Particle.news

Microsoft Issues Mitigations for YellowKey BitLocker Bypass

The company published WinRE image and BitLocker configuration steps to block the publicly released exploit until a formal security update is available.

Overview

  • Microsoft began tracking the flaw as CVE-2026-45585 and published mitigation guidance after a researcher publicly released a proof-of-concept for the YellowKey exploit, which surfaced in mid-May.
  • The exploit uses specially crafted FsTx files and the WinRE-only utility autofstx.exe to trigger a Transactional NTFS replay that deletes winpeshl.ini and yields an unlocked command shell against BitLocker-protected volumes.
  • Microsoft’s recommended fixes are to remove the autofstx.exe entry from the WinRE image’s Session Manager BootExecute value and to convert devices from TPM-only BitLocker to TPM+PIN to require a pre-boot PIN.
  • YellowKey requires physical access (for example, a USB or EFI payload) and affects Windows 11 (x64 24H2, 25H2, 26H1) and Windows Server 2025 builds, so administrators must weigh the risk to laptops and unattended devices.
  • A disputed claim from the researcher that a variant can bypass TPM+PIN remains unproven, and the public PoC plus non-trivial remediation steps mean teams should harden physical controls and apply Microsoft’s mitigations until a patch is released.
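The two mitigations described above, as an added PowerShell example (not Microsoft's published script); it assumes an elevated session with the DISM and BitLocker modules, that WinRE was staged with `reagentc /disable` so the image sits at the default `Winre.wim` path, that the offline hive's default control set is `ControlSet001`, and that a recovery password protector is already escrowed before protectors are changed.

```powershell
# Added example (not Microsoft's published script). Applies the two mitigations
# described above. Assumes: elevated PowerShell, the DISM and BitLocker modules,
# and WinRE staged with `reagentc /disable` so the image is at the path below.
param(
    [string]$WinReWim = 'C:\Windows\System32\Recovery\Winre.wim',  # assumed path
    [string]$MountDir = 'C:\WinRE_Mount',
    [string]$OsDrive  = 'C:'
)
$ErrorActionPreference = 'Stop'

# --- Mitigation 1: remove the autofstx.exe entry from WinRE's BootExecute ---
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
reg.exe load HKLM\WinRE_SYS "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
try {
    # An offline hive has no CurrentControlSet link; ControlSet001 is assumed default.
    $smKey  = 'HKLM:\WinRE_SYS\ControlSet001\Control\Session Manager'
    $before = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
    $after  = @($before | Where-Object { $_ -notmatch '(?i)autofstx' })
    if ($after.Count -lt $before.Count) {
        Set-ItemProperty -Path $smKey -Name BootExecute -Value $after -Type MultiString
        Write-Host "BootExecute: removed $($before.Count - $after.Count) autofstx entry"
    } else { Write-Host 'BootExecute: no autofstx entry present' }
} finally {
    [GC]::Collect()                              # drop hive handles before unload
    reg.exe unload HKLM\WinRE_SYS | Out-Null
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
# Then re-register the updated image with: reagentc /enable

# --- Mitigation 2: replace the TPM-only protector with TPM+PIN ---
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$tpm = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    throw 'Escrow a recovery password before changing protectors'
}
if ($tpm) {
    # Policy must allow a startup PIN ("Require additional authentication at startup").
    $pin = Read-Host -Prompt 'New pre-boot PIN' -AsSecureString
    Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $tpm.KeyProtectorId | Out-Null
    try {
        Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null
        Write-Host "$OsDrive now requires TPM+PIN at boot"
    } catch {
        Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null  # restore TPM-only
        throw
    }
}
```

Reboot once after both steps and confirm with `reagentc /info` that the re-registered WinRE image is enabled and with `manage-bde -status` that the OS volume lists a TpmAndPin protector.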