Windows Central
Kevin Okemwa

Microsoft issues mitigation for critical Windows 11 BitLocker flaw exploited with a USB key — "Can't come up with an explanation beside the fact that this was intentional."

Windows 11 desktop showing group policy editor and command prompt. The editor highlights a setting, while command prompt displays a successful encryption command.

"Just can't come up with an explanation beside the fact that this was intentional. Also for whatever reason, only Windows 11 (+Server 2022/2025) are affected, Windows 10 is not," explained security researcher Chaotic Eclipse (better known as Nightmare-Eclipse) after they managed to bypass Windows 11's sophisticated BitLocker security feature using a USB stick.

The security sleuth posted the zero-day exploit known as YellowKey, which essentially enabled them to access a locked file. As explained by our friends over at Tom's Hardware:

"The process is dead simple: grab any USB stick, get write access to the 'System Volume Information,' and copy into it the 'FsTx' folder and its contents. Shift+click Restart to get Windows to the recovery environment, but then switch to holding down the Control key and don't let go. The machine will reboot, and without asking any questions or showing any menus, will drop you in an elevated command line with full access to the formerly Bitlocked drive, without asking for any keys."

Eclipse indicated that they "could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft." Earlier this week, the tech giant indicated that it is tracking the YellowKey zero-day exploit under CVE-2026-45585 and shared mitigation measures to prevent the zero-day exploit from gaining unauthorized access to protected drives (via Bleeping Computer).

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices.

Microsoft

The company says the mitigation measures it provides can be implemented as a safeguard against the vulnerability until it releases a security update for the issue. The process will involve removing the autofstx.exe entry from the Session Manager's BootExecute REG_MULTI_SZ value.

Consequently, you’ll need to restore BitLocker’s trust in WinRE by following the procedure outlined under Mitigations. In the meantime, Microsoft recommends changing BitLocker’s configuration on encrypted devices from TPM-only mode to TPM+PIN mode using PowerShell, the command line, or the Control Panel. This adjustment requires a pre-boot PIN to decrypt the drive at startup and is expected to block YellowKey attacks.
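
A read-only PowerShell audit of the two conditions described above, added here as an example and not taken from Microsoft's advisory or from this article: it flags any BootExecute entry that names autofstx.exe and reports whether each OS volume unlocks in TPM-only or TPM+PIN mode. The registry key path (the live system hive) is an assumption, since the article does not say which hive the mitigation edits, and the function names are hypothetical.

```powershell
# Added audit example (read-only); not Microsoft's mitigation script.
#Requires -RunAsAdministrator

# Hypothetical helper. Assumption: the live system's Session Manager key.
# Pass -KeyPath to point at a different loaded hive.
function Get-BootExecuteEntries {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    )
    # BootExecute is REG_MULTI_SZ, so it is returned as an array of strings.
    $value = (Get-ItemProperty -Path $KeyPath -Name BootExecute -ErrorAction Stop).BootExecute
    foreach ($entry in @($value)) {
        [pscustomobject]@{
            Entry      = $entry
            IsAutoFsTx = $entry -match 'autofstx'   # -match is case-insensitive
        }
    }
}

# Hypothetical helper: classify each OS volume by its TPM key protector type.
function Get-BitLockerStartupMode {
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $mode = if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') { 'TPM+PIN' }
                elseif ($types -contains 'Tpm') { 'TPM-only' }
                else { 'Other' }
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = $types -join ','
            StartupMode      = $mode
        }
    }
}

$boot = Get-BootExecuteEntries
$vols = Get-BitLockerStartupMode
$boot | Format-Table -AutoSize
$vols | Format-Table -AutoSize

if ($boot.IsAutoFsTx -contains $true) {
    Write-Warning 'BootExecute still lists an autofstx.exe entry.'
}
foreach ($v in $vols | Where-Object StartupMode -eq 'TPM-only') {
    Write-Warning "$($v.MountPoint) unlocks with TPM only; no pre-boot PIN is required."
}
```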
