PT-2026-42025 · Microsoft · Windows
Morse
Published 2026-05-12 · Updated 2026-06-16
CVE-2026-45585
CVSS v2.0: 7.2 (High)
| Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Windows 11
Windows Server 2022
Windows Server 2025
Description
A security feature bypass known as YellowKey affects the BitLocker component in Windows. The issue allows an attacker with physical access to a device to bypass full-disk encryption and gain unauthorized access to protected data without a recovery key. The attack abuses the Windows Recovery Environment (WinRE) through a malicious System Volume Information\FsTx directory placed on a USB drive or on the EFI partition. By replaying NTFS transaction logs, the attacker can delete the winpeshl.ini file, which causes WinRE to drop to a command prompt (cmd.exe) while the OS volume has already been transparently unlocked by the TPM. Once an administrative shell is obtained, the manage-bde command-line tool can be used to extract the BitLocker recovery key. The attack specifically targets default TPM-only deployments; systems using TPM plus PIN are not exploitable via this method.
Recommendations
For Windows 11, Windows Server 2022, and Windows Server 2025, implement the following measures:
- Transition from TPM-only BitLocker configurations to TPM plus PIN or a Startup Key via Group Policy.
- Remove autofstx.exe from the WinRE BootExecute configuration.
- Restrict and harden the Windows Recovery Environment (WinRE).
- Tighten BIOS and UEFI protections and enforce strict physical access controls.
- Monitor System logs for recent WinRE boot events and unexpected executions of the manage-bde command-line tool.
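The following is an added audit script, not part of this advisory or of Microsoft's guidance, covering the first and last recommendations above: it flags volumes that rely on a TPM-only protector and lists recent manage-bde.exe process creations. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume), process-creation auditing (Security event 4688) being enabled, and an elevated session.

```powershell
# Added example (not from the advisory). Assumes the BitLocker module,
# Security event 4688 auditing and an elevated PowerShell session.

# 1. Protector audit: a volume whose only TPM-based protector is 'Tpm'
#    (no TpmPin / TpmStartupKey / TpmPinStartupKey) is the TPM-only
#    configuration the advisory describes as exploitable.
$strongTpm = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasStrong = @($types | Where-Object { $strongTpm -contains $_ }).Count -gt 0
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ',')
        TpmOnly          = ($types -contains 'Tpm') -and -not $hasStrong
    }
}
$report | Format-Table -AutoSize
$report | Where-Object { $_.TpmOnly } | ForEach-Object {
    # Remediation hint: Add-BitLockerKeyProtector -TpmAndPinProtector -Pin <SecureString>
    Write-Warning "$($_.MountPoint): TPM-only protector; add a PIN or startup key (Add-BitLockerKeyProtector)."
}

# 2. Detection: manage-bde.exe process creations in the last 7 days.
#    Event 4688 carries the executable path in its 'New Process Name' field.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'manage-bde\.exe' } |
    Select-Object TimeCreated,
        @{ n = 'Process'; e = { (($_.Message -split "`r?`n") | Where-Object { $_ -match 'New Process Name' }) -join '' } } |
    Format-Table -AutoSize

# 3. Whether WinRE is enabled at all on this host (reagentc is a built-in tool).
reagentc /info | Select-String 'Windows RE status'
```

Run it on a sample of endpoints before a fleet-wide rollout; a volume reported with TpmOnly = True is the configuration to migrate to TPM plus PIN via Group Policy.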
Exploit
Fix
DoS
Protection Mechanism Failure
Command Injection
Related Identifiers
Affected Products
Windows