Microsoft has moved to contain the newly disclosed Windows zero-day vulnerability, dubbed “YellowKey,” but the company still lacks a permanent fix.
The company on Tuesday updated its advisory with a temporary mitigation script for the flaw, which is said to bypass BitLocker protections by abusing the Windows Recovery Environment (WinRE). The mitigation provides all Windows users with immediate steps to reduce exposure while its engineers work on a more permanent fix via a security update.
Tracked as CVE-2026-45585, YellowKey was publicly disclosed alongside its proof of concept (PoC) and targets one of Windows' most trusted security protections. Although the attack requires physical access to a device rather than a remote compromise, it raises concerns for users and enterprises that rely on BitLocker to secure lost or stolen laptops.
How YellowKey bypasses BitLocker
The YellowKey vulnerability was one of the two Windows vulnerabilities whose PoCs were released by an enraged security researcher shortly after Microsoft’s May Patch Tuesday.
YellowKey requires a threat actor to have physical access to the target's computer. While that may seem to limit the risk, lost or stolen computers are prime targets, and insider threats are another way this flaw can be used against users. Confiscation of the device remains a less common but valid risk.
A BitLocker bypass hands over a victim’s entire disk contents for a threat actor to view, modify, or potentially clone. A threat actor just needs to craft a special “FsTx” file to load onto a USB drive, then boot the victim’s computer into Windows Recovery Mode and trigger a shell with unrestricted access by holding down the CTRL key.
What Microsoft recommends now
With YellowKey’s PoC now public, Microsoft has acknowledged the vulnerability.
As an emergency response, the company updated its security advisory on the flaw, including mitigations users can implement now. Even so, Microsoft has expressed its dissatisfaction with how the disclosure was made, saying it goes against “coordinated vulnerability best practices.”
While the company says it hasn't found any evidence of exploitation in the wild, it notes that exploitation is likely. It has provided a script users can run to work around the vulnerability while awaiting the security update.
Refer to Microsoft's advisory to copy the script, then paste it into your terminal. Although the advisory doesn't say whether the script should be executed as an administrator, it will most likely require admin privileges to run. Microsoft added that the script is designed to be safe and will exit if autofstx.exe is missing from your computer.
For context, autofstx.exe is the Windows component that enables the BitLocker bypass, and Microsoft's mitigation aims to remove it. Microsoft also says that, because of how the workaround is implemented, installing the specific patch for this flaw when it arrives will not have any effect.
Another workaround worth knowing is adding a TPM + PIN requirement at startup. That should block a threat actor from reaching WinRE; however, the security researcher behind the YellowKey disclosure noted that TPM + PIN can still be exploited, and said they intentionally withheld the specific PoC demonstrating that.
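For admins who want to confirm the state of a machine after following the steps above, the following PowerShell check is an added example written for this article; it is not Microsoft's mitigation script and does not remove anything. It assumes an elevated session (Get-BitLockerVolume needs it) and, because the advisory text here does not give a path for autofstx.exe, it searches under the Windows directory rather than hard-coding a location. It reports whether autofstx.exe is still present and which BitLocker key protector types each volume uses, so you can see at a glance whether the workaround has been applied and whether a TPM + PIN protector is in place.

```powershell
# Added verification example, not Microsoft's mitigation script.
# Assumptions: run from an elevated PowerShell session; autofstx.exe, if still
# present, lives somewhere under $env:SystemRoot (path not given in the advisory).

function Find-AutoFsTx {
    # Return the full path(s) of any autofstx.exe found under the Windows directory.
    # An empty result means the component Microsoft's mitigation removes is not present.
    Get-ChildItem -Path $env:SystemRoot -Filter 'autofstx.exe' -File -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

function Get-BitLockerProtectorSummary {
    # One row per BitLocker volume: protection state, protector types, and whether
    # a PIN-based TPM protector (TpmPin or TpmPinStartupKey) is configured.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            ProtectorTypes   = ($types -join ', ')
            HasTpmPin        = [bool]($types | Where-Object { $_ -like 'TpmPin*' })
        }
    }
}

$found = @(Find-AutoFsTx)
if ($found.Count -gt 0) {
    Write-Warning "autofstx.exe is still present ($($found -join '; ')); the mitigation has not been applied on this host."
} else {
    Write-Output "autofstx.exe not found under $env:SystemRoot."
}

# Volumes with ProtectionStatus 'On' but HasTpmPin 'False' rely on TPM-only unlock,
# which is the configuration the startup-PIN workaround is meant to harden.
Get-BitLockerProtectorSummary | Format-Table -AutoSize
```

Run it on a sample of endpoints before and after pushing the mitigation; a host that still returns a path from Find-AutoFsTx, or that shows HasTpmPin as False on the OS volume, is one to follow up on.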
What admins should watch next
We urge all Windows users who rely on BitLocker to apply Microsoft's mitigation script quickly. We don't know when the security update will be released, but given the severity of YellowKey, Microsoft will likely ship a patch before its next Patch Tuesday.
Until Microsoft ships a permanent update, the safest path is to treat YellowKey as a physical-access risk with real enterprise consequences. Admins should review Microsoft’s mitigation, assess whether TPM + PIN is appropriate for their environment, and watch the advisory for patch timing or follow-up guidance.
For admins already dealing with Microsoft’s Windows headaches, the timing is especially rough: the company is also investigating a separate update rollout bug that left some devices missing critical patches.