Find notable cyber news and cases, enriched with sources, timelines, and signals.

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
First reported
Last updated
Happening score
H score 7
3 unique sources, 5 articles

Summary

Hide ▲

YellowKey is a Windows BitLocker security feature bypass tracked as CVE-2026-45585 that affects the Windows Recovery Environment (WinRE) path and can expose BitLocker-protected drives on Windows 11 and Windows Server 2022/2025 systems. Microsoft has issued mitigation guidance after the proof of concept was made public, including removing autofstx.exe from the BootExecute registry value and moving already encrypted devices from TPM-only to TPM+PIN. The disclosed technique uses crafted FsTx files on a USB drive or EFI partition to reach a shell with unrestricted access to the protected storage volume.

Related Happenings

Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave

Exploitation Wave
H score41 First: 30.06.2026 11:53 Last: 30.06.2026 11:53 Sources 1

About this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...

Microsoft BitLocker recovery prompt workaround

Advisory/Mitigation
H score25 First: 09.06.2026 21:35 Last: 09.06.2026 21:35 Sources 1

About this happening: Microsoft issued a **temporary workaround** for **BitLocker recovery prompts** on some **Windows** systems after recent updates. The issue affects devices configured with a **BitL...

Microsoft CVD response for Windows Defender and BitLocker

Advisory/Mitigation
H score47 First: 28.05.2026 16:53 Last: 28.05.2026 16:53 Sources 1

How related: In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.

About this happening: **Microsoft** is urging **Coordinated Vulnerability Disclosure (CVD)** and says it is developing **security updates** for **Windows components including Defender and BitLocker** a...

Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)

Vulnerability
H score9 First: 20.05.2026 11:28 Last: 20.05.2026 11:28 Sources 1

About this happening: CVE-2026-45585 (YellowKey) is a BitLocker security feature bypass affecting Windows 11 24H2/25H2/26H1 and Windows Server 2025, including Server Core. Microsoft disclosed the issue...

Latest development: 11.06.2026 20:43

Security researcher Chaotic Eclipse released GreatXML, a Windows BitLocker bypass that copies unattend.xml and Recovery/WindowsRE/ReAgent.xml onto the recovery partition and then boots into Windows Recovery Environment (WinRE) to spawn a shell with unrestricted access to the BitLocker volume. The researcher said the flaw could automatically affect systems that ever used Windows Defender Offline Scan, and the release followed YellowKey (CVE-2026-45585), which Microsoft patched in Patch Tuesday updates.

Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)

Advisory/Mitigation
H score32 First: 20.05.2026 10:31 Last: 20.05.2026 10:31 Sources 1

How related: "We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available."

About this happening: **Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...

Latest development: 10.06.2026 12:57

On Tuesday, Microsoft fixed YellowKey (CVE-2026-45585) as part of its June 2026 Patch Tuesday updates and shared mitigation measures for the Windows Recovery Environment backdoor. The flaw affects unpatched Windows 11 and Windows Server 2022/2025 systems and can let attackers with physical access bypass BitLocker protection on targeted devices.

Timeline

  1. 20.05.2026 10:31 3 articles · 1mo ago

    Microsoft shares YellowKey mitigation guidance

    Mitigation Patch Update

    Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

    Show sources
  2. 14.05.2026 10:27 1 articles · 1mo ago

    Chaotic Eclipse publicly discloses YellowKey and GreenPlasma

    Initial Disclosure

    Chaotic Eclipse and Nightmare Eclipse publicly release proof-of-concept code for YellowKey, a Windows 11 BitLocker bypass that can expose the protected storage volume, and GreenPlasma, a separate Windows zero-day that can elevate privileges to System.

    Show sources
  3. 14.05.2026 10:27 3 articles · 1mo ago

    Researchers validate YellowKey on recent Windows 11 builds

    Technical Analysis Update

    Independent testers including Kevin Beaumont, KevTheHermit, Will Dormann, and JaGoTu confirm YellowKey works against recent Windows 11 builds, and TPM PIN-protected devices may also be affected depending on the WinRE implementation. The exploit path can begin with a USB drive or EFI partition and then use Windows Recovery Environment (WinRE) to reach a command prompt that exposes the protected volume.

    Show sources