Microsoft Shares Mitigation for YellowKey Windows Zero‑Day

Overview

Microsoft has published mitigation guidance for YellowKey, a newly disclosed Windows BitLocker zero‑day vulnerability that allows attackers to gain access to encrypted drives. The flaw, now tracked as CVE‑2026‑45585, was revealed by an independent researcher known as Nightmare Eclipse, who described it as a backdoor and released a proof‑of‑concept exploit.

What Is YellowKey?

The exploit involves placing specially crafted FsTx files on a USB drive or EFI partition, rebooting into Windows Recovery Environment (WinRE), and triggering a shell with unrestricted access to BitLocker‑protected volumes by holding down the CTRL key.

This vulnerability effectively bypasses BitLocker’s encryption layer, granting attackers direct access to protected data. It joins a series of recent zero‑days disclosed by the same researcher, including BlueHammer (CVE‑2026‑33825), RedSun, GreenPlasma, and UnDefend, all targeting Windows privilege escalation and security bypass mechanisms.

Microsoft’s Mitigation Guidance

Microsoft’s advisory outlines several steps to reduce exposure until a full patch is released:

  • Remove autofstx.exe from BootExecute: Delete the autofstx.exe entry from the Session Manager’s BootExecute REG_MULTI_SZ value to prevent the FsTx Auto Recovery Utility from launching automatically in WinRE.
  • Reestablish BitLocker trust for WinRE: Follow the procedure detailed under the CVE‑2026‑33825 advisory to restore secure BitLocker operations.
  • Configure BitLocker to TPM + PIN mode: Switch from “TPM‑only” to “TPM + PIN” authentication via PowerShell, command line, or Control Panel. This adds a pre‑boot PIN requirement, blocking unauthorized decryption attempts.
  • Enable additional authentication at startup: For unencrypted devices, enforce this policy through Microsoft Intune or Group Policy, ensuring “Configure TPM startup PIN” is set to “Require startup PIN with TPM.”
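The first and third mitigations above, as an added audit-and-remediate helper (example code, not Microsoft's advisory script): it inspects the Session Manager BootExecute value for an autofstx entry, removes it only when run with -Remove, and reports OS volumes whose BitLocker protectors are still TPM-only. It assumes the standard registry path and the BitLocker PowerShell module; the `-match 'autofstx'` filter is an assumption about how the entry is named in the value.

```powershell
# Added example (not Microsoft's own script). Assumes the standard Session Manager
# key, its BootExecute REG_MULTI_SZ value, and the BitLocker module. Run elevated.
param([switch]$Remove)   # audit only unless -Remove is supplied

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. Find (and optionally strip) any autofstx entry in BootExecute.
$boot = @((Get-ItemProperty -Path $key -Name BootExecute -ErrorAction SilentlyContinue).BootExecute)
$bad  = @($boot | Where-Object { $_ -match 'autofstx' })   # assumed match pattern
if ($bad.Count -eq 0) {
    Write-Output 'BootExecute: no autofstx entry present'
} else {
    Write-Output "BootExecute: found '$($bad -join '; ')'"
    if ($Remove) {
        # Keep the other entries (e.g. autochk) and preserve the REG_MULTI_SZ type.
        $clean = @($boot | Where-Object { $_ -notmatch 'autofstx' })
        Set-ItemProperty -Path $key -Name BootExecute -Value $clean -Type MultiString
        Write-Output 'BootExecute: autofstx entry removed (effective at next boot)'
    }
}

# 2. Report operating-system volumes still protected by a TPM-only protector.
$osVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
foreach ($vol in $osVolumes) {
    # Normalise the enum values to strings so the comparisons below are unambiguous.
    $types     = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    $hasTpm    = $types -contains 'Tpm'
    $hasTpmPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if ($hasTpm -and -not $hasTpmPin) {
        Write-Output "$($vol.MountPoint): TPM-only protector; migrate to TPM + PIN"
    } elseif ($hasTpmPin) {
        Write-Output "$($vol.MountPoint): startup PIN already required"
    } else {
        Write-Output "$($vol.MountPoint): protectors = $($types -join ', ')"
    }
}
```

Run it without arguments first to see what would change; the BootExecute edit is the only write it performs, and only with -Remove.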

Technical Insight

Security analysts note that disabling autofstx.exe prevents the Transactional NTFS (TxF) replay that previously deleted winpeshl.ini and enabled the exploit chain. With that replay step removed, attackers can no longer trigger the unauthorized shell during WinRE boot.

Defensive Recommendations

To further harden systems against exploitation:

  • Enable tamper protection to prevent modification of security settings.
  • Monitor registry changes related to BootExecute entries.
  • Audit BitLocker configurations across enterprise endpoints.
  • Deploy Defender SmartScreen to block malicious downloads and scripts.

Strategic Impact

Microsoft’s rapid response to YellowKey demonstrates the importance of coordinated vulnerability disclosure. While the exploit’s publication violated best practices, the company’s mitigation steps help organizations protect sensitive data until a permanent fix is available.

The incident also underscores the critical role of BitLocker configuration in enterprise security — TPM‑only setups, while convenient, can expose systems to physical or boot‑level attacks.

Final Thoughts

The YellowKey zero‑day highlights how attackers continue to exploit low‑level recovery environments to bypass encryption. Enterprises should treat BitLocker configuration as a frontline defense, ensuring multi‑factor pre‑boot authentication and strict WinRE controls are enforced.
