Skip to main content
CybersecurityVulnerability Management

Microsoft Discloses Mitigations for YellowKey Windows Zero-Day Vulnerability

Windows laptop screen on a desk in a modern office with a blurred interface displayed.

"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey'. The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices," Microsoft said in a Tuesday advisory.

Microsoft assigns CVE-2026-45585 and issues interim guidance

Microsoft said it is tracking YellowKey under CVE-2026-45585 and is issuing mitigation guidance "to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available." The company’s advisory followed a public proof-of-concept (PoC) release that Microsoft described as a violation of coordinated disclosure norms.

How the YellowKey exploit works, according to the public disclosure

The PoC and accompanying disclosure posted by an anonymous researcher who uses the handle "Nightmare Eclipse" describe YellowKey as a Windows BitLocker zero-day that grants access to protected drives. Nightmare Eclipse wrote that exploiting the flaw involves placing specially crafted "FsTx" files on a USB drive or EFI partition, rebooting into the Windows Recovery Environment (WinRE), and then triggering a shell with unrestricted access to the BitLocker-protected storage volume by holding down the CTRL key.

Microsoft's specific mitigations: block autofstx.exe and require a pre-boot PIN

Microsoft's guidance recommends two principal actions:

  • Remove the autofstx.exe entry from the Session Manager's BootExecute REG_MULTI_SZ value and then reestablish BitLocker trust for WinRE by following the procedure detailed under "Mitigations" in the CVE-2026-33825 advisory.
  • For already encrypted devices, configure BitLocker from "TPM-only" mode to "TPM+PIN" mode via PowerShell, the command line, or the Control Panel so a pre-boot PIN is required to decrypt the drive at startup. For devices not yet encrypted, administrators can enable the "Require additional authentication at startup" option via Microsoft Intune or Group Policies and ensure that "Configure TPM startup PIN" is set to "Require startup PIN with TPM."

Security analyst Will Dormann of Tharros summarized the first mitigation point: "Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches. With this change, the Transactional NTFS replaying that deletes winpeshl.ini no longer happens." Microsoft advised following the reestablishment steps in the earlier CVE-2026-33825 mitigations for restoring BitLocker trust.

Context: multiple disclosures and a pattern from the same researcher

The YellowKey advisory is part of a recent sequence of disclosures and leaks attributed to Nightmare Eclipse. Last month the researcher disclosed BlueHammer (CVE-2026-33825) and RedSun (no identifier), described as local privilege escalation zero-days that are now being exploited in attacks. The researcher also leaked GreenPlasma, a zero-day privilege-escalation issue that attackers can abuse to obtain a SYSTEM shell, and UnDefend, a zero-day that attackers with standard user permissions can exploit to block Microsoft Defender definition updates.

Nightmare Eclipse has said these disclosures were made in protest of how Microsoft’s Security Response Center (MSRC) handled the disclosure process for other security flaws the researcher reported in the past. The advisory from Microsoft notes the PoC was made public and frames the CVE issuance as a mechanism to provide protective steps until an official security update is released.

What this means for technologists, enterprise admins, and end users

  • Technologists and security teams: Implement the autofstx.exe removal from BootExecute and follow the reestablishment procedure for WinRE trust in CVE-2026-33825; for encrypted systems, plan to switch devices from "TPM-only" to "TPM+PIN" via supported management tools.
  • Enterprise administrators and procurement leaders: If devices are not yet encrypted, deploy "Require additional authentication at startup" via Intune or Group Policies and set "Configure TPM startup PIN" to "Require startup PIN with TPM"; validate group policy and management workflows to ensure the change can be rolled out at scale.
  • End users and the general public: Where your organization manages device encryption, follow guidance from IT; where you control a device, consider enabling a required startup PIN when enabling BitLocker to block the exploitation path described in the PoC.

Microsoft's release of CVE-2026-45585 and step-by-step mitigations buys time for customers while a security update is pending. The public PoC and the researcher’s stated motive—protest over past vulnerability handling—mean defenders must act on the layered mitigations Microsoft outlined rather than await a patch. Microsoft’s advisory and the referenced CVE-2026-33825 mitigation steps are the authoritative actions the company has published to block the specific exploitation technique described in the public disclosure.

Source: BleepingComputer — Microsoft shares mitigation for YellowKey Windows zero-day