BitLocker bypass technique YellowKey leveraging FsTx files disclosed with mitigation available
Summary
A bypass technique dubbed YellowKey for Microsoft BitLocker Device Encryption was publicly disclosed, enabling attackers with physical access to bypass encryption on certain Windows systems. The technique abuses a Windows Recovery Environment (WinRE) behavior via specially crafted FsTx files on USB or EFI partitions, allowing unauthenticated shell access when triggering WinRE with the CTRL key. Microsoft issued mitigations and recommends switching from TPM-only to TPM+PIN protectors to neutralize the bypass.
Timeline
-
20.05.2026 11:28 · 1 article
Mitigation for YellowKey BitLocker bypass technique released with TPM+PIN recommendation
Microsoft released mitigations for the YellowKey BitLocker bypass technique (CVE-2026-45585) impacting Windows 11 24H2/25H2/26H1 and Windows Server 2025. The mitigation disables autofstx.exe in BootExecute within WinRE to prevent the FsTx Auto Recovery Utility from executing, and Microsoft advises switching from TPM-only to TPM+PIN protectors. The bypass allows attackers with physical access to gain unauthenticated shell access and access encrypted data by inserting a USB drive with an FsTx file and triggering WinRE with the CTRL key.
Sources:
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit — thehackernews.com — 20.05.2026 11:28
Information Snippets
-
YellowKey targets Windows 11 versions 26H1, 24H2, 25H2 (x64), Windows Server 2025, and Windows Server 2025 (Server Core).
First reported: 20.05.2026 11:28 (1 source, 1 article)
Sources:
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit — thehackernews.com — 20.05.2026 11:28
-
CVE-2026-45585 has a CVSS score of 6.8 and is described as a security feature bypass in BitLocker Device Encryption.
First reported: 20.05.2026 11:28 (1 source, 1 article)
Sources:
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit — thehackernews.com — 20.05.2026 11:28
-
Exploitation requires physical access to insert a USB drive with an FsTx file and reboot into WinRE, then hold CTRL to trigger an unrestricted shell.
First reported: 20.05.2026 11:28 (1 source, 1 article)
Sources:
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit — thehackernews.com — 20.05.2026 11:28
-
Successful exploitation permits bypassing BitLocker Device Encryption protections and accessing encrypted data on the system storage device.
First reported: 20.05.2026 11:28 (1 source, 1 article)
Sources:
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit — thehackernews.com — 20.05.2026 11:28
-
Microsoft’s mitigation involves disabling autofstx.exe in BootExecute within WinRE, preventing the FsTx Auto Recovery Utility from launching.
First reported: 20.05.2026 11:28 (1 source, 1 article)
Sources:
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit — thehackernews.com — 20.05.2026 11:28
-
Microsoft recommends switching the BitLocker protector from TPM-only to TPM+PIN to mitigate YellowKey exploitation.
First reported: 20.05.2026 11:28 (1 source, 1 article)
Sources:
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit — thehackernews.com — 20.05.2026 11:28
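
An audit for the TPM+PIN recommendation above, as an added example that is not part of the original report or of Microsoft's guidance: it uses the BitLocker PowerShell module to list protected operating-system volumes that still carry a TPM-only protector. The function name Get-TpmOnlyVolume is hypothetical, and the 'C:' mount point in the commented remediation is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: flag OS volumes that a TPM-only protector unlocks at boot
# with no user input. Get-TpmOnlyVolume is a hypothetical helper name.

function Get-TpmOnlyVolume {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Only the boot volume is auto-unlocked by the TPM before WinRE or Windows starts.
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }
        # Skip volumes where BitLocker protection is not active.
        if ($vol.ProtectionStatus -ne 'On') { continue }

        # Normalise the protector enum values to strings for comparison.
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # 'Tpm' is the TPM-only protector; 'TpmPin', 'TpmStartupKey' and
        # 'TpmPinStartupKey' all require something from the user before boot.
        if ($types -contains 'Tpm') {
            [pscustomobject]@{
                ComputerName     = $env:COMPUTERNAME
                MountPoint       = $vol.MountPoint
                EncryptionMethod = "$($vol.EncryptionMethod)"
                Protectors       = ($types | Sort-Object -Unique) -join ', '
                Finding          = 'TPM-only protector present'
            }
        }
    }
}

$findings = @(Get-TpmOnlyVolume)
if ($findings.Count -eq 0) {
    Write-Output 'No protected OS volume uses a TPM-only protector.'
} else {
    $findings | Format-Table -AutoSize
}

# Remediation for a flagged volume (assumes mount point C: and that Group Policy
# "Require additional authentication at startup" permits a startup PIN):
#   $pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
# Re-run Get-TpmOnlyVolume afterwards to confirm no 'Tpm' protector remains.
```

Run it from an elevated session on each in-scope Windows 11 or Windows Server 2025 host; the output objects can be piped to Export-Csv for fleet-wide collection.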