Microsoft Rushes to Mitigate Dangerous New “YellowKey” Windows Exploit

The exploit was disclosed last week by security researcher “Nightmare Eclipse”

The newly exposed Windows security flaw, dubbed “YellowKey,” has become a major headache for Microsoft. After the exploit details leaked publicly alongside a working proof-of-concept, the company has now rushed out official mitigation guidance while it prepares a permanent fix.

The vulnerability reportedly targets BitLocker-protected systems and could allow attackers direct access to encrypted Windows drives under certain conditions. Microsoft is now tracking the issue as CVE-2026-45585.

YellowKey reportedly bypasses BitLocker protections

The exploit was disclosed last week by security researcher “Nightmare Eclipse,” who has recently been dumping multiple Windows zero-days online. According to the researcher, YellowKey abuses specially crafted “FsTx” files placed on either a USB drive or EFI partition.

Once triggered through Windows Recovery Environment (WinRE), attackers can reportedly launch a shell with unrestricted access to the protected storage volume simply by holding the CTRL key during the process. Needless to say, this isn’t something system administrators want to hear.

Interestingly, YellowKey is only the latest in a string of proof-of-concept exploits from the same researcher, who previously disclosed BlueHammer, GreenPlasma, RedSun, and UnDefend, several of which reportedly enable privilege escalation or interfere with Microsoft Defender protections.

Microsoft wants admins changing BitLocker settings immediately

Microsoft says the exploit bypasses a security feature rather than directly breaking BitLocker encryption itself. However, the company is recommending multiple defensive steps immediately. One mitigation involves removing the autofstx.exe entry from Session Manager’s BootExecute registry value to stop the FsTx recovery utility from automatically launching inside WinRE.

The company is also strongly recommending switching devices away from TPM-only BitLocker setups toward TPM+PIN authentication. In practice, users would need to enter a startup PIN manually before Windows unlocks encrypted drives. Admins can enforce the requirement using PowerShell, Group Policy, Intune, or Control Panel settings.
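The following PowerShell script is an added example, not code from the article, from Microsoft, or from the researcher. It audits and applies the two mitigations described above on a single machine: it removes the autofstx entry (the name quoted in the article) from Session Manager's BootExecute value while keeping every other entry, and it replaces a TPM-only BitLocker protector on the OS volume with TPM+PIN. It assumes the standard Session Manager registry path and that the FVE policy values UseAdvancedStartup and UseTPMPIN are the registry settings behind the "Require additional authentication at startup" Group Policy; verify both against your own policy baseline before rolling it out.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the article, the researcher, or Microsoft). Audits and
# applies the two mitigations described above on one machine. Run elevated; the
# BootExecute change takes effect at the next boot, and changing the startup
# protector requires the recovery password to be backed up first.

$SessionManagerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$BitLockerPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$FsTxPattern        = 'autofstx'   # entry name taken from the article's guidance

function Get-BootExecuteEntries {
    # BootExecute is REG_MULTI_SZ: one element per program Session Manager runs at boot.
    # The stock value is a single element such as "autocheck autochk *".
    @((Get-ItemProperty -Path $SessionManagerKey -Name BootExecute).BootExecute)
}

function Test-FsTxBootExecute {
    # $true when any BootExecute element references the FsTx recovery utility.
    [bool](Get-BootExecuteEntries | Where-Object { $_ -match $FsTxPattern })
}

function Remove-FsTxBootExecute {
    # Drops matching elements only; all other entries (autochk etc.) are preserved.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $current = Get-BootExecuteEntries
    $kept    = @($current | Where-Object { $_ -notmatch $FsTxPattern })
    if ($kept.Count -eq $current.Count) {
        Write-Verbose 'No autofstx entry in BootExecute; nothing to do.'
        return
    }
    # Save the original value so the change can be reverted.
    $backup = Join-Path $env:ProgramData ('BootExecute-{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
    $current | Set-Content -Path $backup
    if ($PSCmdlet.ShouldProcess($SessionManagerKey, "Remove '$FsTxPattern' from BootExecute (backup: $backup)")) {
        Set-ItemProperty -Path $SessionManagerKey -Name BootExecute -Value ([string[]]$kept) -Type MultiString
    }
}

function Get-BitLockerStartupAuth {
    # Summarises which key protectors guard the OS volume; TpmOnly is the state the article warns about.
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        ProtectorTypes   = $types
        TpmOnly          = ($types -contains 'Tpm') -and ($types -notcontains 'TpmPin')
    }
}

function Set-TpmPinPolicy {
    # Local equivalent of the "Require additional authentication at startup" Group Policy.
    # Assumption: UseAdvancedStartup=1 enables the policy and UseTPMPIN=1 requires a PIN with the TPM.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($BitLockerPolicyKey, 'Require TPM+PIN at startup')) {
        New-Item -Path $BitLockerPolicyKey -Force | Out-Null
        Set-ItemProperty -Path $BitLockerPolicyKey -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $BitLockerPolicyKey -Name UseTPMPIN          -Value 1 -Type DWord
    }
}

function Convert-ToTpmPin {
    # Replaces a TPM-only protector with TPM+PIN. A recovery password is ensured first, because
    # between the Remove and the Add the volume is protected only by that password.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][SecureString]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Write-Warning "Recovery password created for $MountPoint; back it up (see (Get-BitLockerVolume $MountPoint).KeyProtector) before rebooting."
    }
    $tpmOnly = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })
    if ($tpmOnly.Count -eq 0) {
        Write-Verbose "$MountPoint has no TPM-only protector."
        return Get-BitLockerStartupAuth -MountPoint $MountPoint
    }
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Replace TPM-only protector with TPM+PIN')) {
        foreach ($p in $tpmOnly) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }
    Get-BitLockerStartupAuth -MountPoint $MountPoint
}

# Usage (dry run with -WhatIf first, then for real):
#   Test-FsTxBootExecute; Remove-FsTxBootExecute -WhatIf; Remove-FsTxBootExecute -Verbose
#   Set-TpmPinPolicy
#   $pin = Read-Host -Prompt 'New startup PIN' -AsSecureString
#   Convert-ToTpmPin -Pin $pin -WhatIf; Convert-ToTpmPin -Pin $pin
#   Get-BitLockerStartupAuth   # shows the resulting protector set for the OS volume
```

Both mutating functions support `-WhatIf`, so the first pass can be run read-only across a fleet to find machines that still have the autofstx entry or a TPM-only protector. For managed estates the same two settings are better delivered through Group Policy or Intune, as the article notes; the script is a per-host equivalent for verifying that the policy actually landed.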

As of now, Microsoft hasn’t shared a release date for an actual security patch. But we hope it lands as soon as possible.
