Microsoft has disclosed CVE-2026-45585, a Windows security feature bypass dubbed “YellowKey,” that allows attackers to access BitLocker-protected drives without the encryption key — and no patch is available, leaving organizations reliant on manual workarounds to close the exposure window until a fix is released.
The YellowKey Attack Path Through Windows Recovery Environment
The YellowKey attack targets the Windows Recovery Environment (WinRE), a recovery tool built into virtually all Windows installations. An attacker with physical or local access places specially crafted “FsTx” files on a USB drive or the EFI partition of the target device. After the system reboots into WinRE, holding CTRL triggers a shell that grants unrestricted access to the BitLocker-protected storage volume — without requiring the encryption key or PIN.
The attack path is accessible to anyone who can briefly handle the device. WinRE is present on essentially every Windows machine by default, and the FsTx technique works against BitLocker deployments configured in TPM-only mode — the default for many enterprise installations — because TPM-only mode does not require a PIN or password at boot. An attacker faces no additional authentication challenge once they have the device in hand.
Microsoft’s Decision to Disclose Without a Patch
Microsoft issued CVE-2026-45585 without an accompanying security update, explicitly stating it is “issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available.” No patch release timeline has been published. The disclosure-without-patch approach is uncommon for Microsoft and reflects the company’s judgment that organizations need to begin acting before a fix is ready.
Three Mitigations Available While the Patch Is Pending
Three interim measures are available. First, administrators can remove the autofstx.exe entry from the BootExecute value under the Session Manager registry key, which removes the mechanism the attack relies on to trigger the shell. Second, switching BitLocker from TPM-only mode to TPM+PIN mode closes the bypass by requiring a PIN at boot that an attacker does not possess. Third, enabling “Require additional authentication at startup” through Group Policy or Microsoft Intune enforces the TPM+PIN requirement at scale across managed endpoints.
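The following PowerShell script is an added example (not code from the article or from Microsoft) that audits the first two mitigations on a host: it checks the Session Manager BootExecute value for the autofstx.exe entry and reports whether each BitLocker volume is protected by TPM-only or TPM+PIN. It assumes the BootExecute entry can be identified by the substring "autofstx" (the article does not give the exact entry text), and the -Remediate switch is a hypothetical option of this script, not a Microsoft-provided setting.

```powershell
# Added example: audit (and optionally remediate) the YellowKey host mitigations.
# Run from an elevated PowerShell session. The "autofstx" match and the
# -Remediate switch are assumptions of this script, not from the article.
[CmdletBinding()]
param([switch]$Remediate)

$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. BootExecute is a REG_MULTI_SZ list; look for the autofstx.exe entry.
$bootExec    = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
$fstxEntries = @($bootExec | Where-Object { $_ -match 'autofstx' })

if ($fstxEntries.Count -gt 0) {
    Write-Warning "BootExecute contains: $($fstxEntries -join '; ')"
    if ($Remediate) {
        # Keep every other entry (e.g. autochk) and rewrite the multi-string value.
        $kept = @($bootExec | Where-Object { $_ -notmatch 'autofstx' })
        Set-ItemProperty -Path $smKey -Name BootExecute -Value ([string[]]$kept) -Type MultiString
        Write-Output 'Removed autofstx entry from BootExecute (takes effect on next boot).'
    }
} else {
    Write-Output 'BootExecute: no autofstx entry present.'
}

# 2. Report the protector mode of each BitLocker volume.
#    TPM-only (KeyProtectorType "Tpm" without a PIN protector) is the exposed configuration.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $mode = if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
                'TPM+PIN'
            } elseif ($types -contains 'Tpm') {
                'TPM-only (exposed to YellowKey)'
            } else {
                'no TPM protector'
            }
    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Protection = $vol.ProtectionStatus
        Mode       = $mode
        Protectors = ($types -join ',')
    }
}
```

Run it without -Remediate first to see the findings; the BitLocker mode change itself (adding a TPM+PIN protector) is a separate policy-driven step and is intentionally not automated here.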
BitLocker’s Role in Enterprise Data-at-Rest Protection
BitLocker is the default full-disk encryption solution for Windows 11 and Windows Server and is widely deployed in enterprise environments as the primary control against data exposure from lost or stolen devices. The security model depends on the assumption that an attacker who recovers a device — from a lost laptop, a stolen vehicle, or a border crossing seizure — cannot extract its contents. An unpatched bypass that requires only brief physical access directly breaks that assumption.
Elevated Risk for Organizations Running TPM-Only BitLocker Configurations
Organizations that have not configured TPM+PIN mode face the greatest exposure from YellowKey. Many enterprise BitLocker deployments default to TPM-only mode because it enables silent, PIN-free boot — a convenience trade-off that the YellowKey bypass now makes costly. Security teams should audit BitLocker configurations to determine whether TPM+PIN is enforced via policy, with priority given to devices assigned to executives, field personnel, and travelers who carry sensitive data and face elevated risk of physical device loss or seizure.
The combination of no patch and a technically simple attack vector makes interim mitigation deployment time-sensitive for any organization that treats disk encryption as a meaningful data protection control.
