Microsoft Criticizes YellowKey PoC as Researcher Fires Back

The dispute started during the BlueHammer release


[Image: Microsoft / YellowKey researcher. Image credit: Microsoft]

Microsoft has published mitigation guidance for a newly disclosed Windows BitLocker bypass vulnerability known as YellowKey. The flaw, tracked as CVE-2026-45585, targets the Windows Recovery Environment and could let attackers bypass BitLocker protections under certain conditions.

The issue gained attention after security researcher Nightmare-Eclipse released a public proof-of-concept exploit. Microsoft criticized the release, saying it did not follow coordinated vulnerability disclosure practices and could increase risks for users before a complete security update becomes available.

Microsoft and researcher clash again

The dispute follows earlier tensions between Microsoft and Nightmare-Eclipse around previous proof-of-concept releases, including BlueHammer. After that disagreement, the researcher also released tools and projects named RedSun, UnDefend, GreenPlasma, and MiniPlasma.

Nightmare-Eclipse rejected Microsoft’s criticism and accused the company of harming their reputation. The researcher also claimed Microsoft revoked and later wiped access to their Microsoft Security Response Center account.

Microsoft has not publicly addressed those specific allegations, but the company continues to warn against releasing exploit code before patches are widely available.

How the YellowKey attack works

According to the published details, YellowKey affects the Windows Recovery Environment and relies on physical access to a device. The attack uses a USB device together with a specially prepared FsTx folder to interfere with BitLocker protections.

The vulnerability mainly raises concerns for stolen or unattended laptops, especially devices used outside corporate environments. Organizations that rely on BitLocker to protect sensitive data could face increased risks if attackers gain direct access to affected systems.

Microsoft releases interim mitigation

Microsoft has now released an interim mitigation script designed to reduce the attack surface until a permanent fix arrives. The company recommends applying the mitigation on systems exposed to higher theft risks, particularly work laptops and mobile enterprise devices.

The guidance focuses on limiting exploitation opportunities through the Windows Recovery Environment while Microsoft prepares a broader security update.

BitLocker remains one of Windows’ most widely used encryption features for protecting business and personal data. Even vulnerabilities that require physical access can become serious concerns for enterprises managing remote workers and traveling employees.

The public release of exploit code also highlights the growing tension between independent security researchers and major vendors over disclosure timelines, proof-of-concept publication, and vulnerability handling policies.

Via Neowin

