Microsoft shares mitigation for YellowKey Windows zero-day

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-yellowkey-windows-zero-day/

ONE SENTENCE SUMMARY:

Microsoft issued mitigations for the YellowKey BitLocker zero-day, detailing registry, WinRE, and TPM+PIN changes that reduce the risk of exploitation.

MAIN POINTS:

  1. YellowKey is a Windows BitLocker zero-day enabling access to protected drives.
  2. Anonymous researcher “Nightmare Eclipse” disclosed it and released a proof-of-concept exploit.
  3. Exploitation uses crafted FsTx files on USB/EFI, booting into WinRE.
  4. Holding CTRL reportedly triggers an unrestricted shell against BitLocker-protected volumes.
  5. Microsoft tracks YellowKey as CVE-2026-45585 and published interim mitigations.
  6. Guidance includes removing autofstx.exe from Session Manager BootExecute registry value.
  7. Mitigation requires reestablishing BitLocker trust for WinRE using CVE-2026-33825 procedures.
  8. Analyst explanation: blocking autofstx.exe stops the NTFS replay from deleting winpeshl.ini.
  9. Microsoft recommends switching encrypted devices from TPM-only to TPM+PIN pre-boot authentication.
  10. For unencrypted devices, enforce additional startup authentication via Intune/Group Policy settings.
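
A defender-side check for the BootExecute mitigation in point 6, added here as an example that is not from the article or from Microsoft's own guidance: it reads the Session Manager BootExecute value, reports any entry referencing autofstx.exe, and removes it only when -Remove is passed. The registry key and value name are the standard Session Manager ones; the exact form of the autofstx entry is not given on this page, so matching on the substring "autofstx" is an assumption.

```powershell
# Added example: audit (and optionally remove) the autofstx.exe entry in BootExecute.
# Assumption: the entry contains the substring "autofstx"; the exact entry text is
# not on this page, so adjust the pattern to match Microsoft's published guidance.
param(
    [switch]$Remove   # without -Remove the script only reports, it changes nothing
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'BootExecute'

function Get-BootExecuteEntries {
    # BootExecute is REG_MULTI_SZ; each element is one native command run at boot
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop
    return @($item.$valueName)
}

function Test-AutoFsTxEntry {
    param([string]$Entry)
    # Assumed match: any entry that launches autofstx
    return $Entry -match 'autofstx'
}

$entries = Get-BootExecuteEntries
Write-Host "Current $valueName entries:"
$entries | ForEach-Object { Write-Host "  $_" }

$flagged = @($entries | Where-Object { Test-AutoFsTxEntry $_ })
if ($flagged.Count -eq 0) {
    Write-Host 'No autofstx entry found; mitigation already applied or not applicable.'
    return
}

Write-Warning "autofstx entry present: $($flagged -join '; ')"

if ($Remove) {
    # Keep every other entry (for example the default 'autocheck autochk *') untouched
    $kept = @($entries | Where-Object { -not (Test-AutoFsTxEntry $_) })
    # Save the original value first so the change can be reverted
    $backup = Join-Path $env:TEMP ('BootExecute-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    $entries | Set-Content -Path $backup
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $kept -Type MultiString
    Write-Host "Removed autofstx entry; original value saved to $backup. Reboot required."
} else {
    Write-Host 'Re-run with -Remove from an elevated prompt to delete the entry.'
}
```

Point 7 on this page says the BootExecute change must be followed by re-establishing BitLocker trust for WinRE; this script does not perform that step.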

TAKEAWAYS:

  1. Treat WinRE and boot-time paths as critical attack surfaces for BitLocker bypasses.
  2. Implement registry and WinRE trust hardening immediately while awaiting a security update.
  3. Enforcing TPM+PIN materially raises the bar against pre-boot local bypass techniques.
  4. Public PoCs increase likelihood of real-world exploitation, demanding rapid configuration changes.
  5. Validate security controls beyond pentest “reachability,” including detection and configuration effectiveness.