HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

BitLocker Bypass (CVE‑2026‑45585 “YellowKey”) Exploited in the Wild, Microsoft Issues Mitigation Only

A physical‑access flaw in Windows 11 and Server 2025 allows attackers to bypass BitLocker encryption by abusing the autofstx.exe component. Microsoft has released a manual mitigation but no patch, creating urgent TPRM concerns for any organization that relies on BitLocker for data‑at‑rest protection.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 securityaffairs.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

BitLocker Bypass (CVE‑2026‑45585 “YellowKey”) Exploited in the Wild, Microsoft Issues Mitigation Only

What It Is – A physical‑access vulnerability in the Windows Recovery Environment (WinRE) that lets an attacker bypass BitLocker encryption and obtain a full shell on the protected volume. The flaw resides in the autofstx.exe component and is tracked as CVE‑2026‑45585 (CVSS 6.8).

Exploitability – Public proof‑of‑concept code was released by researcher “Chaotic Eclipse,” violating coordinated‑disclosure norms. Exploits require hands‑on access (USB or direct EFI partition write) but work reliably on affected builds. No public exploit‑as‑a‑service is known, but the PoC is functional and reproducible.

Affected Products – Windows 11 24H2, 25H2, 26H1 (x64) and Windows Server 2025 (both Standard and Server Core). The vulnerability is limited to the WinRE image and the autofstx.exe auto‑recovery utility.

TPRM Impact – Organizations that rely on BitLocker for data‑at‑rest protection face a direct route to decrypting sensitive files if an adversary can obtain physical access to an endpoint. The lack of an official patch forces rapid, manual remediation across the supply chain, increasing operational risk and potential compliance gaps (e.g., GDPR, HIPAA).

Recommended Actions

  • Deploy Microsoft’s mitigation immediately: mount the WinRE image, edit the BootExecute registry value to remove autofstx.exe, and re‑establish BitLocker trust.
  • Enforce TPM + PIN (or TPM + startup key) for all BitLocker‑protected devices.
  • Disable USB boot or enforce strict boot‑policy controls to limit unauthenticated media insertion.
  • Inventory all Windows 11/Server 2025 assets and verify remediation status through automated scripting.
  • Monitor Microsoft security advisories for a forthcoming patch and adjust controls accordingly.

Source: Security Affairs – Microsoft issues YellowKey mitigation, no patch yet

📰 Original Source
https://securityaffairs.com/192449/hacking/microsoft-issues-yellowkey-mitigation-no-patch-yet.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →