Deepak Sharma

Microsoft Releases Mitigation for YellowKey BitLocker Bypass Vulnerability

Microsoft has released mitigation guidance for a newly disclosed BitLocker bypass vulnerability known as YellowKey. The flaw, tracked as CVE-2026-45585, is a security feature bypass issue that could allow attackers with physical access to a device to access encrypted data.

YellowKey affects several Windows versions, including Windows 11 24H2, 25H2, 26H1, and Windows Server 2025. The vulnerability became more urgent after a public proof-of-concept exploit was released, increasing the risk of real-world abuse.

The attack works by abusing behavior in the Windows Recovery Environment. A specially crafted file can be placed on a USB drive or EFI partition. If the attacker has physical access to the target machine and can reboot it into recovery mode, they may trigger an unrestricted shell that provides access to the BitLocker-protected volume.

YellowKey is dangerous because it requires no stolen credentials, malware installation, or network access: any vulnerable device with a USB port that an attacker can physically control and reboot is a potential target.

Microsoft’s mitigation focuses on preventing the FsTx Auto Recovery Utility from automatically starting inside the recovery environment. Administrators are advised to update the WinRE image, modify the relevant registry value, commit the changes, and reestablish BitLocker trust for WinRE.

Microsoft also recommends moving from TPM-only BitLocker protection to TPM+PIN. This adds an extra startup PIN requirement before the drive can be decrypted, reducing the risk of physical bypass attacks like YellowKey.
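As an added example (not code from the post or from Microsoft's guidance), the PowerShell below audits which BitLocker volumes on a machine still rely on TPM-only protection and provides a helper that replaces that protector with TPM+PIN, using the built-in BitLocker cmdlets; the function names and the report layout are this example's own.

```powershell
# Added example, not code from the post or from Microsoft: audit BitLocker startup
# authentication and flag OS volumes that are TPM-only (the configuration the post
# says to move away from), then optionally replace TPM-only with TPM+PIN.
# Requires the built-in BitLocker module and an elevated session. Function names
# and the report layout are this example's own.

function Get-BitLockerStartupAuthReport {
    foreach ($vol in Get-BitLockerVolume) {
        # Protector types present on the volume, e.g. Tpm, TpmPin, RecoveryPassword.
        $types  = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        if ($vol.VolumeType -ne 'OperatingSystem') { $finding = 'Data volume; startup auth not applicable' }
        elseif ($vol.ProtectionStatus -ne 'On')    { $finding = 'Protection is OFF' }
        elseif ($hasPin)                           { $finding = 'TPM+PIN present' }
        elseif ($types -contains 'Tpm')            { $finding = 'TPM-only: pre-boot PIN missing' }
        else                                       { $finding = 'No TPM-based protector' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            Finding          = $finding
        }
    }
}

# Replace a TPM-only protector with TPM+PIN. Only one TPM-based protector may exist,
# so the existing TPM protector is removed first; the function refuses to do so
# unless a recovery password protector is present, and the PIN is read interactively.
# Group Policy must allow a startup PIN ("Require additional authentication at startup").
function Set-TpmPinProtector {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' }
    $rp  = $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' }
    if (-not $rp) { throw "No recovery password protector on $MountPoint; back one up before changing protectors." }

    $pin = Read-Host -Prompt 'New BitLocker startup PIN' -AsSecureString
    if ($tpm) { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpm.KeyProtectorId | Out-Null }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Get-BitLockerStartupAuthReport | Where-Object MountPoint -eq $MountPoint
}

Get-BitLockerStartupAuthReport | Format-Table -AutoSize
```

Run the report first across a fleet (for example via a remoting job) to find TPM-only OS volumes; the helper is meant for interactive use on a single machine after the recovery password has been escrowed.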

For organizations, this incident is a reminder that encryption security depends not only on strong cryptography but also on boot process protections, recovery environments, and physical access controls.

Cybersecurity companies like IntelligenceX help organizations reduce these risks through endpoint security reviews, encryption policy assessment, vulnerability monitoring, and hardening guidance.

Security teams should prioritize affected Windows devices, apply Microsoft’s mitigation, enforce TPM+PIN where possible, and review physical security controls for laptops, workstations, and servers.
