Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass
The exploitation is mitigated by preventing the FsTx Auto Recovery Utility from starting when the WinRE image launches. The post Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass appeared first on SecurityWeek .
AI Analysis
Technical Summary
YellowKey (CVE-2026-45585) is a physical access exploit that bypasses BitLocker encryption by manipulating the Windows Recovery Environment. It leverages the FsTx Auto Recovery Utility (autofstx.exe) triggered from a USB drive to delete the winpeshl.ini file, which controls WinRE behavior. This deletion causes WinRE to launch a command prompt instead of the recovery environment, exposing the encrypted system partition without BitLocker protection. Microsoft’s mitigation involves removing autofstx.exe from the WinRE image and reestablishing BitLocker trust, effectively preventing the exploit from running. The vulnerability affects systems using BitLocker with TPM-only or TPM+PIN configurations, though the latter may still be vulnerable. The exploit requires physical access and reboot into recovery mode. The underlying issue also suggests a potential vulnerability in Transactional NTFS replay capabilities.
Potential Impact
An attacker with physical access can bypass BitLocker encryption on the system storage device by exploiting this vulnerability, gaining access to encrypted data without needing the encryption key. This compromises the confidentiality of data protected by BitLocker on affected systems. The exploit requires rebooting into recovery mode with a specially crafted USB drive. Systems relying solely on TPM protection or TPM+PIN may be affected, though adding a PIN is recommended. There are no known exploits in the wild at this time.
Mitigation Recommendations
Microsoft has released official mitigations that prevent the FsTx Auto Recovery Utility from running during the WinRE image launch. Defenders should follow Microsoft's multi-stage process to mount the WinRE image, remove autofstx.exe, and reestablish BitLocker trust. Additionally, enabling a BitLocker PIN is recommended to add an extra layer of protection, though it may not fully prevent exploitation. Since this is not a cloud service, patch status is based on Microsoft's advisory, which confirms mitigations are available. Organizations should apply these mitigations promptly to prevent exploitation.
Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass
Description
The exploitation is mitigated by preventing the FsTx Auto Recovery Utility from starting when the WinRE image launches. The post Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass appeared first on SecurityWeek .
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
YellowKey (CVE-2026-45585) is a physical access exploit that bypasses BitLocker encryption by manipulating the Windows Recovery Environment. It leverages the FsTx Auto Recovery Utility (autofstx.exe) triggered from a USB drive to delete the winpeshl.ini file, which controls WinRE behavior. This deletion causes WinRE to launch a command prompt instead of the recovery environment, exposing the encrypted system partition without BitLocker protection. Microsoft’s mitigation involves removing autofstx.exe from the WinRE image and reestablishing BitLocker trust, effectively preventing the exploit from running. The vulnerability affects systems using BitLocker with TPM-only or TPM+PIN configurations, though the latter may still be vulnerable. The exploit requires physical access and reboot into recovery mode. The underlying issue also suggests a potential vulnerability in Transactional NTFS replay capabilities.
Potential Impact
An attacker with physical access can bypass BitLocker encryption on the system storage device by exploiting this vulnerability, gaining access to encrypted data without needing the encryption key. This compromises the confidentiality of data protected by BitLocker on affected systems. The exploit requires rebooting into recovery mode with a specially crafted USB drive. Systems relying solely on TPM protection or TPM+PIN may be affected, though adding a PIN is recommended. There are no known exploits in the wild at this time.
Mitigation Recommendations
Microsoft has released official mitigations that prevent the FsTx Auto Recovery Utility from running during the WinRE image launch. Defenders should follow Microsoft's multi-stage process to mount the WinRE image, remove autofstx.exe, and reestablish BitLocker trust. Additionally, enabling a BitLocker PIN is recommended to add an extra layer of protection, though it may not fully prevent exploitation. Since this is not a cloud service, patch status is based on Microsoft's advisory, which confirms mitigations are available. Organizations should apply these mitigations promptly to prevent exploitation.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/microsoft-rolls-out-mitigations-for-yellowkey-bitlocker-bypass/","fetched":true,"fetchedAt":"2026-05-20T15:48:33.417Z","wordCount":1065}
Threat ID: 6a0dd7d1ba1db473628c2c9b
Added to database: 5/20/2026, 3:48:33 PM
Last enriched: 5/20/2026, 3:48:49 PM
Last updated: 5/21/2026, 4:54:34 AM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.