Zero day alert: CVE-2026-45585
CVE-2026-45585 is a Windows security feature bypass zero-day vulnerability, publicly known as "YellowKey", that targets the protections provided by Microsoft BitLocker full-disk encryption.
This vulnerability can allow an attacker with physical access to a Windows device to:
- Bypass BitLocker protection mechanisms
- Access encrypted data on the system without authorization
- Potentially gain administrative command shell access in the Windows Recovery Environment (WinRE)
- Compromise the confidentiality, integrity, and availability of data on the device
The exploit abuses the Windows Recovery Environment by manipulating NTFS transaction logs and recovery configuration files. This can force WinRE to launch a privileged command prompt while the operating system volume is still unlocked: with a TPM-only protector, the TPM releases the volume key automatically at boot, so no PIN or startup key stands between the attacker and the decrypted data. Affected systems include certain versions of Windows 11 and Windows Server 2025.
Vulnerability details:
- Vulnerability type: Security Feature Bypass
- CVSS score: 6.8
- Attack vector: Physical access required
- User interaction: None
Microsoft has officially disclosed CVE-2026-45585 today. While a permanent patch is not yet available, Microsoft has released a mitigation script that removes the "autofstx.exe" entry from the BootExecute REG_MULTI_SZ value (under Control\Session Manager) in the offline SYSTEM registry hive of the Windows Recovery Environment (WinRE), preventing the executable from running during WinRE boot. Note that the edit targets the SYSTEM hive inside the WinRE image, not the SYSTEM hive of the running operating system. For details of the mitigation, see:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
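The following PowerShell is an added illustration of the mitigation described above; it is not Microsoft's mitigation script, and it should not be used in place of it. It assumes (none of this comes from the advisory) that the WinRE image can be staged with reagentc /disable to C:\Windows\System32\Recovery\Winre.wim, that C:\Mount\WinRE is a free mount directory, and that the offending BootExecute entry is any string containing autofstx. It resolves the control set from the offline hive's Select\Current value, removes the entry, re-reads the value to verify the removal, and re-enables WinRE.

```powershell
# Added example, not Microsoft's mitigation script. Run from an elevated PowerShell.
# Assumptions (not from the advisory): Winre.wim is staged by 'reagentc /disable',
# C:\Mount\WinRE is a free mount directory, and the entry to remove contains "autofstx".
#Requires -RunAsAdministrator

$MountDir = 'C:\Mount\WinRE'
$WinReWim = "$env:SystemRoot\System32\Recovery\Winre.wim"
$HiveName = 'WinRE_SYSTEM'

# 1. Stage the WinRE image so it can be edited offline.
reagentc /disable | Out-Null
if (-not (Test-Path $WinReWim)) { throw "Winre.wim not found at $WinReWim" }
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null

try {
    # 2. Load the image's SYSTEM hive under a temporary key name.
    reg load "HKLM\$HiveName" "$MountDir\Windows\System32\config\SYSTEM" | Out-Null

    # An offline hive has no CurrentControlSet link; pick the set named in Select\Current.
    $current = (Get-ItemProperty "HKLM:\$HiveName\Select").Current
    $smKey   = 'HKLM:\{0}\ControlSet{1:D3}\Control\Session Manager' -f $HiveName, $current

    $before = @((Get-ItemProperty $smKey -Name BootExecute).BootExecute)
    Write-Host "BootExecute before: $($before -join ' | ')"

    # 3. Drop only entries that launch autofstx; keep everything else (e.g. autochk).
    $after = @($before | Where-Object { $_ -notmatch '(?i)\bautofstx(\.exe)?\b' })

    if ($after.Count -eq $before.Count) {
        Write-Host 'No autofstx.exe entry present; nothing to change.'
    } else {
        Set-ItemProperty -Path $smKey -Name BootExecute -Value $after -Type MultiString

        # Verify by re-reading the value from the hive rather than trusting $after.
        $verify = @((Get-ItemProperty $smKey -Name BootExecute).BootExecute)
        if ($verify -match '(?i)autofstx') { throw 'autofstx.exe still present after edit' }
        Write-Host "BootExecute after:  $($verify -join ' | ')"
    }
}
finally {
    # 4. Release the provider's handle on the hive before unloading, then commit the image.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg unload "HKLM\$HiveName" | Out-Null
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    reagentc /enable | Out-Null
}
```

After the script finishes, reagentc /info should report "Windows RE status: Enabled" again; if the dismount with -Save fails, rerun it with -Discard before retrying, otherwise the mount directory stays locked. The reg unload step is the usual failure point when editing offline hives from PowerShell, which is why the GC call precedes it.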
Regards,
The ManageEngine Team