BitLocker Bypass (CVE‑2026‑45585 “YellowKey”) Exploited in the Wild, Microsoft Issues Mitigation Only
What It Is – A physical‑access vulnerability in the Windows Recovery Environment (WinRE) that lets an attacker bypass BitLocker encryption and obtain a full shell on the protected volume. The flaw resides in the autofstx.exe component and is tracked as CVE‑2026‑45585 (CVSS 6.8).
Exploitability – Public proof‑of‑concept code was released by researcher “Chaotic Eclipse,” violating coordinated‑disclosure norms. Exploits require hands‑on access (USB or direct EFI partition write) but work reliably on affected builds. No public exploit‑as‑a‑service is known, but the PoC is functional and reproducible.
Affected Products – Windows 11 24H2, 25H2, 26H1 (x64) and Windows Server 2025 (both Standard and Server Core). The vulnerability is limited to the WinRE image and the autofstx.exe auto‑recovery utility.
TPRM Impact – Organizations that rely on BitLocker for data‑at‑rest protection face a direct route to decrypting sensitive files if an adversary can obtain physical access to an endpoint. The lack of an official patch forces rapid, manual remediation across the supply chain, increasing operational risk and potential compliance gaps (e.g., GDPR, HIPAA).
Recommended Actions –
- Deploy Microsoft’s mitigation immediately: mount the WinRE image, edit the
BootExecuteregistry value to removeautofstx.exe, and re‑establish BitLocker trust. - Enforce TPM + PIN (or TPM + startup key) for all BitLocker‑protected devices.
- Disable USB boot or enforce strict boot‑policy controls to limit unauthenticated media insertion.
- Inventory all Windows 11/Server 2025 assets and verify remediation status through automated scripting.
- Monitor Microsoft security advisories for a forthcoming patch and adjust controls accordingly.
Source: Security Affairs – Microsoft issues YellowKey mitigation, no patch yet