PT-2026-42025 · Microsoft · Windows
Morse · Published 2026-05-12 · Updated 2026-06-16 · CVE-2026-45585
CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Windows 11, Windows Server 2022, Windows Server 2025
Description: A security feature bypass known as YellowKey affects the BitLocker component in Windows. It allows an attacker with physical access to a device to bypass full-disk encryption and read protected data without a recovery key. The attack abuses the Windows Recovery Environment (WinRE) through a malicious System Volume Information\FsTx directory placed on a USB drive or on the EFI partition. By replaying NTFS transaction logs, the attacker deletes the winpeshl.ini file, which causes WinRE to drop to a command prompt (cmd.exe) while the volume is still transparently decrypted by the TPM. With that administrative shell, the manage-bde tool can be used to extract the BitLocker recovery key. The issue specifically affects default TPM-only deployments; systems using TPM plus PIN are not exploitable by this method.
Recommendations: For Windows 11, Windows Server 2022, and Windows Server 2025, implement the following measures:
  • Transition from TPM-only BitLocker configurations to TPM plus PIN or a Startup Key via Group Policy.
  • Remove autofstx.exe from the WinRE BootExecute configuration.
  • Restrict and harden the Windows Recovery Environment (WinRE).
  • Tighten BIOS and UEFI protections and enforce strict physical access controls.
  • Monitor System logs for recent WinRE boot events and unexpected executions of the manage-bde function.
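The following audit script is an added example, not part of this advisory or of Microsoft's tooling. It checks the two configuration points the first two recommendations depend on: whether any BitLocker volume still relies on a TPM-only protector, and whether autofstx.exe appears in the BootExecute value of the running OS. It assumes an elevated session with the BitLocker PowerShell module available (Windows 11 / Server 2022 / Server 2025); the WinRE image keeps its own registry hive inside winre.wim, so that hive must be inspected separately after mounting the image (an assumption about where WinRE reads its BootExecute from, not something the advisory states).

```powershell
# Added audit script (not from the advisory). Assumes an elevated session and the
# BitLocker module. Flags the configuration the advisory calls exploitable: TPM-only.

function Get-BitLockerExposure {
    $results = foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # TPM-only means a plain "Tpm" protector with no PIN / startup-key variant.
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not ($types | Where-Object { $_ -in 'TpmPin','TpmStartupKey','TpmPinStartupKey' })
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ',')
            TpmOnly    = [bool]$tpmOnly
            Verdict    = if ($tpmOnly) { 'EXPOSED: move to TPM+PIN or startup key' } else { 'OK' }
        }
    }
    return $results
}

function Test-BootExecuteForAutofstx {
    # BootExecute of the running OS hive. The WinRE image (winre.wim) carries its
    # own SYSTEM hive; mount it and repeat this check there (assumption, see lead-in).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $entries = @((Get-ItemProperty -Path $key -Name BootExecute).BootExecute)
    [pscustomobject]@{
        Entries     = $entries
        HasAutofstx = [bool]($entries | Where-Object { $_ -match 'autofstx' })
    }
}

Get-BitLockerExposure | Format-Table -AutoSize
Test-BootExecuteForAutofstx | Format-List
# WinRE enablement status as reported by the OS (reagentc is a built-in tool).
reagentc /info
```

Any volume reported as EXPOSED is in the default TPM-only state the advisory describes; adding a PIN or startup key protector and removing the plain TPM protector is the change the first recommendation asks for.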

Exploit · Fix · DoS · Protection Mechanism Failure · Command Injection


Weakness Enumeration

Related Identifiers: BDU:2026-06825, CVE-2026-45585

Affected Products: Windows