- Microsoft has released a mitigation for a critical BitLocker bypass flaw called “YellowKey” (CVE-2026-45585).
- The vulnerability allows attackers with physical access to circumvent device encryption on Windows 11 and Server 2025 systems using a specially crafted USB drive.
- The primary mitigation involves modifying the Windows Recovery Environment and switching from TPM-only to TPM+PIN authentication for BitLocker.
- The proof of concept was publicly disclosed, violating coordinated vulnerability disclosure practices.
Microsoft moved swiftly this week to address a dangerous security flaw that threatens the core integrity of its BitLocker encryption, a feature widely trusted for securing sensitive data. The vulnerability, publicly disclosed as “YellowKey” and tracked as CVE-2026-45585, presents a direct challenge to the encrypted wallets and private keys stored by cryptocurrency users on affected Windows systems.
It enables a threat actor with physical access to completely bypass BitLocker Device Encryption. Consequently, an attacker could gain unrestricted access to a protected system’s storage, as detailed in a Microsoft advisory.
The exploit involves placing specially crafted files on a USB drive and triggering the Windows Recovery Environment. According to the researcher, holding down the CTRL key then spawns “a shell with unrestricted access to the BitLocker protected volume.”
Microsoft’s mitigation requires administrators to manually modify the WinRE image and system registry. Specifically, they must remove the “autofstx.exe” value to prevent the automatic utility from running, a step security researcher Will Dormann explained on social media.
The company also strongly advises changing the BitLocker configuration for enhanced security. For existing encrypted devices, users should switch from “TPM-only” to “TPM+PIN” mode, which requires a startup PIN.
For devices not yet encrypted, enabling “Require additional authentication at startup” via policy is critical. The incident also underscores the persistent physical attack vectors that can compromise even robust software-based encryption, a sobering reminder for asset holders.
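The TPM-only to TPM+PIN change described above, as an added PowerShell example that is not part of the article or of Microsoft's advisory. It assumes the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) and, as a stand-in for a GPO or Intune policy, writes the local registry values behind “Require additional authentication at startup” under HKLM\SOFTWARE\Policies\Microsoft\FVE (the numeric settings used are the ones those policies write; confirm them against your own baseline). It does not touch the WinRE image, which the article describes only in outline.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's or Microsoft's code: audit the OS volume's
# BitLocker protectors and, when only a bare TPM protector guards it, move to
# TPM+PIN. Run without -Remediate to audit; add -Remediate to change protectors.
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$Remediate
)

Import-Module BitLocker

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

"Volume {0}: ProtectionStatus={1} Protectors={2}" -f $MountPoint, $vol.ProtectionStatus, ($types -join ', ')

# TPM-only means a Tpm protector exists and no PIN-bearing protector does.
$tpmOnly = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')

if (-not $tpmOnly) {
    "No TPM-only protector on $MountPoint; nothing to do."
    return
}

Write-Warning "TPM-only protector found on $MountPoint (no pre-boot authentication required)."
if (-not $Remediate) { return }

# Make sure a recovery password exists and is escrowed before touching protectors:
# between removing the TPM protector and the next successful boot it is the fallback.
if (-not ($types -contains 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}
$recovery = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
"Recovery password (escrow in AD/Entra/Intune before rebooting): $recovery"

# Policy must permit a startup PIN, otherwise Add-BitLockerKeyProtector refuses.
# These are the local registry values behind "Require additional authentication
# at startup"; a domain GPO or Intune profile would normally set them instead.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord   # policy enabled
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # 1 = require TPM+PIN
Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord   # 0 = TPM-only not allowed

# Only one TPM-family protector may exist per volume, so drop the bare TPM
# protector first, then add the TPM+PIN protector with a PIN read interactively.
$pin   = Read-Host -AsSecureString -Prompt "Startup PIN (at least 6 digits)"
$tpmId = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm').KeyProtectorId
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpmId | Out-Null
Add-BitLockerKeyProtector    -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# Show the resulting protector set; expect TpmPin and RecoveryPassword, no bare Tpm.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

The audit pass is safe to run fleet-wide and is the quickest way to find machines still relying on a bare TPM protector; the remediation pass should be tried on a test machine first, since the PIN becomes mandatory at the next boot and the only fallback is the recovery password the script prints.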