Recently, Microsoft has addressed a critical Windows BitLocker zero-day vulnerability named YellowKey, which allows unauthorized access to protected drives.
The security loophole was brought to light by an anonymous security researcher going by the pseudonym ‘Nightmare Eclipse.’ This individual labeled the vulnerability as a backdoor and even released a proof-of-concept exploit.
Nightmare Eclipse detailed that exploiting this zero-day flaw entails placing specially crafted ‘FsTx’ files on a USB drive or EFI partition, rebooting into WinRE, and triggering a shell with unrestricted access to the BitLocker-protected storage volume by holding down the CTRL key.
Prior to YellowKey, the same researcher disclosed two other local privilege escalation (LPE) zero-day vulnerabilities – BlueHammer (CVE-2026-33825) and RedSun. Additionally, they exposed GreenPlasma, a privilege-escalation security issue allowing attackers to obtain a SYSTEM shell, and UnDefend, a zero-day enabling attackers with standard user permissions to block Microsoft Defender definition updates.
Although the motivation behind these exploit disclosures remains unclear, Nightmare Eclipse has previously expressed dissatisfaction with how Microsoft’s Security Response Center handled the security flaws they reported.
Microsoft’s Response and Mitigations for YellowKey
Microsoft acknowledged the YellowKey flaw under CVE-2026-45585 and provided mitigation measures to counter potential attacks leveraging the vulnerability.
In an advisory released on Tuesday, Microsoft stated, “Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as ‘YellowKey’. The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices.”
To mitigate YellowKey attacks, Microsoft recommended removing the autofstx.exe entry from the Session Manager’s BootExecute REG_MULTI_SZ value and reestablishing BitLocker trust for WinRE by following the outlined procedure in the CVE-2026-33825 advisory.
Furthermore, Microsoft advised switching BitLocker on already-encrypted devices from “TPM-only” mode to “TPM+PIN” mode, so that a pre-boot PIN is required to unlock the volume at startup, which thwarts YellowKey attacks.
For devices yet to be encrypted, administrators can enable the “Require additional authentication at startup” option via Microsoft Intune or Group Policies, ensuring that “Configure TPM startup PIN” is set to “Require startup PIN with TPM.”
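The following PowerShell audit script is an added example, not code from Microsoft’s advisory or from the researcher: it reports the two mitigation points above (an autofstx.exe entry in the Session Manager BootExecute value, and OS volumes still protected by a TPM-only protector). It assumes the standard Session Manager registry path and the built-in BitLocker module; the removal step is left commented out so the output can be reviewed first.

```powershell
# Added audit script (not from the advisory). Run from an elevated PowerShell prompt.
# Assumptions: BootExecute lives under the standard Session Manager key, and the
# entry to flag matches the 'autofstx.exe' name given in the article.

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-BootExecuteFindings {
    # BootExecute is REG_MULTI_SZ: one program per array element, run by smss.exe
    # before the session starts. A stock system normally carries only 'autocheck autochk *'.
    $entries = (Get-ItemProperty -Path $sessionManager -Name BootExecute).BootExecute
    foreach ($entry in $entries) {
        [pscustomobject]@{
            Entry   = $entry
            Flagged = ($entry -match 'autofstx')   # the entry the advisory says to remove
        }
    }
}

function Get-OsVolumeProtectorFindings {
    # A TPM-only protector unlocks the OS volume without user input; TpmPin requires
    # the pre-boot PIN the advisory recommends.
    $osVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    foreach ($vol in $osVolumes) {
        $types = @($vol.KeyProtector.KeyProtectorType)
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protectors = ($types -join ',')
            TpmOnly    = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        }
    }
}

Get-BootExecuteFindings        | Format-Table -AutoSize
Get-OsVolumeProtectorFindings  | Format-Table -AutoSize

# Remediation for a flagged BootExecute entry (commented out; review the output first,
# then follow the advisory's procedure to re-establish BitLocker trust for WinRE):
# $clean = (Get-ItemProperty -Path $sessionManager -Name BootExecute).BootExecute |
#          Where-Object { $_ -notmatch 'autofstx' }
# Set-ItemProperty -Path $sessionManager -Name BootExecute -Value $clean -Type MultiString
```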