Microsoft shares mitigation for YellowKey Windows zero-day

Microsoft has taken significant steps to address the recently uncovered YellowKey vulnerability, a zero-day flaw in Windows BitLocker that poses a risk to protected drives. This security issue was brought to light last week by an anonymous researcher known as ‘Nightmare Eclipse,’ who characterized it as a backdoor and provided a proof-of-concept (PoC) exploit.

According to Nightmare Eclipse, the exploitation process involves placing specially crafted ‘FsTx’ files onto a USB drive or EFI partition, rebooting into the Windows Recovery Environment (WinRE), and then gaining unrestricted access to the BitLocker-protected storage volume by holding down the CTRL key. This revelation follows the researcher’s earlier disclosures of other zero-day vulnerabilities, including BlueHammer (CVE-2026-33825) and RedSun, both of which are currently being exploited in the wild.

In a series of disclosures, Nightmare Eclipse also revealed GreenPlasma, a privilege escalation issue that allows attackers to obtain a SYSTEM shell, and UnDefend, which can be exploited to obstruct Microsoft Defender definition updates. The motivations behind these disclosures appear to stem from dissatisfaction with how Microsoft’s Security Response Center (MSRC) has managed previous vulnerability reports.

Microsoft shares YellowKey mitigations

In response to the YellowKey vulnerability, Microsoft has assigned it the identifier CVE-2026-45585 and has released mitigation strategies to help protect against potential exploitation. In a recent advisory, Microsoft stated, “We are aware of a security feature bypass vulnerability in Windows publicly referred to as ‘YellowKey.’ The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices.”

To mitigate the risks associated with YellowKey, Microsoft recommends several measures:

  • Remove the autofstx.exe entry from the Session Manager’s BootExecute REG_MULTI_SZ value.
  • Reestablish BitLocker trust for WinRE by following the procedures outlined in the CVE-2026-33825 advisory.

Will Dormann, a principal vulnerability analyst at Tharros, elaborated on the mitigation process: “By preventing the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches, you eliminate the Transactional NTFS replaying that deletes winpeshl.ini.”

Furthermore, Microsoft advises customers to adjust BitLocker settings on already encrypted devices from “TPM-only” mode to “TPM+PIN” mode. This adjustment can be made via PowerShell, the command line, or the control panel, requiring a pre-boot PIN for drive decryption at startup, effectively blocking potential YellowKey attacks.

For devices that are not yet encrypted, administrators can enable the “Require additional authentication at startup” option through Microsoft Intune or Group Policies, ensuring that the “Configure TPM startup PIN” is set to “Require startup PIN with TPM.”
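The two mitigations above, as an added PowerShell helper that is not part of Microsoft's advisory or the article: it audits and removes the autofstx entry from a BootExecute REG_MULTI_SZ value and checks whether a volume still relies on a TPM-only protector before switching it to TPM+PIN. It assumes the BootExecute value sits under the standard Session Manager key of whichever hive you point it at (for the WinRE image, load that image's offline SYSTEM hive under a temporary key first and pass its path), that the script runs elevated, and that the "Require additional authentication at startup" policy already permits a TPM startup PIN.

```powershell
# Added example, not code from Microsoft or the article. Assumes an elevated
# session, the BitLocker cmdlets, and a policy that allows TPM+PIN protectors.

function Remove-AutoFsTxFromBootExecute {
    param(
        # Live hive by default; pass the path of a loaded offline WinRE hive to edit the image instead
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
        [switch]$AuditOnly
    )
    $current = @((Get-ItemProperty -Path $KeyPath -Name BootExecute).BootExecute)
    # REG_MULTI_SZ comes back as a string array; keep every entry except the one launching autofstx
    $kept = @($current | Where-Object { $_ -notmatch 'autofstx' })
    if ($kept.Count -eq $current.Count) {
        Write-Host "No autofstx entry in $KeyPath\BootExecute"
        return $false
    }
    Write-Host "autofstx entry found; BootExecute would become: $($kept -join ' | ')"
    if (-not $AuditOnly) {
        Set-ItemProperty -Path $KeyPath -Name BootExecute -Value $kept -Type MultiString
    }
    return $true
}

function Test-BitLockerTpmOnly {
    param([string]$MountPoint = 'C:')
    $types = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType)
    # 'Tpm' without 'TpmPin' is the configuration YellowKey abuses: the drive unlocks with no pre-boot PIN
    [pscustomobject]@{
        MountPoint = $MountPoint
        Protectors = ($types -join ',')
        TpmOnly    = ($types -contains 'Tpm') -and ($types -notcontains 'TpmPin')
    }
}

function Set-BitLockerTpmPin {
    param([string]$MountPoint = 'C:')
    $pin = Read-Host -Prompt 'New pre-boot PIN' -AsSecureString
    # Add the TPM+PIN protector first so the volume is never left without a TPM-based protector
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    # Then drop any leftover TPM-only protector so the drive can no longer unlock without the PIN
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
    Test-BitLockerTpmOnly -MountPoint $MountPoint
}

# Audit pass: report without changing anything
Remove-AutoFsTxFromBootExecute -AuditOnly
Test-BitLockerTpmOnly
```

Run the audit calls first; only call `Set-BitLockerTpmPin` once the recovery password for the volume is backed up, since a protector change is the point at which a forgotten PIN locks you out.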
