Microsoft has shared temporary mitigation steps for YellowKey, a newly disclosed Windows BitLocker zero-day vulnerability that could allow attackers to access protected drives.
The flaw was recently disclosed by an anonymous security researcher known as “Nightmare Eclipse,” who described it as a backdoor and also published a proof-of-concept exploit. According to the researcher, the attack involves placing specially crafted “FsTx” files on a USB drive or EFI partition, rebooting the system into Windows Recovery Environment, and then holding the CTRL key to trigger a shell with unrestricted access to the BitLocker-protected volume.
Microsoft is now tracking the vulnerability as CVE-2026-45585. In an advisory published on Tuesday, the company said it is aware of the security feature bypass issue publicly known as YellowKey and is providing mitigation guidance until a security update becomes available.
The company said the public proof-of-concept was released in a way that violated coordinated vulnerability disclosure best practices. Microsoft advised customers to remove the autofstx.exe entry from the Session Manager’s BootExecute REG_MULTI_SZ value and then reestablish BitLocker trust for WinRE by following the mitigation process listed in its CVE-2026-33825 advisory.
Security expert Will Dormann explained that this mitigation prevents the FsTx Auto Recovery Utility, autofstx.exe, from automatically launching when the Windows Recovery Environment image starts. As a result, the Transactional NTFS replay process that deletes winpeshl.ini no longer occurs.
Microsoft also recommended that customers move already encrypted devices from “TPM-only” BitLocker mode to “TPM+PIN” mode. This can be done through PowerShell, the command line, or Control Panel. By requiring a pre-boot PIN before the drive can be decrypted, this setting should help block YellowKey attacks.
For devices that have not yet been encrypted, administrators can enable the “Require additional authentication at startup” option through Microsoft Intune or Group Policy. Microsoft also advised making sure the “Configure TPM startup PIN” setting is changed to “Require startup PIN with TPM.”
YellowKey is the latest in a series of zero-day disclosures from Nightmare Eclipse. Last month, the same researcher disclosed BlueHammer, tracked as CVE-2026-33825, and RedSun, which currently has no identifier. Both are local privilege escalation flaws and are now reportedly being exploited in attacks.
The researcher also leaked details about GreenPlasma, a privilege escalation issue that can be abused to gain a SYSTEM shell, along with UnDefend, another zero-day that can allow attackers with standard user permissions to block Microsoft Defender definition updates.
The exact reason behind the recent wave of exploit leaks remains unclear. However, Nightmare Eclipse previously said the disclosures were a protest against how Microsoft’s Security Response Center handled earlier vulnerability reports they submitted.





