Microsoft has rolled out mitigations for YellowKey, a recently disclosed zero-day vulnerability that leads to a BitLocker bypass and is now tracked as CVE-2026-45585 with a CVSS score of 6.8. An attacker with physical access can trigger the flaw by using a USB drive containing the YellowKey exploit code and rebooting into the Windows Recovery Environment (WinRE), where a shell is spawned instead of WinRE, exposing the underlying partition’s contents.
According to Microsoft, a successful exploit could allow an attacker to bypass BitLocker Device Encryption on the system storage device and access encrypted data. The mitigations prevent the FsTx Auto Recovery utility (autofstx[.]exe) from running automatically during the WinRE image’s initiation, a change described by Tharros Labs senior principal vulnerability analyst Will Dormann.
The underlying issue involves triggering FsTx from a USB drive to delete the winpeshl[.]ini file, which controls WinRE’s behaviour. With that file gone, the attack is served a command prompt with BitLocker effectively unlocked.