– Do not treat the interim mitigation as a patch; apply it now and monitor for a full security update.
– Disable autofstx.exe in WinRE by mounting the WinRE image, loading the system registry hive, and removing autofstx.exe from BootExecute; also consider TPM+PIN for high-risk devices.
– Affected: Windows 11 24H2/25H2/26H1 (x64) and Windows Server 2025/Server Core; Windows 10 is not affected; Windows Server 2022 may be affected under certain conditions.
Overview of the Mitigation Guidance for YellowKey
Microsoft has rolled out mitigation guidance for YellowKey, the publicly disclosed BitLocker bypass now tracked as CVE-2026-45585, after a working proof of concept was published without coordinated disclosure. No full security update is available yet. The company confirmed it is working on a permanent fix and is urging administrators across affected Windows versions to apply the interim steps immediately.
Exploit Details and Immediate Risk
The exploit operates by deleting winpeshl.ini via Transactional NTFS (TxF), which prompts the WinRE recovery environment to spawn an unrestricted shell instead of loading the standard recovery interface. From there, an attacker with physical access gains full, unencrypted visibility into the drive’s contents, requiring no credentials, software installation, or network connection.
Microsoft’s Interim Mitigation Steps
Microsoft’s mitigation addresses the issue by disabling autofstx.exe, the FsTx Auto Recovery Utility, within the WinRE image. Administrators must mount the WinRE image on each affected device, load the system registry hive, and remove the autofstx.exe entry from the Session Manager’s BootExecute value. Microsoft also recommends moving high-risk devices from TPM-only BitLocker to TPM+PIN mode, which makes physical exploitation much more difficult.
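One way to script the mitigation described above, as an added example that is not Microsoft's own script: it mounts the WinRE image with reagentc, loads the image's offline SYSTEM hive, drops any BootExecute entry that references autofstx.exe, and commits the image; the mount directory, the temporary hive name and the assumption that the entry can be matched on the substring "autofstx" are mine, not from the advisory.

```powershell
# Added example (not Microsoft's script): remove autofstx.exe from
# Session Manager\BootExecute inside the WinRE image. Run elevated.
$ErrorActionPreference = 'Stop'
$MountDir = 'C:\WinRE_Mount'   # assumption: scratch directory for the mounted image
$HiveName = 'WinRE_SYS'        # assumption: temporary name for the loaded offline hive

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
reagentc /mountre /path $MountDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }

$commit = $false
try {
    # Load the SYSTEM hive of the mounted WinRE image, not the running OS hive.
    reg load "HKLM\$HiveName" (Join-Path $MountDir 'Windows\System32\config\SYSTEM') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }

    # An offline hive has no CurrentControlSet link; resolve it via Select\Current.
    $current = (Get-ItemProperty -Path "HKLM:\$HiveName\Select" -Name Current).Current
    $smKey   = "HKLM:\$HiveName\ControlSet{0:D3}\Control\Session Manager" -f $current

    $bootExec = @([string[]](Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
    $removed  = @($bootExec | Where-Object { $_ -match '(?i)autofstx' })  # assumption: match on substring
    $kept     = @($bootExec | Where-Object { $_ -notmatch '(?i)autofstx' })

    if ($removed.Count -eq 0) {
        Write-Host 'No autofstx entry in BootExecute; nothing to change.'
    } else {
        Write-Host "Removing from BootExecute: $($removed -join ', ')"
        Set-ItemProperty -Path $smKey -Name BootExecute -Value $kept -Type MultiString
    }
    $commit = $true
}
catch {
    Write-Warning "Mitigation failed, discarding image changes: $_"
}
finally {
    # Release registry handles before unloading the hive, then unmount WinRE.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg unload "HKLM\$HiveName" | Out-Null
    if ($commit) { reagentc /unmountre /path $MountDir /commit }
    else         { reagentc /unmountre /path $MountDir /discard }
}

# Check for the second recommendation: high-risk devices should show a TpmPin
# key protector on the OS volume rather than Tpm alone.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Select-Object KeyProtectorType
```

Re-run the script after each WinRE image update, since a replaced Winre.wim will carry the original BootExecute value again.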
Workaround vs Patch Status
This is a workaround, not a patch. Microsoft has not confirmed when a full update will arrive. Until it does, any machine running an affected Windows version with a USB port and the ability to reboot into recovery mode is a viable target for anyone holding the publicly available exploit code.
Hazard Scoring and Affected Platforms
CVE-2026-45585 carries a CVSS score of 6.8 and requires physical access, but Microsoft rates exploitation as “More Likely” given that the proof of concept is already public. Microsoft’s advisory focuses on Windows 11 24H2, 25H2, and 26H1 on x64 systems, along with Windows Server 2025 and Windows Server 2025 Server Core. Windows 10 is not affected because of differences in its WinRE configuration. Public technical analyses also flag Windows Server 2022 as potentially vulnerable under specific deployment conditions via the same WinRE recovery path flaw, though Microsoft has not yet addressed it formally in its advisory.
Developer and Researcher Context
The researcher behind the exploit, known as Nightmare-Eclipse, released it publicly before Microsoft had issued any guidance. Microsoft called the incident a violation of coordinated vulnerability disclosure practices.