CVE-2026-45585 – Windows BitLocker Security Feature Bypass Vulnerability (“YellowKey”)
“Encryption is only as strong as its protections around the key—when those protections are bypassed, sensitive data can become exposed even without knowing the password.”
Microsoft is aware of a publicly disclosed security feature bypass vulnerability in Windows, referred to as “YellowKey”, that affects BitLocker Device Encryption. The vulnerability could allow an attacker with physical access to a target device to bypass BitLocker protections and gain access to encrypted data stored on the system. While exploitation requires physical access, the public disclosure of proof-of-concept details and Microsoft’s assessment of “Exploitation More Likely” increase the urgency for organizations managing mobile or potentially exposed devices.
CVSS Score: 6.8
SEVERITY: Important
THREAT:
This vulnerability threatens the confidentiality of data protected by BitLocker Device Encryption. An attacker who gains physical possession of a vulnerable device could potentially bypass encryption protections and access sensitive information stored on the system. Organizations with mobile workforces, remote employees, or devices that travel outside secured facilities face increased exposure.
EXPLOITS:
Microsoft confirms that the vulnerability has been publicly disclosed and that proof-of-concept information is publicly available. At the time of publication, Microsoft reports that the vulnerability is not actively exploited. Microsoft assesses the vulnerability as Exploitation More Likely. The public disclosure violates coordinated vulnerability disclosure best practices and increases the likelihood that attackers may attempt to reproduce the attack.
TECHNICAL SUMMARY:
The vulnerability is associated with CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection). Successful exploitation could allow an attacker with physical access to bypass BitLocker Device Encryption protections on the system storage device. Microsoft has released mitigation guidance prior to the availability of a security update. The provided mitigation modifies the Windows Recovery Environment (WinRE) configuration by removing autofstx.exe from the BootExecute registry value. This prevents the executable from running during early boot and recovery operations, reducing the risk of exploitation while maintaining BitLocker trust protections.
EXPLOITABILITY:
Affected systems are Windows devices using vulnerable BitLocker Device Encryption configurations. Exploitation requires physical access to the target device. No privileges or user interaction are required. Microsoft states that systems configured with TPM+PIN are not vulnerable to exploitation through this attack path.
BUSINESS IMPACT:
BitLocker is widely deployed to protect sensitive business information on laptops, workstations, and mobile devices. Successful exploitation could expose confidential corporate data, intellectual property, customer information, regulated data, or credentials stored on compromised systems. The risk is particularly significant for devices that are lost, stolen, transported, or used outside controlled environments. Data exposure resulting from encryption bypass can lead to compliance violations, financial losses, and reputational damage.
WORKAROUND:
Until the security update is available:
- Implement Microsoft’s recommended WinRE mitigation script.
- Remove autofstx.exe from the BootExecute registry value as described by Microsoft.
- Enable TPM+PIN protection where feasible, as Microsoft states systems using TPM+PIN are not vulnerable to this attack.
- Strengthen physical security controls for portable devices.
- Ensure lost or stolen device response procedures are in place.
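The WinRE BootExecute mitigation referred to in the technical summary and the workaround list, as an added example that is not Microsoft's published mitigation script: it mounts the registered WinRE image with reagentc, loads the image's SYSTEM hive offline, reports any autofstx.exe entry in BootExecute and, only when run with -Fix, removes that entry while keeping the others. The mount folder, the temporary hive name WinRE_SYSTEM and the -Fix switch are this example's own choices.

```powershell
# Added example, not Microsoft's published mitigation script. Audits the BootExecute
# value inside the offline WinRE SYSTEM hive and, with -Fix, removes the autofstx.exe
# entry so it no longer runs during recovery boot. Run from an elevated PowerShell.
# Assumptions: WinRE is registered (reagentc /info), $MountPath is an unused folder,
# and the hive's Select\Current value names the control set WinRE boots with.
param(
    [string]$MountPath = 'C:\WinREMount',
    [switch]$Fix    # without -Fix the script only reports, nothing is written
)
$hiveName = 'WinRE_SYSTEM'
$changed  = $false

New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
& reagentc.exe /mountre /path $MountPath
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed with exit code $LASTEXITCODE" }

# Load the WinRE image's SYSTEM hive under a temporary key so it can be edited offline
$hiveFile = Join-Path $MountPath 'Windows\System32\config\SYSTEM'
& reg.exe load "HKLM\$hiveName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    & reagentc.exe /unmountre /path $MountPath /discard
    throw "reg load of $hiveFile failed with exit code $LASTEXITCODE"
}

try {
    $current = (Get-ItemProperty -Path "HKLM:\$hiveName\Select" -Name Current).Current
    $smKey   = "HKLM:\$hiveName\ControlSet{0:D3}\Control\Session Manager" -f $current
    # BootExecute is REG_MULTI_SZ: one native-executable command line per entry, run by smss.exe
    $boot    = @((Get-ItemProperty -Path $smKey -Name BootExecute -ErrorAction Stop).BootExecute)
    $bad     = @($boot | Where-Object { $_ -match '(?i)autofstx' })
    if ($bad.Count -eq 0) {
        Write-Host "No autofstx entry in WinRE BootExecute: $($boot -join ' | ')"
    }
    elseif (-not $Fix) {
        Write-Warning "autofstx entry present in WinRE BootExecute: $($bad -join ' | '). Rerun with -Fix."
    }
    else {
        $kept = [string[]]@($boot | Where-Object { $_ -notmatch '(?i)autofstx' })
        Set-ItemProperty -Path $smKey -Name BootExecute -Value $kept -Type MultiString
        Write-Host "Removed: $($bad -join ' | '); kept: $($kept -join ' | ')"
        $changed = $true
    }
}
finally {
    [GC]::Collect()   # drop lingering registry handles so the hive unloads cleanly
    & reg.exe unload "HKLM\$hiveName" | Out-Null
    # Commit the edited image only if something changed; otherwise discard the mount
    & reagentc.exe /unmountre /path $MountPath $(if ($changed) { '/commit' } else { '/discard' })
}
```

Running it without -Fix is a read-only audit suitable for fleet-wide inventory; after a -Fix run, re-run the audit to confirm the entry is gone from the committed image.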
URGENCY:
This vulnerability warrants elevated attention because it is publicly disclosed, a proof-of-concept has been released, and Microsoft assesses exploitation as more likely. Although physical access is required, organizations that rely on BitLocker to protect sensitive information on portable devices should implement mitigations immediately to reduce the risk of unauthorized data access before security updates become available.
Key Details
- Affected Product: Microsoft Windows 11 24H2
- Attack Vector: Physical
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-77