

Ethical Hacking News

The YellowKey Vulnerability: A New Backdoor to Windows BitLocker


The YellowKey vulnerability has been disclosed, allowing attackers to bypass BitLocker authentication mechanisms. Microsoft has shared mitigations to defend against potential attacks. Users are advised to update software and systems with the latest security fixes to prevent exploitation by zero-day vulnerabilities like YellowKey.

  • Microsoft has shared mitigations for YellowKey, a Windows BitLocker zero-day vulnerability that grants access to protected drives.
  • Exploiting this vulnerability involves placing specially crafted 'FsTx' files on a USB drive or EFI partition and triggering a shell with unrestricted access to the BitLocker-protected storage volume.
  • The researcher leaked three zero-day vulnerabilities: GreenPlasma, UnDefend, and YellowKey.
  • Microsoft is tracking the YellowKey flaw under CVE-2026-45585 and shared mitigation measures to defend against potential attacks.
  • Customers can mitigate YellowKey attacks by configuring BitLocker on already encrypted devices from "TPM-only" mode to "TPM+PIN" mode or enabling additional authentication via Microsoft Intune or Group Policies.


    Microsoft has recently shared mitigations for YellowKey, a previously disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives. This vulnerability was disclosed last week by an anonymous security researcher known as 'Nightmare Eclipse,' who described it as a backdoor and published a proof-of-concept (PoC) exploit.

    According to Nightmare Eclipse, exploiting this zero-day involves placing specially crafted 'FsTx' files on a USB drive or EFI partition, rebooting into WinRE, and then triggering a shell with unrestricted access to the BitLocker-protected storage volume by holding down the CTRL key. This exploit is particularly concerning as it allows attackers to bypass the normal authentication mechanisms for accessing protected data.

    The researcher also leaked GreenPlasma, a zero-day privilege-escalation security issue that attackers can abuse to obtain a SYSTEM shell, and UnDefend, another zero-day that attackers with standard user permissions can exploit to block Microsoft Defender definition updates. These disclosures are in protest of how Microsoft's Security Response Center (MSRC) handled the disclosure process for other security flaws they reported in the past.

    Microsoft is now tracking the YellowKey flaw under CVE-2026-45585 and shared mitigation measures to defend against potential attacks exploiting it in the wild. The company recommended removing the autofstx.exe entry from the Session Manager's BootExecute REG_MULTI_SZ value, then reestablishing BitLocker trust for WinRE by following the procedure detailed under "Mitigations" in the CVE-2026-33825 advisory.

    To mitigate YellowKey attacks, Microsoft advised customers to switch BitLocker on already encrypted devices from "TPM-only" mode to "TPM+PIN" mode via PowerShell, the command line, or the control panel. This requires a pre-boot PIN to unlock the drive at startup and should block YellowKey attacks. On devices that are not yet encrypted, admins can enable the "Require additional authentication at startup" option via Microsoft Intune or Group Policies, while ensuring that "Configure TPM startup PIN" is set to "Require startup PIN with TPM".
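    The two mitigation steps above (clearing the autofstx.exe entry from BootExecute and moving the OS volume to TPM+PIN) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this page; it is not code from the article, from Nightmare Eclipse or from Microsoft. The registry path and the BitLocker cmdlets it uses are standard Windows features; the function names (Get-BootExecuteEntries, Test-AutoFsTxEntry, Get-OsVolumeProtectorStatus, Remove-AutoFsTxEntry, Add-TpmPinProtector) are hypothetical helpers, and it assumes that adding a TPM+PIN protector replaces the existing TPM-only protector, with a defensive removal in case one remains. Review the audit output before running the remediation functions, and make sure a recovery password protector is backed up first.

```powershell
# Added example, not from the article or Microsoft: audit and remediate the
# YellowKey mitigations on a single Windows host. Run as Administrator.
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-BootExecuteEntries {
    # BootExecute is a REG_MULTI_SZ; the registry provider returns it as string[].
    # The stock value is 'autocheck autochk *'; anything else deserves a look.
    [string[]](Get-ItemProperty -Path $sessionManager -Name BootExecute).BootExecute
}

function Test-AutoFsTxEntry {
    # $true if any BootExecute entry references autofstx (case-insensitive match).
    return [bool](Get-BootExecuteEntries | Where-Object { $_ -match 'autofstx' })
}

function Get-OsVolumeProtectorStatus {
    # One record per BitLocker OS volume: which protector types it carries and
    # whether TPM+PIN and a recovery password are present.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            [pscustomobject]@{
                MountPoint          = $_.MountPoint
                Protection          = $_.ProtectionStatus
                Protectors          = ($types -join ',')
                HasTpmPin           = ($types -contains 'TpmPin')
                HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            }
        }
}

function Remove-AutoFsTxEntry {
    # Rewrite BootExecute without autofstx entries; other entries are kept as-is.
    $kept = [string[]](Get-BootExecuteEntries | Where-Object { $_ -notmatch 'autofstx' })
    Set-ItemProperty -Path $sessionManager -Name BootExecute -Value $kept -Type MultiString
}

function Add-TpmPinProtector {
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][securestring]$Pin)
    # Assumption: the TPM+PIN protector supersedes the TPM-only protector. If a
    # TPM-only protector is still listed afterwards, remove it so the PIN is
    # actually enforced at pre-boot rather than bypassed by the TPM-only path.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

# --- Audit ------------------------------------------------------------------
if (Test-AutoFsTxEntry) {
    Write-Warning ("BootExecute still references autofstx: " + ((Get-BootExecuteEntries) -join ' | '))
} else {
    Write-Host 'BootExecute: no autofstx entry present.'
}

$volumes = Get-OsVolumeProtectorStatus
$volumes | Format-Table -AutoSize
foreach ($v in $volumes) {
    if (-not $v.HasRecoveryPassword) { Write-Warning "$($v.MountPoint): no recovery password protector; add and back one up before changing protectors." }
    if (-not $v.HasTpmPin)           { Write-Warning "$($v.MountPoint): no TPM+PIN protector (has: $($v.Protectors))." }
}

# --- Remediation: uncomment only after reviewing the audit above -------------
# Remove-AutoFsTxEntry
# Add-TpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'Pre-boot PIN')
```

    The audit half is safe to run on a fleet to find hosts that still need attention; the remediation half changes boot-critical state, so it belongs behind change control, and the WinRE trust re-establishment step from the CVE-2026-33825 advisory still has to be done afterwards.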


    The YellowKey vulnerability is just the latest in a series of recent zero-day exploits that have been publicly disclosed. Last month, Nightmare Eclipse also disclosed the BlueHammer (CVE-2026-33825) and RedSun (no identifier) local privilege escalation (LPE) zero-day flaws, both of which are now being exploited in attacks.

    While the exact circumstances that triggered this spree of exploit leaks are still unclear, it is clear that these disclosures are having a significant impact on the cybersecurity community. As experts continue to investigate and analyze these vulnerabilities, it is essential for individuals and organizations to take proactive steps to protect themselves from potential attacks.

    In light of this new vulnerability, it is crucial for users to stay informed about the latest security patches and updates. Regularly updating software and systems with the latest security fixes can help prevent exploitation by zero-day vulnerabilities like YellowKey.

    Furthermore, the incident highlights the need for better communication and coordination between researchers and vendors when it comes to disclosing security flaws. The recent disclosures by Nightmare Eclipse have sparked controversy over how Microsoft's Security Response Center (MSRC) handled the disclosure process for other security flaws they reported in the past.

    The incident has also raised questions about the role of proof-of-concept exploits in the cybersecurity landscape. While these tools can be useful for researchers and developers, they can also be exploited by malicious actors to gain unauthorized access to systems and data.

    Ultimately, the YellowKey vulnerability serves as a reminder that zero-day vulnerabilities remain a significant threat to computer systems and networks. As the cybersecurity landscape continues to evolve, it is essential for individuals and organizations to stay vigilant and proactive in protecting themselves from potential attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-YellowKey-Vulnerability-A-New-Backdoor-to-Windows-BitLocker-ehn.shtml

  • https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-yellowkey-windows-zero-day/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-45585

  • https://www.cvedetails.com/cve/CVE-2026-45585/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-33825

  • https://www.cvedetails.com/cve/CVE-2026-33825/


  • Published: Wed May 20 03:48:51 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.
