Microsoft has issued emergency mitigation guidance for CVE-2026-45585, a zero-day vulnerability dubbed YellowKey that bypasses Windows BitLocker full-disk encryption using nothing more than a USB stick and brief physical access to the target machine. No patch is currently available, and the proof-of-concept exploit has been publicly released, prompting Microsoft to urge organizations to apply manual workarounds immediately.

The vulnerability was discovered by an anonymous researcher operating under the alias Nightmare-Eclipse, who publicly released the exploit on May 12 after expressing frustration with how the Microsoft Security Response Center handled previous vulnerability reports. Independent security researchers including Kevin Beaumont and Will Dormann of Tharros Labs confirmed the exploit works as described. YellowKey is one of five zero-day vulnerabilities the researcher has dropped since April 2026.

The attack exploits the Windows Recovery Environment and Transactional NTFS behavior. An attacker places specially crafted FsTx directory files onto a USB drive, then reboots the target machine into WinRE. Windows automatically replays NTFS transaction logs from attached drives, causing the FsTx Auto Recovery Utility to execute and delete the winpeshl.ini configuration file. With this file removed, WinRE falls back to launching a command prompt with unrestricted access to the now-decrypted BitLocker volume.

Will Dormann noted that the vulnerable component autofstx.exe exists only inside the WinRE image and is absent from normal Windows installations. The researcher claimed a variant can bypass even TPM plus PIN configurations, though this more advanced exploit was withheld. The vulnerability affects Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2025.

Microsoft stated it is issuing the CVE to provide mitigation guidance that can be implemented until a security update becomes available. The company also expressed concern that the proof-of-concept was released publicly in violation of coordinated vulnerability disclosure practices.

Organizations should apply the manual remediation by mounting the WinRE image, removing autofstx.exe from the Session Manager BootExecute registry value, and reestablishing BitLocker trust. As defense-in-depth, administrators should switch BitLocker from the default TPM-only mode to TPM plus PIN mode and combine it with a BIOS password to reduce the risk of physical access attacks.
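The following PowerShell is an added example of the remediation steps described above and of the defense-in-depth change; it is not Microsoft's published mitigation script or any code from the advisory. It assumes the standard WinRE servicing commands (reagentc /mountre and /unmountre), that the WinRE image's BootExecute value lives in the offline SYSTEM hive under its active ControlSet, that toggling WinRE with reagentc /disable and /enable is what "reestablishing BitLocker trust" amounts to, and that adding a TPM+PIN protector supersedes the TPM-only one. The mount folder, the hive alias and the function names are the example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's mitigation script. Names and paths below are
# assumptions chosen for illustration.

$MountDir = Join-Path $env:SystemDrive 'WinREMount'   # constructed mount folder
$HiveName = 'WinRE_SYS'                                # alias for the offline SYSTEM hive

function Get-WinReBootExecute {
    # Mounts the WinRE image, loads its offline SYSTEM hive and reports the
    # Session Manager\BootExecute entries. With -Remediate, any autofstx entry
    # is removed and the image is committed; otherwise the mount is discarded.
    param([switch]$Remediate)

    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    & reagentc /mountre /path $MountDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }

    $changed = $false
    try {
        $hive = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
        & reg load "HKLM\$HiveName" $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }
        try {
            # Offline hives have no CurrentControlSet; resolve it via Select\Current.
            $root = "HKLM:\$HiveName"
            $cur  = (Get-ItemProperty "$root\Select").Current
            $smgr = "$root\ControlSet{0:D3}\Control\Session Manager" -f $cur
            [string[]]$entries = (Get-ItemProperty $smgr).BootExecute
            $bad = @($entries | Where-Object { $_ -match 'autofstx' })
            if ($bad.Count -gt 0 -and $Remediate) {
                $keep = @($entries | Where-Object { $_ -notmatch 'autofstx' })
                Set-ItemProperty -Path $smgr -Name BootExecute -Value $keep -Type MultiString
                $changed = $true
            }
            [pscustomobject]@{
                Entries         = $entries
                AutoFstxPresent = ($bad.Count -gt 0)
                Removed         = $changed
            }
        } finally {
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release provider handles
            & reg unload "HKLM\$HiveName" | Out-Null
        }
    } finally {
        $mode = if ($changed) { '/commit' } else { '/discard' }
        & reagentc /unmountre /path $MountDir $mode | Out-Null
    }
}

function Set-WinReBitLockerTrust {
    # Assumption: disabling and re-enabling WinRE re-registers the modified
    # image with BitLocker, which is the "reestablish trust" step.
    & reagentc /disable | Out-Null
    & reagentc /enable  | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reagentc /enable failed ($LASTEXITCODE)" }
}

function Enable-TpmPinProtector {
    # Defense-in-depth: move the OS volume from TPM-only to TPM+PIN pre-boot auth.
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw 'Add and back up a RecoveryPassword protector before changing pre-boot auth.'
    }
    # Policy values so a PIN is required (1) rather than merely allowed (2).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord

    $pin = Read-Host -Prompt 'Enter new BitLocker PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
        throw 'TpmPin protector was not added; volume left unchanged.'
    }
    # Assumption: the TPM-only protector is superseded. If one survives, drop it
    # so it can no longer unlock the volume without the PIN.
    foreach ($p in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    # A firmware (BIOS) password is vendor-specific and must be set outside this script.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Usage (elevated, interactive):
#   $state = Get-WinReBootExecute            # audit only: reports AutoFstxPresent
#   $state = Get-WinReBootExecute -Remediate # remove the entry and commit the image
#   if ($state.Removed) { Set-WinReBitLockerTrust }
#   Enable-TpmPinProtector -MountPoint 'C:'
```

Run the audit form first on a test machine to confirm the BootExecute entry is actually present in that WinRE image before committing a change, and keep the recovery password escrowed before touching protectors: a failed re-trust of WinRE or a protector change that goes wrong leaves the device in BitLocker recovery at next boot.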