Answer Brief
Microsoft issued a mitigation for CVE-2026-45585 (YellowKey), a zero-day BitLocker bypass allowing physical-access attackers to trigger an unrestricted shell in WinRE via USB-delivered FsTx files and CTRL key input. The flaw affects Windows 11 versions 24H2, 25H2, 26H1 and Windows Server 2025, revealing a critical limitation in TPM-only encryption that requires multi-factor pre-boot authentication to fully mitigate.
Signal Timeline
A quick visual path for analysts before reading the full brief.
1. Public disclosure of YellowKey vulnerability by researcher Chaotic Eclipse via GitHub
2. Microsoft releases official mitigation guidance for CVE-2026-45585

Why It Matters
The YellowKey exploit (CVE-2026-45585) reveals a persistent gap in the threat model of BitLocker when relying solely on TPM-only protection, demonstrating that hardware-based encryption can be circumvented not through cryptographic weakness but via manipulation of the pre-boot authentication flow. By placing specially crafted FsTx files on a USB drive and triggering the WinRE boot sequence, an attacker with physical access can induce the system to execute autofstx.exe — a Transactional NTFS utility — which, under normal circumstances, replays transaction logs to maintain filesystem consistency. However, in this case, the malicious FsTx payload causes the utility to delete winpeshl.ini, the default recovery shell launcher, allowing the attacker to replace it with a malicious executable and spawn an unrestricted shell with full access to the decrypted volume. This bypass does not break AES encryption but instead subverts the trust boundary between the firmware, boot manager, and WinRE, exploiting a behavioral assumption that the recovery environment will only launch legitimate recovery utilities.

The CVSS score of 6.8 reflects the exploit’s accessibility: low attack complexity (no credentials, no network, no software install) and high impact (full data access), but mitigated by the requirement for physical access, which limits scalability. Nevertheless, in environments such as corporate offices, shared workstations, kiosks, or scenarios involving device theft, this vector remains highly consequential. The fact that YellowKey affects multiple recent Windows 11 releases (24H2, 25H2, 26H1) and Windows Server 2025 indicates that the vulnerability resides in a core, long-standing component of the Windows recovery architecture rather than a recent code change, suggesting systemic exposure across generations of enterprise-deployed systems.

Microsoft’s mitigation strategy operates on two fronts: first, a tactical fix that prevents autofstx.exe from launching during WinRE initialization by editing the BootExecute REG_MULTI_SZ value within the WinRE image, thereby blocking the malicious FsTx trigger; second, a strategic recommendation to adopt TPM+PIN mode, which introduces a knowledge-based protector that cannot be bypassed by shell access alone. This layered approach acknowledges that while registry hardening stops the immediate exploit, true resilience requires multi-factor pre-boot authentication to defend against future variants that might abuse different WinRE components.

From an operational standpoint, organizations must now reassess their BitLocker deployment policies. TPM-only, while convenient for user experience, leaves systems vulnerable to pre-boot attacks where an attacker controls the boot environment. Security teams should validate whether their endpoint management tools (Intune, Configuration Manager) can enforce WinRE image integrity and TPM+PIN compliance at scale. Monitoring should focus on anomalous WinRE boot events, unauthorized USB device connections during boot sequences, and changes to BootExecute registry values within recovery images. Additionally, red team exercises should include physical access scenarios targeting WinRE to validate defenses beyond patch levels.

The YellowKey case also underscores a broader lesson in disk encryption security: the strength of full-disk encryption is only as robust as its weakest authentication factor. As long as pre-boot authentication relies on a single factor (like TPM) that can be spoofed or bypassed via physical manipulation, encryption remains conditional.
Moving forward, enterprises should treat pre-boot authentication as a critical control point, equivalent in importance to network firewalls or endpoint detection, and invest in hardening the entire boot chain — firmware, bootloader, and recovery environment — against unauthorized modification.
Event Type: security
Importance: high
Affected Companies
- Microsoft
Affected Sectors
- cybersecurity
- technology
Key Numbers
- CVSS Score: 6.8
- Affected Windows Versions: Windows 11 24H2, 25H2, 26H1; Windows Server 2025
Frequently Asked Questions
What is YellowKey and how does it bypass BitLocker?
YellowKey is a zero-day vulnerability (CVE-2026-45585) that allows attackers with physical access to bypass BitLocker encryption by placing malicious 'FsTx' files on a USB drive or EFI partition, triggering a privileged shell in the Windows Recovery Environment (WinRE) via the CTRL key during boot, abusing a trust assumption in the recovery interface.
Which systems are affected by the YellowKey exploit?
The vulnerability affects Windows 11 versions 24H2, 25H2, and 26H1 for x64-based systems, as well as Windows Server 2025 and its Server Core installation, when BitLocker is enabled and the system can be booted from USB or EFI.
What mitigation steps did Microsoft recommend for YellowKey?
Microsoft advises mounting the WinRE image, removing 'autofstx.exe' from the BootExecute registry value, saving and unloading the hive, recommitting the image, and re-establishing BitLocker trust. It also recommends switching from TPM-only to TPM+PIN authentication to require a startup PIN.
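The two mitigations described in this answer and in the Why It Matters section above, as an added PowerShell example that is neither Microsoft's script nor taken from the advisory: it removes the autofstx entry from BootExecute inside the WinRE image, recommits the image, re-registers WinRE, and then reports whether the OS volume still relies on a TPM-only protector. The staged image path, the temporary hive name, and the use of reagentc /disable and /enable as the "re-establish BitLocker trust" step are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script: applies both YellowKey mitigations on one host.
# ASSUMPTIONS (not from the advisory): the staged image path used after reagentc /disable,
# the temporary hive name, and that reagentc /enable is the "re-establish trust" step.
$ErrorActionPreference = 'Stop'
$WinReImage = 'C:\Windows\System32\Recovery\Winre.wim'   # where reagentc /disable stages it
$MountDir   = 'C:\WinRE_mount'
$HiveKey    = 'WinRE_SYSTEM'
$SessionMgr = "HKLM:\$HiveKey\ControlSet001\Control\Session Manager"   # offline hive: ControlSet001

function Invoke-Reg([string[]]$RegArgs) {
    & reg.exe @RegArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($RegArgs -join ' ') failed ($LASTEXITCODE)" }
}

reagentc /disable | Out-Null                       # stage Winre.wim at the path above
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WinReImage -Index 1 -Path $MountDir | Out-Null
try {
    Invoke-Reg @('load', "HKLM\$HiveKey", "$MountDir\Windows\System32\config\SYSTEM")
    $Before = @((Get-ItemProperty -Path $SessionMgr -Name BootExecute).BootExecute)
    # Keep every BootExecute entry that does not reference autofstx; write back as REG_MULTI_SZ.
    $After = @($Before | Where-Object { $_ -notmatch '(?i)autofstx' })
    if ($After.Count -lt $Before.Count) {
        Set-ItemProperty -Path $SessionMgr -Name BootExecute -Value $After -Type MultiString
        Write-Host "BootExecute: removed $($Before.Count - $After.Count) autofstx entry(ies)"
    } else { Write-Host 'BootExecute: no autofstx entry found; image unchanged' }
    [GC]::Collect()                                # release registry handles before unload
    Invoke-Reg @('unload', "HKLM\$HiveKey")
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null   # recommit the edited image
}
catch {
    & reg.exe unload "HKLM\$HiveKey" 2>$null | Out-Null
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
reagentc /enable | Out-Null                        # re-register WinRE (assumed trust step)

# Second mitigation: flag an OS volume that still relies on the TPM-only protector.
$Types = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.KeyProtectorType
if ($Types -contains 'TpmPin') {
    Write-Host 'OS volume already uses TPM+PIN'
} elseif ($Types -contains 'Tpm') {
    Write-Warning 'TPM-only protector found; replace it with TPM+PIN (policy must allow a startup PIN), e.g.:'
    Write-Warning 'Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin (Read-Host -AsSecureString)'
}
```

Run it elevated on a test machine first and confirm with reagentc /info that WinRE is enabled again afterwards; the protector swap is reported rather than performed because the existing TPM protector must be removed first and the PIN chosen interactively.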
Does YellowKey require network access or credentials to exploit?
No, YellowKey does not require software installation, existing credentials, or network access. It only needs physical access to a USB port and the ability to reboot the target machine, making any Windows device with BitLocker and a USB port a potential target.
Why is TPM+PIN more effective than TPM-only against YellowKey?
TPM+PIN requires a knowledge factor (PIN) during pre-boot authentication, which cannot be bypassed by triggering a shell in WinRE. Even if an attacker gains unrestricted access to the recovery environment via YellowKey, the BitLocker encryption key remains sealed until the correct PIN is entered, effectively blocking decryption of the drive.