Zero‑Day BitLocker Bypass (YellowKey CVE‑2026‑45585) Threatens Encrypted Windows Drives
What Happened – A researcher (Nightmare Eclipse) disclosed a Windows BitLocker bypass vulnerability, dubbed YellowKey (CVE‑2026‑45585). The flaw lets an attacker place a crafted FsTx file on a USB or EFI partition, reboot into WinRE, and obtain unrestricted access to BitLocker‑protected volumes by holding CTRL. Microsoft published mitigation steps while a security update is in development.
Why It Matters for TPRM –
- Critical data protection controls (BitLocker) can be subverted, exposing confidential information.
- The exploit is publicly available, raising the likelihood of opportunistic attacks on any Windows fleet.
- Third‑party vendors and service providers that rely on Windows encryption inherit the same risk.
Who Is Affected – Enterprises across all sectors that deploy Windows 10/11 devices with BitLocker enabled, especially those using TPM‑only mode.
Recommended Actions –
- Apply Microsoft’s interim mitigations immediately (remove
autofstx.exefromBootExecute, re‑establish BitLocker trust, switch to TPM + PIN). - Prioritize deployment of the forthcoming security patch once released.
- Review encryption policies and verify that pre‑boot authentication is enforced on all managed endpoints.
Technical Notes – The attack leverages a security‑feature bypass (crafted FsTx files) executed in WinRE, bypassing BitLocker’s TPM‑only protection. No CVE identifier existed before Microsoft’s advisory; the vulnerability is classified as a zero‑day. Source: BleepingComputer