Microsoft addresses a critical BitLocker bypass vulnerability that allows attackers with physical access to gain unrestricted access to encrypted data through specially crafted USB drives.
Microsoft has released a mitigation for a concerning BitLocker security feature bypass vulnerability named YellowKey, which was publicly disclosed last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8 and impacts multiple Windows versions, potentially exposing encrypted data to attackers with physical access.

Understanding the YellowKey Vulnerability
"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey,'" the company stated in its advisory. "The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices."
The vulnerability was disclosed by security researcher Chaotic Eclipse (aka Nightmare-Eclipse), who detailed how placing specially crafted 'FsTx' files on a USB drive or EFI partition could bypass BitLocker protections. The attack sequence involves:
- Placing the specially crafted files on a USB drive
- Connecting the USB drive to a target Windows system with BitLocker enabled
- Rebooting into the Windows Recovery Environment (WinRE)
- Holding down the CTRL key to trigger an unrestricted shell
"If you did everything properly, a shell will spawn with unrestricted access to the BitLocker protected volume," the researcher noted in their GitHub post.
Affected Systems
The vulnerability impacts several Windows versions:
- Windows 11 version 26H1 for x64-based Systems
- Windows 11 Version 24H2 for x64-based Systems
- Windows 11 Version 25H2 for x64-based Systems
- Windows Server 2025
- Windows Server 2025 (Server Core installation)
Attack Vector and Impact
Successful exploitation allows an attacker with physical access to sidestep the BitLocker Device Encryption feature on the system storage device and gain access to encrypted data.
"To break encryption, YellowKey abuses a behavioral trust assumption in the recovery interface, allowing attackers to spawn an unrestricted shell with full access to the encrypted volume during the pre-boot recovery sequence," explained LevelBlue security researchers. "And because YellowKey doesn't require software installation, existing credentials, or network access to break encryption, any machine that has a USB port and can be rebooted can be a target."
Microsoft's Mitigation Approach
Microsoft has provided specific steps to address the risk:
- Mount the WinRE image on each device
- Load the SYSTEM registry hive from the mounted WinRE image
- Remove the "autofstx.exe" entry from the Session Manager's BootExecute REG_MULTI_SZ value
- Save and unload the registry hive
- Unmount the WinRE image and commit the change
- Re-establish BitLocker's trust in the updated WinRE image
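The six steps above, carried out in an elevated PowerShell session, as an added example (this is not Microsoft's script and not part of the original advisory). It assumes the stock reagentc.exe and reg.exe tools, a free directory C:\WinREMount for the mount point, and a temporary hive name HKLM\WinRE_SYSTEM. The page does not say how the final "re-establish trust" step is performed; the disable/enable pair at the end is an assumption about that step, so check the advisory for the exact method it prescribes for your build.

```powershell
# Added example, not Microsoft's own script. Run elevated. Assumptions: C:\WinREMount is
# unused, reagentc/reg are the stock Windows tools, hive name HKLM\WinRE_SYSTEM is free.
$Mount   = 'C:\WinREMount'
$HiveKey = 'HKLM\WinRE_SYSTEM'                                   # reg.exe syntax
$HiveReg = 'HKLM:\WinRE_SYSTEM\ControlSet001\Control\Session Manager'   # provider syntax

New-Item -ItemType Directory -Path $Mount -Force | Out-Null

# 1. Mount the WinRE image; reagentc finds this device's winre.wim itself.
reagentc /mountre /path $Mount
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }

try {
    # 2. Load the SYSTEM hive of the mounted image under a temporary key.
    reg load $HiveKey "$Mount\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }

    try {
        # 3. Drop only the BootExecute entries that launch autofstx.exe; keep the rest
        #    (for example the autocheck entry). REG_MULTI_SZ arrives as a string[].
        $before = @((Get-ItemProperty -Path $HiveReg -Name BootExecute).BootExecute)
        $after  = @($before | Where-Object { $_ -notmatch 'autofstx\.exe' })
        Write-Host "BootExecute before: $($before -join ' | ')"
        Write-Host "BootExecute after : $($after  -join ' | ')"
        if ($after.Count -ne $before.Count) {
            Set-ItemProperty -Path $HiveReg -Name BootExecute -Value $after -Type MultiString
        } else {
            Write-Host 'No autofstx.exe entry found; image left unchanged.'
        }
    }
    finally {
        # 4. Release provider handles, then save and unload the hive.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        reg unload $HiveKey | Out-Null
    }

    # 5. Unmount and commit the edited image back into winre.wim.
    reagentc /unmountre /path $Mount /commit
    if ($LASTEXITCODE -ne 0) { throw "reagentc /unmountre /commit failed ($LASTEXITCODE)" }
}
catch {
    # On any failure discard the mount so the device keeps its previous WinRE image.
    reagentc /unmountre /path $Mount /discard | Out-Null
    throw
}

# 6. Re-establish BitLocker trust in the modified WinRE. ASSUMPTION: disabling and
#    re-enabling WinRE re-registers the recovery image with the boot configuration that
#    BitLocker measures; substitute the method the advisory specifies if it differs.
reagentc /disable
reagentc /enable
reagentc /info
```

Run it once per device (for example as an Intune or ConfigMgr script) and keep the two BootExecute lines it prints as evidence that autofstx.exe was present and removed; a device that prints "No autofstx.exe entry found" should be checked against the advisory's list of affected builds rather than assumed safe.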
"Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches," security researcher Will Dormann clarified. "With this change, the Transactional NTFS replaying that deletes winpeshl.ini no longer happens."
Additional Recommendations
Microsoft also emphasized that already-encrypted devices using the "TPM-only" protector can be protected by switching them to "TPM+PIN" mode via PowerShell, the command line, or the Control Panel. With TPM+PIN the TPM will not release the volume key until the PIN is entered at startup, so booting into WinRE without the PIN leaves the system volume locked, which effectively blocks YellowKey attacks.
For devices that are not encrypted, administrators are advised to:
- Enable the "Require additional authentication at startup" option via Microsoft Intune or Group Policies
- Ensure that "Configure TPM startup PIN" is set to "Require startup PIN with TPM"
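The two recommendations above, the policy for not-yet-encrypted devices and the TPM-only to TPM+PIN switch for already-encrypted ones, as an added example (not from Microsoft's advisory). It assumes an elevated PowerShell session with the BitLocker module, that the OS volume is C:, and that the local policy registry values UseAdvancedStartup and UseTPMPIN under HKLM\SOFTWARE\Policies\Microsoft\FVE correspond to the Group Policy settings named in the text (the Intune equivalent is not shown). The recovery-password safeguard is the author's addition, not something the page requires.

```powershell
# Added example, not Microsoft's script. Run elevated. Assumptions: BitLocker module
# present, OS volume is C:, FVE registry values below map to the named GPO settings.

# --- Part A: policy for devices that are not yet encrypted (local equivalent of the GPO)
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $Fve -Force | Out-Null
# "Require additional authentication at startup" = Enabled
Set-ItemProperty -Path $Fve -Name UseAdvancedStartup -Value 1 -Type DWord
# "Configure TPM startup PIN" = Require startup PIN with TPM (assumption: 1 = Require)
Set-ItemProperty -Path $Fve -Name UseTPMPIN -Value 1 -Type DWord

# --- Part B: move an already-encrypted OS volume from TPM-only to TPM+PIN
function Switch-ToTpmPin {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "$MountPoint is not encrypted; enable BitLocker under the policy above instead."
    }
    if ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin') {
        Write-Host "$MountPoint already uses TPM+PIN; nothing to do."
        return
    }

    # Safeguard: never remove the TPM protector without a recovery password on record.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
        Write-Warning "New recovery password created; escrow it now: $($rp.RecoveryPassword)"
    }

    # Add TPM+PIN first so the volume is never left without a boot-time protector.
    $pin = Read-Host -Prompt "Startup PIN for $MountPoint" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Then remove any TPM-only protector that survived; it is what lets WinRE unlock the
    # volume without a PIN. (Some builds replace it automatically; the loop covers both.)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # Verify: the only TPM-based protector left should be TpmPin.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
}

Switch-ToTpmPin -MountPoint 'C:'
```

Part A must run before Part B on a device that has never had the policy applied; without "Require additional authentication at startup" enabled, Add-BitLockerKeyProtector refuses to create a PIN-based protector. Reboot once afterwards and confirm the PIN prompt appears before Windows (or WinRE) loads.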
Industry Response
The vulnerability has drawn significant attention from the security community due to its practical nature and the potential for widespread exploitation. The fact that it requires only physical access and doesn't need software installation or existing credentials makes it particularly concerning for organizations with laptop deployments or shared computing environments.
Security experts recommend that organizations prioritize implementing the mitigations, especially for systems that handle sensitive data or are used in public or shared environments. The TPM+PIN approach is being highlighted as the most effective protection against this specific vulnerability.
For organizations with large deployments, Microsoft's official advisory provides detailed guidance on implementing the mitigations through enterprise management tools.
Conclusion
The YellowKey vulnerability serves as a reminder that even robust encryption solutions like BitLocker can have vulnerabilities when certain assumptions are made about the security environment. As attackers continue to find creative ways to bypass security measures, organizations must stay vigilant and implement layered security approaches that don't rely solely on encryption.
The prompt release of a mitigation by Microsoft is commendable, but organizations should treat this as an opportunity to review their overall encryption strategies and access controls, particularly for systems that may be exposed to physical threats.
