
"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."
"The issue, now tracked as CVE-2026-45585 (CVSS score of 6.8), can be triggered by an attacker with physical access to a system by using a USB drive containing the publicly released YellowKey exploit code and rebooting the system into recovery mode. Instead of serving the attacker the typical Windows Recovery Environment (WinRE), the exploit spawns a shell, offering access to the underlying partition's contents, no longer protected by BitLocker's encryption."
"In its advisory, the tech giant guides defenders through a multi-stage process that involves mounting the WinRE image on each device, mounting the system registry hive of the image, removing autofstx.exe from the mounted hive, mounting the updated image, and reestablishing BitLocker trust for WinRE."
"Microsoft on Tuesday rolled out mitigations for YellowKey, a recently disclosed zero-day vulnerability leading to BitLocker bypass. The mitigations rolled out by Microsoft, Tharros Labs senior principal vulnerability analyst Will Dormann says, effectively prevent the FsTx Auto Recovery utility (autofstx.exe) from automatically running during the WinRE image's initiation."
YellowKey is a zero-day vulnerability tracked as CVE-2026-45585 with a CVSS score of 6.8. An attacker with physical access can boot the system into recovery mode from a USB drive that carries the publicly released exploit code. Instead of presenting the normal Windows Recovery Environment (WinRE), the exploit spawns a shell that exposes the contents of the underlying partition, which are no longer protected by BitLocker Device Encryption. Microsoft's advisory states that a successful attacker could bypass BitLocker and gain access to encrypted data. Microsoft's mitigation is a multi-stage process that mounts the WinRE image, mounts the image's system registry hive, removes autofstx.exe from that hive, mounts the updated image, and reestablishes BitLocker trust for WinRE. Microsoft also recommends adding a BitLocker PIN. According to Will Dormann of Tharros Labs, the mitigation works by preventing the FsTx Auto Recovery utility (autofstx.exe) from running automatically when the WinRE image starts.
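An audit script, added here as an example and not taken from the SecurityWeek article or Microsoft's advisory, that follows the same mount-image-then-mount-hive sequence read-only to report whether a device's WinRE image still contains autofstx.exe on disk or any registry value referencing it. The WinRE path, mount and work directories, and the hive key name are assumptions; the script must run as Administrator with the DISM PowerShell module available.

```powershell
# Added audit example (not Microsoft's mitigation script). Assumed: run elevated,
# DISM module present, $WinReWim points at this device's WinRE image (see "reagentc /info").
param(
    [string]$WinReWim = "C:\Windows\System32\Recovery\Winre.wim",  # assumed location
    [string]$MountDir = "C:\WinREMount",                            # assumed scratch dirs
    [string]$WorkDir  = "C:\WinREAudit"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $MountDir, $WorkDir | Out-Null

# 1. Mount the WinRE image read-only; this audit never commits changes to the image.
Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir -ReadOnly | Out-Null
try {
    # 2. Is the utility the mitigation targets present on disk inside the image?
    $exe = Get-ChildItem -Path "$MountDir\Windows" -Filter 'autofstx.exe' -Recurse -ErrorAction SilentlyContinue
    $exePresent = [bool]$exe

    # 3. Load a *copy* of the image's SYSTEM hive so the read-only mount is untouched.
    $hiveCopy = Join-Path $WorkDir 'SYSTEM'
    Copy-Item "$MountDir\Windows\System32\config\SYSTEM" $hiveCopy -Force
    & reg.exe load 'HKLM\WinREAudit' $hiveCopy | Out-Null   # hive key name is an assumption
    try {
        # 4. Walk every key in the hive and record values whose data mentions autofstx.exe.
        $hits = Get-ChildItem 'HKLM:\WinREAudit' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_
                foreach ($name in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($name)
                    if ($data -match 'autofstx\.exe') {
                        [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                    }
                }
            }
    } finally {
        # Release provider handles before unloading, otherwise reg unload reports access denied.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload 'HKLM\WinREAudit' | Out-Null
    }
} finally {
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}

# 5. Report findings; zero hive references is consistent with the mitigation having been applied.
[pscustomobject]@{ Image = $WinReWim; AutofstxOnDisk = $exePresent; HiveReferences = @($hits).Count } | Format-List
$hits | Format-Table -AutoSize
```

Run it per device before and after applying Microsoft's steps; the second run should show no hive references, and a remaining binary on disk is expected since the mitigation removes only the autorun entry.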
#bitlocker #windows-recovery-environment #zero-day-vulnerability #physical-access-exploitation #cve-2026-45585
Read at SecurityWeek