thehackernews.com via Reddit

Microsoft BitLocker bypass leaves Windows 11 exposed

microsoft cybersecurity windows-security bitlocker cve zero-day

Key insights

  • Microsoft confirmed no full patch exists; enterprises must manually modify WinRE or enforce TPM+PIN to close CVE-2026-45585.
  • YellowKey grants full read-write encrypted volume access via a pre-boot shell requiring only brief physical device access.
  • A circulating public proof-of-concept converts the flaw from theoretical to actively exploitable by low-sophistication attackers.

Why this matters

BitLocker is the default encryption standard across Windows enterprise fleets, and a bypass with no patch means every affected machine requires manual remediation at scale rather than a routine update. The shift from TPM-only to TPM+PIN fundamentally disrupts operational workflows for unattended systems like kiosks, ATMs, and field devices that cannot support interactive pre-boot authentication. With a public PoC already circulating, the window before opportunistic exploitation narrows to weeks, forcing security teams to reprioritize remediation ahead of other patch cycles.

Summary

A physical-access vulnerability in Windows 11 and Windows Server 2025 lets an attacker spawn an unrestricted shell during WinRE pre-boot recovery, bypassing BitLocker encryption entirely. CVE-2026-45585, dubbed 'YellowKey', exploits how autofstx.exe is handled in the Windows Recovery Environment, handing over full read-write volume access without a PIN or TPM key. Microsoft has acknowledged the flaw but has no patch ready. Essentially, Microsoft and enterprise IT teams face an open exposure window while a public proof-of-concept already circulates.

  • Mitigations are limited to two options: strip autofstx.exe from the WinRE registry image, or enforce TPM+PIN via PowerShell or Group Policy.
  • Every Windows 11 version and Windows Server 2025 is affected, with no hardware exceptions listed.
  • The public PoC converts a theoretical flaw into an operational one for anyone with brief device access.

Unattended kiosks and laptop fleets in field environments are the highest-risk category until Microsoft ships a proper patch.
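
The second mitigation above, enforcing TPM+PIN, can be scripted for a fleet. The PowerShell below is an added example, not code from the article or from Microsoft: it finds operating-system volumes that are still TPM-only, sets the local BitLocker policy to require a startup PIN, and swaps the bare TPM protector for a TPM+PIN protector. It uses the stock BitLocker cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector). The function names are hypothetical, and the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed to follow the standard mapping of the "Require additional authentication at startup" policy (UseAdvancedStartup=1 enables it, UseTPMPIN=1 requires a PIN with TPM, UseTPM=0 disallows TPM-only); confirm them against your own Group Policy export before deploying.

```powershell
# Added example, not from the article: audit for TPM-only BitLocker OS volumes
# and move them to TPM+PIN. Run from an elevated PowerShell session.

function Get-TpmOnlyVolume {
    # OS volumes whose TPM-based protector is the bare 'Tpm' type (no PIN).
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        Where-Object {
            $types = @($_.KeyProtector.KeyProtectorType)
            ($types -contains 'Tpm') -and
            -not ($types -contains 'TpmPin') -and
            -not ($types -contains 'TpmPinStartupKey')
        }
}

function Set-TpmPinRequiredPolicy {
    # Local equivalent of the GPO "Require additional authentication at startup".
    # Assumed value mapping: UseAdvancedStartup=1 enable, UseTPMPIN=1 require PIN, UseTPM=0 disallow TPM-only.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'UseTPMPIN'          -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'UseTPM'             -Value 0 -Type DWord
}

function Convert-ToTpmPin {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Keep a recovery password on the volume before touching the TPM protector,
    # so the disk stays recoverable if the PIN step fails part-way.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Only one TPM-based protector may exist per volume, so remove the bare TPM
    # protector first, then add TPM+PIN.
    foreach ($kp in $vol.KeyProtector) {
        if ($kp.KeyProtectorType -eq 'Tpm') {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Return the resulting protector types so the caller can log them.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
}

# Usage: apply the policy, then convert each TPM-only OS volume.
# The PIN is numeric unless enhanced PINs are enabled by policy.
Set-TpmPinRequiredPolicy
$pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
foreach ($v in Get-TpmOnlyVolume) {
    $types = Convert-ToTpmPin -MountPoint $v.MountPoint -Pin $pin
    Write-Output ("{0}: protectors now {1}" -f $v.MountPoint, ($types -join ', '))
}
```

Back up and escrow the recovery passwords (Active Directory, Entra ID, or your key management system) before running this at scale; once the TPM-only protector is gone, a forgotten PIN leaves the recovery password as the only way into the volume.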

Potential risks and opportunities

Risks

  • Enterprise IT teams managing large TPM-only BitLocker fleets face manual, machine-by-machine remediation with no automated patch, creating a long tail of physically exploitable devices during the exposure window
  • Unattended kiosk operators in retail, healthcare, and banking running Windows 11 cannot adopt TPM+PIN without redesigning pre-boot authentication flows, leaving them exposed until a full patch ships
  • Government and defense contractors using Windows Server 2025 in physically accessible environments risk compliance failures if auditors classify the unpatched CVE-2026-45585 as an open critical vulnerability under FedRAMP or CMMC frameworks

Opportunities

  • Endpoint management vendors with automated WinRE remediation and policy enforcement capabilities (Tanium, Ivanti, Microsoft Intune) can accelerate enterprise deployments targeting the TPM+PIN migration workflow
  • Hardware security vendors offering TPM+PIN-compatible pre-boot authentication gain an immediate, urgency-driven sales argument for device refresh cycles at affected enterprise accounts
  • Managed service providers specializing in regulated-industry Windows fleet management (Booz Allen Digital, Leidos IT divisions) can position emergency remediation engagements directly against the unpatched exposure timeline

What we don't know yet

  • Whether Microsoft has a committed patch timeline for CVE-2026-45585 or whether the flaw will remain mitigation-only beyond the next Patch Tuesday cycle
  • Whether removing autofstx.exe from the WinRE image fully closes the attack surface or introduces secondary recovery failures on specific hardware configurations
  • Origin and coordination status of the YellowKey PoC -- whether it emerged from a responsible disclosure process or was independently published without vendor coordination