YellowKey Zero-Day Lets Attackers Bypass BitLocker Encryption on Windows Systems
A newly disclosed Windows BitLocker zero-day called YellowKey allows attackers to access encrypted drives through WinRE abuse, prompting Microsoft to release urgent mitigation guidance before a full security patch arrives.

Microsoft Responds to YellowKey Disclosure
Microsoft has published mitigation guidance for YellowKey, a newly disclosed Windows zero-day vulnerability that targets BitLocker-encrypted devices.
The flaw allows attackers to access protected drives by abusing the Windows Recovery Environment, also known as WinRE. Security researcher Nightmare Eclipse publicly released technical details and proof-of-concept exploit code last week.
According to the disclosure, attackers can place specially crafted FsTx files on a USB device or EFI partition. After rebooting the target into WinRE, attackers can trigger an unrestricted shell by holding the CTRL key. This process provides direct access to BitLocker-protected storage volumes.
Microsoft now tracks the vulnerability as CVE-2026-45585.
Public Exploit Raises Enterprise Concerns
The public release of exploit code has raised concerns across enterprise security teams. Threat actors often weaponize public proof-of-concept exploits quickly. Therefore, organizations using default BitLocker settings may face increased risk.
Nightmare Eclipse also disclosed several other Windows security flaws in recent months. These include BlueHammer, GreenPlasma, RedSun, and UnDefend. Some of those vulnerabilities reportedly entered active attacks shortly after disclosure.
The researcher states that these disclosures are a protest against how Microsoft previously handled vulnerability reports submitted through the Microsoft Security Response Center.
Microsoft’s Recommended Mitigations
Microsoft advised administrators to disable the automatic launch of autofstx.exe within WinRE. To do this, security teams must remove the autofstx.exe entry from the BootExecute REG_MULTI_SZ value under the Session Manager registry key.
After applying this change, administrators should rebuild BitLocker trust for WinRE. Microsoft previously documented this process during guidance for CVE-2026-33825.
Security researchers explained that this mitigation blocks the FsTx Auto Recovery Utility from starting automatically. As a result, attackers can no longer abuse Transactional NTFS replay actions during recovery operations.
TPM+PIN Configuration Becomes Critical
Microsoft also recommends moving away from TPM-only BitLocker deployments. Instead, organizations should enable TPM+PIN authentication.
This setup forces users to enter a startup PIN before the system decrypts the drive. Consequently, physical access or manipulation of the recovery environment alone is no longer enough to unlock the volume.
For newly encrypted devices, administrators can enable the “Require additional authentication at startup” setting through Group Policy or Microsoft Intune. Microsoft also recommends configuring the “Configure TPM startup PIN” policy to require PIN usage alongside TPM protection.
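The two mitigations above, removing the autofstx.exe BootExecute entry and confirming that the OS volume actually carries a TPM+PIN protector, as an added PowerShell example that is not Microsoft's published script. The registry path, the winre.wim hive handling, the match pattern and both function names are assumptions made for this example.

```powershell
# Added example, not Microsoft's guidance script. Assumptions: BootExecute lives
# under the Session Manager key of the hive WinRE boots from; for the offline
# hive inside a mounted winre.wim, load it first
# (reg.exe load HKLM\WinRE <mount>\Windows\System32\config\SYSTEM) and pass
# -KeyPath 'HKLM:\WinRE\ControlSet001\Control\Session Manager'.
# Run elevated, then rebuild BitLocker trust for WinRE as the article describes.

function Remove-AutoFsTxBootExecute {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
        [string]$Pattern = 'autofstx\.exe',   # entry named in the mitigation guidance
        [switch]$DryRun
    )
    # BootExecute is REG_MULTI_SZ; the registry provider returns it as a string array.
    $current = @((Get-ItemProperty -Path $KeyPath -Name BootExecute).BootExecute)
    $removed = @($current | Where-Object { $_ -match $Pattern })
    $kept    = @($current | Where-Object { $_ -notmatch $Pattern })
    if ($removed.Count -eq 0) {
        Write-Host "BootExecute already clean: $($current -join ' | ')"
        return $current
    }
    Write-Host "Removing from BootExecute: $($removed -join ' | ')"
    if (-not $DryRun) {
        # Write back only the remaining entries (normally just 'autocheck autochk *').
        Set-ItemProperty -Path $KeyPath -Name BootExecute -Value $kept -Type MultiString
    }
    return @((Get-ItemProperty -Path $KeyPath -Name BootExecute).BootExecute)
}

function Test-TpmPinProtector {
    param([string]$MountPoint = $env:SystemDrive)
    # Get-BitLockerVolume comes from the built-in BitLocker module.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # TpmPin (or TpmPinStartupKey) means a PIN is required before the TPM releases
    # the key; a bare Tpm protector is the TPM-only setup the article warns about.
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($types -join ', ')
        TpmPinEnforced   = $hasPin
    }
}

# Usage (elevated): preview the registry change first, then apply and audit.
Remove-AutoFsTxBootExecute -DryRun
Remove-AutoFsTxBootExecute
Test-TpmPinProtector
```

A device that reports TpmPinEnforced = False still has a TPM-only protector and needs the "Require additional authentication at startup" policy applied before the mitigation is complete.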
Why YellowKey Matters
YellowKey highlights a growing security issue around recovery environment abuse. Although BitLocker remains a trusted encryption technology, attackers continue searching for weaknesses outside the normal operating system environment.
Many organizations focus heavily on endpoint protection and identity security. However, recovery partitions and pre-boot environments often receive less attention.
This incident reminds CISOs and security leaders that encryption alone cannot stop every attack path. Strong startup authentication, recovery hardening, and layered security controls remain essential for protecting enterprise systems.
Until Microsoft releases a permanent patch, organizations should prioritize these mitigations across critical devices and high-value endpoints.