
Microsoft Details Mitigations for YellowKey Windows BitLocker Zero-Day Exploit

Microsoft shared guidance on Tuesday for the YellowKey Windows BitLocker zero-day, a vulnerability disclosed last week by the anonymous researcher known as ‘Nightmare Eclipse.’ The flaw allows attackers to bypass BitLocker protections and access encrypted drives, undermining the integrity of one of Windows’ core disk encryption mechanisms.

Nightmare Eclipse published a proof-of-concept (PoC) exploit demonstrating how specially crafted FsTx files placed on a USB drive or EFI partition can trigger a shell with unrestricted access to BitLocker-protected volumes when booting into the Windows Recovery Environment (WinRE) and holding the CTRL key. Microsoft assigned this vulnerability CVE-2026-45585 and urged users to apply workarounds until an official patch is released.

Technical Details of the YellowKey Windows BitLocker Zero-day Exploit

The YellowKey zero-day targets BitLocker, Microsoft’s full-disk encryption feature designed to protect data on Windows devices. BitLocker relies on the Trusted Platform Module (TPM) and optionally a PIN or startup key to secure the encryption keys. The vulnerability exploits the Windows Recovery Environment (WinRE) boot process, specifically the execution of the autofstx.exe utility, which is responsible for replaying Transactional NTFS (TxF) operations to maintain file system integrity.

Exploiting the flaw requires physical access to the device to insert a USB drive or modify the EFI system partition with maliciously crafted FsTx files. These files are designed to manipulate the Transactional NTFS replay mechanism. When the system boots into WinRE, autofstx.exe automatically runs and replays a TxF operation that deletes the winpeshl.ini file, a critical configuration file that normally restricts shell access in WinRE.

By deleting winpeshl.ini, the attacker effectively disables the WinRE shell restrictions, allowing them to spawn an unrestricted command prompt. Holding down the CTRL key during the WinRE boot process triggers this shell, granting full access to the encrypted volume without requiring the BitLocker key or PIN. This bypasses the encryption protections and exposes all data on the drive, including sensitive user files and system information.

The attack chain can be summarized as follows:

  1. Attacker gains physical access to the target device.
  2. Inserts a USB drive or modifies the EFI partition with specially crafted FsTx files.
  3. Reboots the device into Windows Recovery Environment (WinRE).
  4. During boot, autofstx.exe runs automatically and replays the TxF operation, deleting winpeshl.ini.
  5. Holding the CTRL key triggers an unrestricted command shell in WinRE.
  6. Attacker accesses BitLocker-protected volumes without authentication.

This vulnerability abuses the lesser-known TxF replay mechanism, a feature introduced in Windows Vista for transactional file operations, which has been deprecated but remains present for backward compatibility. The misuse of this mechanism in WinRE to delete critical configuration files is an innovative technique that bypasses BitLocker’s encryption safeguards.

Nightmare Eclipse described YellowKey as a backdoor and released the PoC publicly, bypassing coordinated disclosure norms. The researcher has also leaked several other zero-days recently, including BlueHammer (CVE-2026-33825), a local privilege escalation (LPE) flaw actively exploited in the wild, and RedSun, another LPE vulnerability without an assigned CVE. These disclosures have raised concerns about the robustness of Windows’ recovery and privilege mechanisms.

Microsoft’s Response and Steps for YellowKey

Microsoft’s advisory acknowledges the flaw and the public PoC release, noting the breach of coordinated vulnerability disclosure protocols. The company assigned CVE-2026-45585 and issued guidance to limit exposure ahead of a security update. The advisory emphasizes that the vulnerability requires physical access and interaction during the WinRE boot process, limiting remote exploitation risk but posing a risk in scenarios such as lost or stolen devices.

The primary mitigation involves removing the autofstx.exe entry from the Session Manager’s BootExecute REG_MULTI_SZ registry value. This stops the FsTx Auto Recovery Utility from starting automatically during WinRE, preventing the Transactional NTFS replay that deletes winpeshl.ini and thereby blocking the shell spawn. Administrators can apply this change via registry editing or PowerShell scripts.

“Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches,” explained Will Dormann, principal vulnerability analyst at Tharros. “With this change, the Transactional NTFS replaying that deletes winpeshl.ini no longer happens.”
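One way to apply this mitigation from an elevated PowerShell session, as an added example that is not the article’s or Microsoft’s own script: the WinRE image is staged with reagentc, mounted, its offline SYSTEM hive is loaded, and any BootExecute element naming autofstx.exe is dropped. The scratch folders, the temporary hive key name and the use of the image’s default control set are assumptions; the winre.wim location and hive path are the standard Windows layout, not values from the page.

```powershell
# Added example: remove autofstx.exe from BootExecute inside the offline WinRE image.
# Assumes an elevated session, WinRE currently enabled, and free scratch folders.
$ErrorActionPreference = 'Stop'
$Mount  = 'C:\WinRE_Mount'     # assumed scratch directory for the mounted image
$Backup = 'C:\WinRE_Backup'    # assumed location for an untouched copy of winre.wim

# 1. reagentc /disable stages winre.wim under \Windows\System32\Recovery for editing.
reagentc /disable | Out-Null
$Wim = Join-Path $env:SystemRoot 'System32\Recovery\winre.wim'
New-Item -ItemType Directory -Force -Path $Mount, $Backup | Out-Null
Copy-Item $Wim (Join-Path $Backup 'winre.wim') -Force

# 2. Mount the image and load its SYSTEM hive under a temporary key (assumed name).
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null
$Hive = Join-Path $Mount 'Windows\System32\config\SYSTEM'
reg load HKLM\WinRE_SYS $Hive | Out-Null

# 3. An offline hive has no CurrentControlSet; resolve the default control set via Select\Current.
$Current = (Get-ItemProperty -Path 'HKLM:\WinRE_SYS\Select').Current
$Key     = "HKLM:\WinRE_SYS\ControlSet{0:D3}\Control\Session Manager" -f $Current
$Boot    = @((Get-ItemProperty -Path $Key -Name BootExecute).BootExecute)
Write-Host "BootExecute before: $($Boot -join ' | ')"

# Drop only the REG_MULTI_SZ elements that invoke autofstx.exe; autochk and others stay.
$Filtered = @($Boot | Where-Object { $_ -notmatch '(?i)autofstx' })
if ($Filtered.Count -eq $Boot.Count) {
    Write-Host 'No autofstx entry present; image left unchanged.'
} else {
    Set-ItemProperty -Path $Key -Name BootExecute -Value $Filtered -Type MultiString
    Write-Host "BootExecute after:  $($Filtered -join ' | ')"
}

# 4. Release handles, unload the hive, commit the image and re-register WinRE.
[GC]::Collect(); [GC]::WaitForPendingFinalizers()
reg unload HKLM\WinRE_SYS | Out-Null
Dismount-WindowsImage -Path $Mount -Save | Out-Null
reagentc /enable | Out-Null
reagentc /info
```

Keep the backup copy until the device has been booted into WinRE once and confirmed to start normally, since a failed unload or a dismount without -Save leaves the image unchanged rather than repaired.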

Microsoft also recommends reestablishing BitLocker trust for WinRE by following the procedure detailed in the CVE-2026-33825 advisory for BlueHammer, which involves resetting recovery keys and ensuring WinRE is properly configured. This step is critical because improper WinRE configuration can allow attackers to exploit multiple vulnerabilities, including YellowKey.

Furthermore, Microsoft has highlighted the importance of restricting physical access to devices and ensuring that BitLocker recovery keys are securely managed and not stored on easily accessible media. The company is reportedly working on a security update to address the root cause by modifying how autofstx.exe operates during WinRE and hardening TxF replay mechanisms.

Changing BitLocker Authentication to Block YellowKey Windows BitLocker Zero-day Attacks

Microsoft advises switching from “TPM-only” BitLocker mode to “TPM+PIN” mode on already encrypted devices. TPM-only mode allows the device to unlock the drive automatically if the TPM detects no tampering, but this mode is vulnerable to physical bypasses like YellowKey. Adding a PIN requires user interaction during boot, preventing unauthorized access even if the attacker controls the boot environment.

Admins can enable TPM+PIN mode via PowerShell using the Enable-BitLocker cmdlet with the -UsedSpaceOnly and -Pin parameters, or through the Control Panel under BitLocker settings. For devices not yet encrypted, enabling “Require additional authentication at startup” in Group Policy enforces the same protection. This policy is found under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

Enabling TPM+PIN mode effectively mitigates YellowKey because the exploit cannot bypass the pre-boot PIN prompt, which is enforced before WinRE or any recovery environment can be accessed. This forces attackers to know or brute-force the PIN, significantly raising the difficulty of exploitation.
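The following added example (not code from the article or from Microsoft) first reports which OS volumes still unlock with a bare TPM protector, which is also the audit the later guidance calls for, and then converts them to TPM+PIN. The article names Enable-BitLocker; on a volume that is already encrypted this example uses Add-BitLockerKeyProtector instead, and it checks the FVE policy values that back the “Require additional authentication at startup” Group Policy setting before attempting the change. The function names are mine.

```powershell
# Added example: audit OS volumes for TPM-only BitLocker and move them to TPM+PIN.
# Assumes an elevated session on the device being changed.
$ErrorActionPreference = 'Stop'

function Test-PinPolicyAllowed {
    # Registry backing of the Group Policy setting: UseAdvancedStartup=1 turns the policy on,
    # UseTPMPIN 1 = require a startup PIN, 2 = allow one. Without this, adding a PIN fails.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.UseAdvancedStartup -eq 1) -and ($p.UseTPMPIN -in 1, 2)
}

function Get-OsVolumeProtectorReport {
    # One row per operating-system volume with its protector types and a TPM-only flag.
    Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | ForEach-Object {
        $types = @($_.KeyProtector.KeyProtectorType)
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            Status     = $_.VolumeStatus
            Protectors = $types -join ','
            TpmOnly    = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        }
    }
}

$report = Get-OsVolumeProtectorReport
$report | Format-Table -AutoSize

if (-not (Test-PinPolicyAllowed)) {
    Write-Warning 'Policy does not permit a TPM startup PIN; enable the Group Policy setting first.'
    return
}

foreach ($vol in $report | Where-Object TpmOnly) {
    $pin = Read-Host -AsSecureString "Startup PIN for $($vol.MountPoint)"
    Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    # If a bare TPM protector survived the add, remove it so the drive never unlocks without the PIN.
    $tpm = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
           Where-Object KeyProtectorType -eq 'Tpm'
    if ($tpm) {
        Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $tpm.KeyProtectorId | Out-Null
    }
    Write-Host "$($vol.MountPoint): TPM-only protector replaced with TPM+PIN."
}
```

Confirm a recovery password protector is escrowed before running the conversion, because a volume whose only remaining protector is TPM+PIN cannot be recovered if the PIN is forgotten.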

Background on Nightmare Eclipse’s Exploit Disclosures

Nightmare Eclipse has disclosed multiple zero-day vulnerabilities targeting Windows security features, primarily focusing on local privilege escalations and recovery environment weaknesses. Besides YellowKey, the researcher leaked GreenPlasma, a local privilege escalation allowing SYSTEM shell access by exploiting a race condition in Windows service management, and UnDefend, which blocks Microsoft Defender definition updates from standard user accounts by manipulating Windows Update permissions.

The researcher states these disclosures respond to perceived shortcomings in Microsoft Security Response Center’s handling of past vulnerability reports, including delays and lack of communication. While the exact motivations remain speculative, the public PoCs increase risk for organizations with vulnerable systems by enabling attackers to develop exploits rapidly.

Historically, public zero-day disclosures without prior vendor coordination have led to widespread exploitation, as seen with the WannaCry ransomware outbreak that used the EternalBlue SMB vulnerability. Microsoft has since emphasized coordinated vulnerability disclosure to balance public awareness with risk mitigation.

Affected Systems and Timeline

| Vulnerability | CVE | Affected Components | Disclosure Date |
|---|---|---|---|
| YellowKey Windows BitLocker zero-day | CVE-2026-45585 | Windows BitLocker, WinRE, autofstx.exe | March 2026 |
| BlueHammer Local Privilege Escalation | CVE-2026-33825 | Windows Local Privilege Escalation | February 2026 |
| RedSun Local Privilege Escalation | None assigned | Windows Local Privilege Escalation | February 2026 |

YellowKey affects Windows 10 and Windows 11 systems with BitLocker enabled and configured to use TPM-only authentication. Both client and server editions are vulnerable if the recovery environment is accessible and autofstx.exe is present in the WinRE image. Systems with custom WinRE images or third-party recovery tools may also be at risk if they include the vulnerable utility.

Microsoft has not announced a timeline for a patch addressing YellowKey. Until then, the recommended mitigations remain the only defense against this bypass of BitLocker protections. Devices relying solely on TPM without a PIN remain vulnerable, highlighting the importance of layered security controls and physical device protection.

Implications for Enterprise Security and Incident Response

The YellowKey vulnerability poses significant challenges for enterprise security teams, particularly those managing large fleets of Windows devices with BitLocker enabled. Since the exploit requires physical access and interaction during the recovery environment boot, organizations should reassess their endpoint physical security policies, including device handling, storage, and access controls.

Incident response teams should consider the possibility of undetected YellowKey exploitation in scenarios involving lost or stolen devices. Forensic analysis of WinRE logs and USB device history may provide indicators of compromise, although the transient nature of the attack and lack of persistent artifacts complicate detection.

Organizations should also audit their BitLocker configurations to ensure TPM+PIN or TPM+Startup Key modes are enforced, reducing the attack surface. Group Policy settings can enforce these configurations centrally, and compliance monitoring tools should verify adherence.

Furthermore, the YellowKey exploit underscores the need for robust recovery key management. Recovery keys should never be stored locally or on removable media accessible to unauthorized users. Instead, keys should be escrowed securely in Active Directory or Azure Active Directory, with strict access controls and auditing enabled.

Historical Context of BitLocker Vulnerabilities

BitLocker has been a cornerstone of Windows disk encryption since its introduction in Windows Vista. Despite its robust design, several vulnerabilities have been discovered over the years, often related to key management, TPM interactions, or recovery environments.

For example, in 2016, researchers demonstrated attacks exploiting cold boot vulnerabilities to extract BitLocker keys from memory. Other attacks have targeted TPM firmware or used DMA attacks via Thunderbolt ports to bypass BitLocker protections. YellowKey differs by exploiting the recovery environment’s file system transaction replay to gain unauthorized shell access, representing a novel attack vector.

Microsoft has continually updated BitLocker and related components to address these threats, including integrating support for multifactor authentication at startup and improving TPM firmware security. The emergence of YellowKey highlights ongoing challenges in securing recovery environments, which must balance usability and security.

Future Outlook and Patch Expectations

Given the severity of YellowKey and the public availability of the PoC, Microsoft is under pressure to release a security update promptly. The fix will likely involve changes to the WinRE image, specifically disabling or modifying the behavior of autofstx.exe to prevent unauthorized TxF replay operations.

Additionally, Microsoft may introduce enhanced integrity checks for WinRE components and strengthen protections around critical configuration files like winpeshl.ini. These measures will aim to harden the recovery environment against tampering and unauthorized shell access.

Security researchers and enterprise administrators should monitor Microsoft’s security advisories closely and prepare to deploy patches as soon as they become available. In the meantime, applying the recommended mitigations and enforcing stronger BitLocker authentication modes remain essential to protect sensitive data from physical attacks like YellowKey.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
