
Ethical Hacking News

A Critical Vulnerability in BitLocker: Understanding the YellowKey Threat and Microsoft's Mitigation




A critical security feature bypass vulnerability in Microsoft's BitLocker encryption solution has been acknowledged by the company. Dubbed "YellowKey", this vulnerability affects Windows 11 versions 24H2, 25H2, and 26H1 on x64 systems, as well as Windows Server 2025 in both standard and Server Core installations. The proposed mitigation involves disabling autofstx.exe and enabling TPM+PIN, but its implementation requires careful planning and coordination.

  • The Microsoft BitLocker encryption solution has a critical security feature bypass vulnerability known as "YellowKey" (CVE-2026-45585).
  • The vulnerability affects Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2025.
  • The YellowKey vulnerability is a physical attack that exploits the FsTx Auto Recovery Utility, which deletes winpeshl.ini and grants unrestricted access to the protected volume.
  • Microsoft has released a manual mitigation rather than a patch. It has two steps: disable autofstx.exe in the WinRE image, and switch BitLocker from TPM-only to TPM+PIN.
  • Microsoft acknowledges that the manual mitigation is not trivial to apply at scale, but the WinRE change can be scripted and the TPM+PIN policy pushed through group policy or Intune.



    Microsoft has recently acknowledged a critical security feature bypass vulnerability in its BitLocker encryption solution, which has been publicly referred to as "YellowKey". The vulnerability, tracked as CVE-2026-45585 (CVSS score of 6.8), affects Windows 11 versions 24H2, 25H2, and 26H1 on x64 systems, as well as Windows Server 2025 in both standard and Server Core installations.


    The YellowKey vulnerability is a physical attack that exploits the FsTx Auto Recovery Utility, autofstx.exe, which exists only inside the WinRE image and runs automatically when the recovery environment launches. The Transactional NTFS replay it triggers ends up deleting winpeshl.ini, which is what opens the door to an unrestricted shell with full access to the protected volume. This bypasses the encryption that was supposed to keep the data safe.


    The root of the problem lies in the design of the FsTx Auto Recovery Utility, autofstx.exe, and its interaction with the WinRE image. When the recovery environment launches, this utility is triggered, which deletes winpeshl.ini. This deletion creates an entry point for an attacker to gain access to the protected volume without needing brute force or key material.


    The vulnerability was made public by a researcher who has now disclosed five separate Windows vulnerabilities in rapid succession, including GreenPlasma, BlueHammer, RedSun, UnDefend, and MiniPlasma. The researcher's decision to release working exploit code without going through the standard coordinated disclosure process has been condemned by Microsoft.


    In response to this vulnerability, Microsoft has released a mitigation that urges admins to disable autofstx.exe and enable TPM+PIN. This is not a patch, but rather a manual mitigation process that requires mounting the WinRE image on each affected device, loading the system registry hive from that mounted image, and modifying the BootExecute value under Session Manager to remove the autofstx.exe entry.


    The proposed solution involves two main steps: first, disable autofstx.exe by removing its entry from the BootExecute value under Session Manager; second, switch from TPM-only to TPM+PIN. Removing the entry blocks the Transactional NTFS replay that deletes winpeshl.ini, and requiring a PIN at startup means the volume no longer unlocks automatically for whoever has physical possession of the device, so an attacker cannot gain access to the protected volume.


    Microsoft acknowledges that this manual mitigation process is not trivial to apply at scale, especially for organizations managing large fleets of devices. However, scripting the WinRE modification and pushing the TPM+PIN policy change through group policy or Intune can be managed.
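    The two-step procedure described above, scripted in PowerShell as an added example. This is illustrative code written for this article, not Microsoft's published mitigation script. It takes WinRE offline, mounts the image, loads the offline SYSTEM hive, strips the autofstx.exe entry from BootExecute, commits the image and re-enables WinRE; it then sets the TPM+PIN startup policy locally and replaces the TPM-only key protector with a TPM+PIN protector, with a final check that reports which protectors the OS volume now has. Assumptions not taken from the article: the location of Winre.wim after `reagentc /disable`, the mount directory C:\WinREMount, that the BootExecute entry to strip contains the string "autofstx" (the exact entry text is not given), and the FVE policy registry value names that the "Require additional authentication at startup" policy writes.

```powershell
# Added example (not Microsoft's script): scripted YellowKey mitigation for one device.
# Assumptions: Winre.wim sits in C:\Windows\System32\Recovery after 'reagentc /disable';
# C:\WinREMount is free to use; the BootExecute entry to remove contains "autofstx";
# the FVE policy value names below are the ones the startup-authentication GPO writes.
# Run from an elevated PowerShell session.

$ErrorActionPreference = 'Stop'
$MountDir = 'C:\WinREMount'                               # assumed mount directory
$WinReWim = 'C:\Windows\System32\Recovery\Winre.wim'      # assumed location after reagentc /disable
$HiveName = 'WinRE_SYSTEM'                                 # temporary name for the offline hive

function Remove-AutoFstxFromBootExecute {
    param([string[]]$BootExecute)
    # Keep every BootExecute entry that does not reference autofstx (case-insensitive).
    # Assumption: the entry Microsoft's guidance refers to contains "autofstx".
    return @($BootExecute | Where-Object { $_ -notmatch '(?i)autofstx' })
}

function Disable-AutoFstxInWinRE {
    # Step 1: take WinRE offline, mount it, edit the offline SYSTEM hive, commit, re-enable.
    reagentc /disable | Out-Null
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
    try {
        $hivePath = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
        reg.exe load "HKLM\$HiveName" $hivePath | Out-Null
        try {
            # An offline hive has no CurrentControlSet; resolve it through Select\Current.
            $current = (Get-ItemProperty "HKLM:\$HiveName\Select").Current
            $smKey   = "HKLM:\$HiveName\$('ControlSet{0:D3}' -f $current)\Control\Session Manager"
            $before  = @((Get-ItemProperty $smKey -Name BootExecute).BootExecute)
            $after   = Remove-AutoFstxFromBootExecute $before
            if ($after.Count -ne $before.Count) {
                Set-ItemProperty -Path $smKey -Name BootExecute -Value $after -Type MultiString
                Write-Host "BootExecute: removed $($before.Count - $after.Count) autofstx entry(ies)"
            } else {
                Write-Host 'BootExecute: no autofstx entry found, image left unchanged'
            }
        } finally {
            [gc]::Collect()                                 # release hive handles before unloading
            reg.exe unload "HKLM\$HiveName" | Out-Null
        }
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } catch {
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        throw
    }
    reagentc /enable | Out-Null
}

function Set-TpmPinStartupPolicy {
    # Step 2, policy half: require TPM+PIN at startup. Writes the same values locally that the
    # "Require additional authentication at startup" GPO writes (assumed names; 0 = do not allow,
    # 1 = require). In a managed fleet push this through group policy or Intune instead.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
    Set-ItemProperty $fve -Name UseTPM             -Value 0 -Type DWord   # TPM-only no longer allowed
    Set-ItemProperty $fve -Name UseTPMPIN          -Value 1 -Type DWord   # TPM+PIN required
    Set-ItemProperty $fve -Name UseTPMKey          -Value 0 -Type DWord
    Set-ItemProperty $fve -Name UseTPMKeyPIN       -Value 0 -Type DWord
}

function Convert-ToTpmPinProtector {
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][securestring]$Pin)
    # Step 2, device half: add a TPM+PIN protector first, then drop the TPM-only one.
    # Because $ErrorActionPreference is Stop, a failed Add leaves the TPM-only protector in place.
    $vol     = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    foreach ($kp in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

function Test-YellowKeyMitigation {
    param([string]$MountPoint = 'C:')
    # Post-check: the OS volume should have a TpmPin protector and no bare Tpm protector.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        TpmPinProtector  = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
        TpmOnlyProtector = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        RecoveryPassword = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

# Usage on a single device, elevated:
#   Disable-AutoFstxInWinRE
#   Set-TpmPinStartupPolicy
#   Convert-ToTpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
#   Test-YellowKeyMitigation
```

    Two operational points before rolling this out. Confirm that a recovery password protector exists and is escrowed (the post-check reports it) before the TPM-only protector is removed, since a mistyped PIN or a failed TPM measurement will otherwise lock the machine out. And TPM+PIN means someone must type the PIN at every boot, so servers and other machines that restart unattended need a plan for that before the policy is applied to them.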


    The distinction between a patch and a mitigation is crucial in this scenario. A patch ships the fix as an update that is installed on all systems without any further action from admins. A mitigation, by contrast, requires admins to take deliberate action to apply it. This is why Microsoft has urged admins to implement this manual process as soon as possible.


    The YellowKey vulnerability highlights the importance of physical security measures in protecting sensitive data. While the attack itself may not be directly related to human error or social engineering, it demonstrates how a well-designed exploit can still bypass even the most robust encryption solutions.


    This vulnerability also underscores the need for coordination and best practices among researchers, vendors, and admins when dealing with newly discovered vulnerabilities. The researcher's decision to release working exploit code without going through the standard coordinated disclosure process is a reminder that such actions must be carefully considered in order to ensure public safety.


    The YellowKey vulnerability serves as a wake-up call for organizations to review their current security posture and ensure that they are taking all necessary measures to protect their data. The proposed mitigation offers a viable solution, but its implementation requires careful planning and coordination.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-BitLocker-Understanding-the-YellowKey-Threat-and-Microsofts-Mitigation-ehn.shtml

  • https://securityaffairs.com/192449/hacking/microsoft-issues-yellowkey-mitigation-no-patch-yet.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-45585

  • https://www.cvedetails.com/cve/CVE-2026-45585/


  • Published: Wed May 20 10:18:55 2026 by llama3.2 3B Q4_K_M