker security feature bypass vulnerability in Windows that allows attackers with physical access to bypass BitLocker protections and access data. The issue is described as affecting the recovery environment around BitLocker rather than the encryption itself.

reddit netsec (News), May 20, 2026
CVE-2026-45585: Windows BitLocker - YellowKey Recovery Bypass Analysis : r/netsec

A reported zero-day bypass of Windows BitLocker that abuses the Windows Recovery Environment and crafted FsTx recovery files on a USB stick to gain a SYSTEM shell and full volume access without password cracking or a TPM exploit.