HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical ThreatIntel

Zero-Day BitLocker Bypass (YellowKey CVE‑2026‑45585) Threatens Encrypted Windows Drives

A publicly disclosed zero‑day (CVE‑2026‑45585) allows attackers to bypass BitLocker encryption on Windows devices by exploiting a crafted FsTx file in WinRE. Microsoft has issued mitigation guidance while a full patch is in development, making immediate remediation essential for any organization relying on BitLocker.

LiveThreat™ Intelligence · 📅 May 20, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Zero‑Day BitLocker Bypass (YellowKey CVE‑2026‑45585) Threatens Encrypted Windows Drives

What Happened – A researcher (Nightmare Eclipse) disclosed a Windows BitLocker bypass vulnerability, dubbed YellowKey (CVE‑2026‑45585). The flaw lets an attacker place a crafted FsTx file on a USB or EFI partition, reboot into WinRE, and obtain unrestricted access to BitLocker‑protected volumes by holding CTRL. Microsoft published mitigation steps while a security update is in development.

Why It Matters for TPRM

  • Critical data protection controls (BitLocker) can be subverted, exposing confidential information.
  • The exploit is publicly available, raising the likelihood of opportunistic attacks on any Windows fleet.
  • Third‑party vendors and service providers that rely on Windows encryption inherit the same risk.

Who Is Affected – Enterprises across all sectors that deploy Windows 10/11 devices with BitLocker enabled, especially those using TPM‑only mode.

Recommended Actions

  • Apply Microsoft’s interim mitigations immediately (remove autofstx.exe from BootExecute, re‑establish BitLocker trust, switch to TPM + PIN).
  • Prioritize deployment of the forthcoming security patch once released.
  • Review encryption policies and verify that pre‑boot authentication is enforced on all managed endpoints.

Technical Notes – The attack leverages a security‑feature bypass (crafted FsTx files) executed in WinRE, bypassing BitLocker’s TPM‑only protection. No CVE identifier existed before Microsoft’s advisory; the vulnerability is classified as a zero‑day. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-yellowkey-windows-zero-day/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →