Microsoft has issued mitigations for YellowKey, a newly disclosed Windows BitLocker zero-day tracked as CVE-2026-45585 that can let attackers access protected drives. The flaw was publicly revealed by Nightmare Eclipse, who also disclosed other zero-days including BlueHammer, RedSun, GreenPlasma, and UnDefend. #YellowKey #CVE-2026-45585 #NightmareEclipse #BlueHammer #RedSun #GreenPlasma #UnDefend
Key points
- YellowKey is a BitLocker security feature bypass that can expose protected drives.
- Microsoft is tracking the flaw as CVE-2026-45585 and has published mitigation guidance.
- The PoC uses crafted FsTx files, WinRE, and a CTRL key action to trigger access.
- Microsoft recommends removing autofstx.exe from BootExecute and restoring BitLocker trust for WinRE.
- Admins should move BitLocker from TPM-only to TPM+PIN so that the TPM does not release the volume key at boot without a user-supplied secret, which reduces the risk from an attacker with physical access to the machine.
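The two mitigations that can be applied from an elevated shell, as an added PowerShell example that is not part of the original post and not Microsoft's own guidance text: it audits the BootExecute multi-string value and drops entries matching the autofstx.exe name given above, reports which key protectors the OS volume currently has, and migrates a TPM-only volume to TPM+PIN. Assumptions: the OS volume is C:, the entry name to remove is exactly the autofstx.exe the post names, and the FVE policy values written below are the local-registry mirror of the "Require additional authentication at startup" Group Policy (0 = do not allow, 1 = require, 2 = allow). The "restore BitLocker trust for WinRE" step is not scripted here because the post does not say what that change consists of.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or from Microsoft's advisory text).
# Assumed values: OS volume C:, entry name 'autofstx' as stated in the post,
# FVE policy semantics 0 = do not allow, 1 = require, 2 = allow.

$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$fveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$osDrive = 'C:'

# 1. BootExecute is a REG_MULTI_SZ; list it and drop any entry naming autofstx.exe.
function Get-BootExecute {
    (Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute
}

function Remove-BootExecuteEntry {
    param([string]$Pattern = 'autofstx')
    $current = @(Get-BootExecute)
    $kept    = @($current | Where-Object { $_ -notmatch $Pattern })
    if ($kept.Count -eq $current.Count) {
        Write-Host "BootExecute: no entry matching '$Pattern' found"
        return
    }
    # Never leave the value empty: 'autocheck autochk *' is the stock entry that runs chkdsk at boot.
    if ($kept.Count -eq 0) { $kept = @('autocheck autochk *') }
    Set-ItemProperty -Path $smKey -Name BootExecute -Value $kept -Type MultiString
    Write-Host "BootExecute: removed $($current.Count - $kept.Count) entry(ies) matching '$Pattern'"
}

# 2. Report whether the OS volume still relies on a TPM-only protector.
function Get-ProtectorSummary {
    $vol   = Get-BitLockerVolume -MountPoint $osDrive
    $types = @($vol.KeyProtector.KeyProtectorType)
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        TpmOnly          = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
    }
}

# 3. Move TPM-only -> TPM+PIN. Policy must permit a PIN before Add-BitLockerKeyProtector accepts one;
#    the new protector is added before the old one is removed so the volume is never unprotected.
function ConvertTo-TpmPin {
    param([Parameter(Mandatory)][securestring]$Pin)   # default policy requires at least 6 digits
    $summary = Get-ProtectorSummary
    if (-not $summary.HasRecoveryPwd) {
        throw 'Escrow a recovery password first (Add-BitLockerKeyProtector -RecoveryPasswordProtector); refusing to change protectors without one.'
    }
    if (-not $summary.TpmOnly) { Write-Host "$osDrive is not TPM-only; nothing to do"; return }

    # Local mirror of the startup-authentication policy: TPM-only not allowed, TPM+PIN required.
    # On a managed fleet set this through GPO/Intune instead of writing the registry directly.
    if (-not (Test-Path $fveKey)) { New-Item -Path $fveKey -Force | Out-Null }
    Set-ItemProperty -Path $fveKey -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fveKey -Name UseTPM             -Value 0 -Type DWord
    Set-ItemProperty -Path $fveKey -Name UseTPMPIN          -Value 1 -Type DWord
    Set-ItemProperty -Path $fveKey -Name UseTPMKey          -Value 0 -Type DWord
    Set-ItemProperty -Path $fveKey -Name UseTPMKeyPIN       -Value 0 -Type DWord

    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $Pin | Out-Null
    $tpmOnly = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
               Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Get-ProtectorSummary
}

# Usage (run in order, reboot afterwards to confirm the PIN prompt appears):
#   Get-BootExecute
#   Remove-BootExecuteEntry
#   Get-ProtectorSummary
#   ConvertTo-TpmPin -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
```

Run `Get-ProtectorSummary` before and after the change and keep the recovery password escrowed (AD, Entra ID or your key-management system) before touching protectors: if the PIN is forgotten or the TPM measurements change after the next firmware update, the recovery password is the only way back into the volume.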