Microsoft Releases Mitigations for 'YellowKey' Windows BitLocker Zero-Day
**Microsoft** has issued mitigations for 'YellowKey' (**CVE-2026-45585**), a recently disclosed Windows BitLocker zero-day vulnerability that could allow unauthorized access to protected drives. The vulnerability, revealed by an anonymous researcher known as 'Nightmare Eclipse,' involves manipulating 'FsTx' files to bypass BitLocker encryption.

## YellowKey: A BitLocker Bypass
The 'YellowKey' vulnerability, disclosed by 'Nightmare Eclipse,' allows attackers to gain unauthorized access to **BitLocker**-protected drives. The researcher published a proof-of-concept (PoC) exploit demonstrating how specially crafted 'FsTx' files placed on a USB drive or EFI partition can be used to trigger a shell with unrestricted access to the storage volume.
'Nightmare Eclipse' has been actively disclosing zero-day vulnerabilities, including **BlueHammer** (CVE-2026-33825) and **RedSun**, citing dissatisfaction with how the **Microsoft** Security Response Center (**MSRC**) handled previous vulnerability disclosures. Other vulnerabilities disclosed by the same researcher include **GreenPlasma** and **UnDefend**.
## Microsoft's Response: Mitigations for CVE-2026-45585
**Microsoft** is now tracking the 'YellowKey' flaw as **CVE-2026-45585** and has released mitigation measures to protect against potential exploitation.
"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey'. The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices," **Microsoft** stated in an advisory.
The recommended mitigations include:
* Removing the `autofstx.exe` entry from the Session Manager's BootExecute REG_MULTI_SZ value.
* Re-establishing BitLocker trust for WinRE, as detailed in the CVE-2026-33825 advisory.
* Switching BitLocker on already-encrypted devices from "TPM-only" mode to "TPM+PIN" mode.
* Enabling the "Require additional authentication at startup" option via **Microsoft Intune** or Group Policies for devices not yet encrypted, ensuring that "Configure TPM startup PIN" is set to "Require startup PIN with TPM."
According to Will Dormann, principal vulnerability analyst at **Tharros**, preventing `autofstx.exe` from starting automatically when the WinRE image launches stops the Transactional NTFS replay that deletes `winpeshl.ini`.
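The following PowerShell script is an added example, not code from Microsoft's advisory or from the researcher, showing how an administrator could audit one machine against the mitigation list above and, with `-Apply`, carry out the BootExecute and TPM+PIN steps. The registry paths under `Session Manager` and `Policies\Microsoft\FVE`, the value names `UseAdvancedStartup` and `UseTPMPIN` as the registry form of "Require additional authentication at startup", and the assumption that the BootExecute entry matches the pattern `autofstx` are my own assumptions; the WinRE trust step is deliberately not automated because the page defers it to the CVE-2026-33825 advisory.

```powershell
# Added example, not Microsoft's or the researcher's code. Run from an elevated
# PowerShell prompt. Without -Apply the script only reports; with -Apply it
# removes the autofstx.exe BootExecute entry, sets the startup-PIN policy, and
# moves a TPM-only OS volume to TPM+PIN (requires -Pin as a SecureString).
[CmdletBinding()]
param(
    [switch]$Apply,
    [string]$MountPoint = $env:SystemDrive,
    [securestring]$Pin
)

# Assumed registry locations (standard Windows paths, but verify on your build).
$smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. BootExecute is a REG_MULTI_SZ; drop any entry that launches autofstx.exe so
#    the TxF replay described above never runs when WinRE starts.
$boot = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
$bad  = @($boot | Where-Object { $_ -match 'autofstx' })   # assumed match pattern
if ($bad.Count -gt 0) {
    Write-Warning "BootExecute contains: $($bad -join ' | ')"
    if ($Apply) {
        $clean = @($boot | Where-Object { $_ -notmatch 'autofstx' })
        Set-ItemProperty -Path $smKey -Name BootExecute -Value $clean -Type MultiString
        Write-Host "BootExecute rewritten: $($clean -join ' | ')"
    }
} else {
    Write-Host 'BootExecute: no autofstx.exe entry found'
}

# 2. Policy: "Require additional authentication at startup" with a required
#    startup PIN. Assumed DWORD meaning for UseTPMPIN: 0 = do not allow,
#    1 = allow, 2 = require. Without this policy Add-BitLockerKeyProtector
#    refuses to add a TPM+PIN protector.
$pol = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
if ($pol.UseAdvancedStartup -eq 1 -and $pol.UseTPMPIN -eq 2) {
    Write-Host 'Policy: startup PIN with TPM is required'
} else {
    Write-Warning 'Policy: startup PIN with TPM is not required'
    if ($Apply) {
        New-Item -Path $fveKey -Force | Out-Null
        Set-ItemProperty -Path $fveKey -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $fveKey -Name UseTPMPIN         -Value 2 -Type DWord
        Write-Host 'Policy written (Intune/GPO will overwrite it if managed centrally)'
    }
}

# 3. Key protectors: an already-encrypted OS volume moves from Tpm to TpmPin.
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
Write-Host "Volume $MountPoint : $($vol.VolumeStatus), protectors: $($types -join ', ')"

if ('TpmPin' -in $types) {
    Write-Host 'Protectors: TPM+PIN already configured'
} elseif ('Tpm' -in $types) {
    Write-Warning 'Protectors: TPM-only, exposed to the bypass described above'
    if ('RecoveryPassword' -notin $types) {
        Write-Warning 'No recovery password protector; back one up before changing protectors'
    }
    if ($Apply -and $Pin) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
        # Only one TPM-based protector may exist; if the old one survived, drop it.
        $after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
        $after | Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' } | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
        Write-Host 'Protectors: switched to TPM+PIN; the PIN is required at next boot'
    } elseif ($Apply) {
        Write-Warning 'Pass -Pin (SecureString) to switch to TPM+PIN'
    }
}

# 4. WinRE: report status only. Re-establishing BitLocker trust for WinRE is
#    done per the CVE-2026-33825 advisory and is not reproduced here.
reagentc /info
```

Run it once without `-Apply` to see what each check reports, then with `-Apply -Pin (Read-Host -AsSecureString 'Startup PIN')` on a machine whose recovery password is already escrowed. Changing the BootExecute value takes effect at the next boot, and the policy keys are overwritten by Intune or Group Policy on managed devices, so the script is a per-host stopgap rather than a replacement for the central policy change listed above.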