CVE-2026-45585

MEDIUM

Microsoft Windows 11 Version 24H2 - Windows BitLocker Security Feature Bypass Vulnerability

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 28 public exploits for CVE-2026-45585. PoCs published by Nightmare-Eclipse, Mclisterjoeh2o, iDesignStudioz.

AI-analyzed exploit summary This repository describes a BitLocker bypass vulnerability in Windows 11 and Server 2022/2025 via a crafted FsTx folder placed in the System Volume Information directory. The exploit leverages a component in the Windows Recovery Environment (WinRE) to spawn an unrestricted shell, bypassing BitLocker encryption.

Description

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. Mitigation FAQs Should I leverage the temporary mitigation? Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization’s employees take their work devices home or on business travel. What impact to service availability/management could be caused by implementing the mitigations? Implementing these mitigations will not impact service availability or management operations. Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available? No. The security update will maintain the mitigation's behavior once the security update is installed. I am using TPM+PIN, am I at risk of this vulnerability being exploited No, if you are using TPM+PIN the vulnerability is not exploitable.

Exploits (28)

github WORKING POC 3,663 stars
by Nightmare-Eclipse · pocgithub
https://github.com/Nightmare-Eclipse/YellowKey

This repository describes a BitLocker bypass vulnerability in Windows 11 and Server 2022/2025 via a crafted FsTx folder placed in the System Volume Information directory. The exploit leverages a component in the Windows Recovery Environment (WinRE) to spawn an unrestricted shell, bypassing BitLocker encryption.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Windows 11, Windows Server 2022/2025
No auth needed
Prerequisites: USB stick with NTFS/FAT32/exFAT filesystem · Access to target machine's boot process · Windows Recovery Environment (WinRE) access
mistral-large-3 · analyzed May 20, 2026 Full analysis →
github SUSPICIOUS 29 stars
by Mclisterjoeh2o · typescriptpoc
https://github.com/Mclisterjoeh2o/yellowkey-bitlocker

The repository claims to be a BitLocker bypass tool but contains no actual exploit code. It directs users to download an external ZIP file, which is a common tactic for distributing malware or fake exploits.

Classification
Suspicious 90%
Attack Type
Auth Bypass
Complexity
Theoretical
Reliability
Theoretical
Target: BitLocker (Windows 10/11)
No auth needed
Prerequisites: physical access · bootable USB
mistral-large-3 · analyzed May 23, 2026 Full analysis →
nomisec SUSPICIOUS 1 stars
by iDesignStudioz · poc
https://github.com/iDesignStudioz/yellowkey-bitlocker

The repository contains a .NET application that distributes files to MetaTrader directories but lacks any exploit code or technical details about CVE-2026-45585. The README is vague and promotional, with no analysis of the vulnerability.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: MetaTrader (MQL4/MQL5)
No auth needed
Prerequisites: Access to local file system
mistral-large-3 · analyzed Jun 13, 2026 Full analysis →
github TROJAN 1 stars
by DepthCoxswain · typescriptpoc
https://github.com/DepthCoxswain/yellowkey-bitlocker-255

The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts an executable, and runs it. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN 1 stars
by Lengthlyapipe · typescriptpoc
https://github.com/Lengthlyapipe/yellowkey-bitlocker-813

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: N/A
No auth needed
Prerequisites: victim to run npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN 1 stars
by digitalantconverter · typescriptpoc
https://github.com/digitalantconverter/yellowkey-bitlocker-183

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system · execution of npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN 1 stars
by MysticMite92 · typescriptpoc
https://github.com/MysticMite92/yellowkey-bitlocker-544

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system · execution of npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN 1 stars
by ColorsShogun · typescriptpoc
https://github.com/ColorsShogun/yellowkey-bitlocker-796

The repository contains a malicious postinstall script that searches for specific files, constructs a ZIP archive, extracts it, and executes an embedded executable. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system · execution of npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN 1 stars
by digitalantconverter · typescriptpoc
https://github.com/digitalantconverter/yellowkey-bitlocker-365

The repository contains a malicious postinstall script that searches for specific files, constructs a ZIP archive, extracts it, and executes an embedded executable. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Unspecified (likely Windows systems)
No auth needed
Prerequisites: Victim must run `npm install` or similar to trigger the postinstall script
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN 1 stars
by Drizzlekolog · typescriptpoc
https://github.com/Drizzlekolog/yellowkey-bitlocker-579

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system · execution of npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN 1 stars
by Restoireflect · typescriptpoc
https://github.com/Restoireflect/yellowkey-bitlocker-525

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system · execution of npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN 1 stars
by ChannelShape · typescriptpoc
https://github.com/ChannelShape/yellowkey-bitlocker-243

The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts it, and executes an embedded .exe. This behavior is characteristic of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system · execution of npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github WORKING POC
by SecureWithUmer · c++poc
https://github.com/SecureWithUmer/CVE-2026-PoCs/tree/main/2026/CVE-2026-45585

This repository provides PowerShell scripts for detecting and remediating CVE-2026-45585, a BitLocker/WinRE bypass vulnerability. The scripts mount the Windows Recovery Environment (WinRE) image, inspect/modify the offline SYSTEM hive's BootExecute values to remove malicious 'autofstx.exe' entries, and refresh WinRE registration to restore BitLocker trust.

Classification
Working Poc 98%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Windows Recovery Environment (WinRE) on Windows systems with BitLocker
Auth required
Prerequisites: Local administrator/SYSTEM privileges · 64-bit PowerShell environment · WinRE enabled on the target system · Access to reagentc.exe and reg.exe
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
nomisec SUSPICIOUS
by Desireeontrial76 · poc
https://github.com/Desireeontrial76/yellowkey-bitlocker

The repository claims to provide a BitLocker unlock tool but contains no exploit code. Instead, it includes a generic C# application for distributing files to MetaTrader directories and a JSON library, with a README pushing external downloads.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: BitLocker
No auth needed
Prerequisites: None
mistral-large-3 · analyzed Jun 16, 2026 Full analysis →
nomisec STUB
by ChanderManiPandey2022 · poc
https://github.com/ChanderManiPandey2022/YellowKey-BitLocker-Bypass-CVE-2026-45585-Detect-Fix-Automatically-via-Microsoft-Intune

The repository contains only a single text file with no functional exploit code or technical details. It appears to be a placeholder or incomplete content related to a BitLocker bypass vulnerability.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Microsoft BitLocker (version unspecified)
No auth needed
Prerequisites: none specified
mistral-large-3 · analyzed Jun 08, 2026 Full analysis →
github TROJAN
by SmashMythAmp · typescriptpoc
https://github.com/SmashMythAmp/yellowkey-bitlocker-222

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Windows systems
No auth needed
Prerequisites: victim must run npm install or similar command
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN
by senseibreathhovel · typescriptpoc
https://github.com/senseibreathhovel/yellowkey-bitlocker-911

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Windows systems
No auth needed
Prerequisites: victim to run npm install or similar command
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN
by CeilingSector · typescriptpoc
https://github.com/CeilingSector/yellowkey-bitlocker-875

The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts an executable, and runs it. The README describes a BitLocker bypass tool but lacks technical details about CVE-2026-45585.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN
by Nucleusiloot · typescriptpoc
https://github.com/Nucleusiloot/yellowkey-bitlocker-471

The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts an executable, and runs it. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system · execution of npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN
by SkySmokeMoat · typescriptpoc
https://github.com/SkySmokeMoat/yellowkey-bitlocker-644

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system · execution of npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN
by Supremeirrevere · typescriptpoc
https://github.com/Supremeirrevere/yellowkey-bitlocker-537

The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts it, and executes an embedded .exe. This is a trojan disguised as a BitLocker bypass tool.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Windows systems
No auth needed
Prerequisites: victim runs npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN
by WellElementalist · typescriptpoc
https://github.com/WellElementalist/yellowkey-bitlocker-313

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: N/A
No auth needed
Prerequisites: victim to run npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
github TROJAN
by Speedithrust · typescriptpoc
https://github.com/Speedithrust/yellowkey-bitlocker-364

The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.

Classification
Trojan 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows systems with BitLocker
No auth needed
Prerequisites: physical access to the target system · execution of npm install
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
nomisec SUSPICIOUS
by ChanderManiPandey2022 · poc
https://github.com/ChanderManiPandey2022/Yellow-Key-Check

The repository contains no actual exploit code, only a link to an external download (GitHub releases). This is a common tactic used to lure researchers into downloading potentially malicious files.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: unknown
No auth needed
Prerequisites: none
mistral-large-3 · analyzed Jun 05, 2026 Full analysis →
github WRITEUP
by 0xBlackash · powershellpoc
https://github.com/0xBlackash/CVE-2026-45585

This repository provides a PowerShell script and detailed documentation for mitigating CVE-2026-45585 (YellowKey), a zero-day physical attack vulnerability in Windows 11 that bypasses BitLocker encryption. The script applies two key mitigations: removing autofstx.exe from WinRE and enforcing TPM+PIN protection.

Classification
Writeup 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Windows 11 BitLocker
No auth needed
Prerequisites: physical access to the target device · Windows 11 with BitLocker enabled
mistral-large-3 · analyzed May 31, 2026 Full analysis →
nomisec WORKING POC
by andrei-majer · poc
https://github.com/andrei-majer/bitlocker-hardening

This repository contains a PowerShell script that mitigates CVE-2026-45585 (YellowKey) by adding a TPM+PIN protector to BitLocker-protected drives, preventing the WinRE bypass attack. The script automates the process of setting Group Policy keys, applying them, and adding the TPM+PIN protector.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: BitLocker on Windows 11 (24H2 or later) and Windows Server 2022/2025
Auth required
Prerequisites: Administrator privileges · BitLocker enabled on the target drive · Physical access to the machine
mistral-large-3 · analyzed May 24, 2026 Full analysis →
nomisec WORKING POC
by everest90909 · poc
https://github.com/everest90909/YellowKey-WinRE-Remediation

This repository contains functional PowerShell scripts for detecting and remediating CVE-2026-45585, a vulnerability involving the presence of 'autofstx.exe' in the WinRE BootExecute registry value, which could bypass BitLocker protections. The scripts mount the WinRE image, inspect/modify the offline SYSTEM hive, and ensure proper cleanup.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Windows Recovery Environment (WinRE) with BitLocker
Auth required
Prerequisites: Local administrator/SYSTEM privileges · 64-bit PowerShell · Access to reagentc.exe and reg.exe
mistral-large-3 · analyzed May 22, 2026 Full analysis →
nomisec WORKING POC
by bjbakker1984 · poc
https://github.com/bjbakker1984/Yellowkey-mitigation

This repository contains a PowerShell script that automates the mitigation for CVE-2026-45585 by removing 'autofstx.exe' from the BootExecute registry value in the WinRE (Windows Recovery Environment) hive. The script includes verification steps and only commits changes if modifications are necessary.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Recovery Environment (WinRE)
Auth required
Prerequisites: Administrator privileges · Windows system with WinRE enabled
mistral-large-3 · analyzed May 20, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory patch
Windows BitLocker Security Feature Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585

Scores

CVSS v3 6.8
EPSS 0.0125
EPSS Percentile 65.8%
Attack Vector PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (14)
Microsoft/Windows 11 Version 24H2 -
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8655
Microsoft/Windows 11 Version 25H2 -
Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8655
Microsoft/Windows 11 version 26H1 -
Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.2269
Microsoft/Windows Server 2025 -
Microsoft/Windows Server 2025 10.0.26100.0 - 10.0.26100.32995
Microsoft/Windows Server 2025 (Server Core installation) -
Microsoft/Windows Server 2025 (Server Core installation) 10.0.26100.0 - 10.0.26100.32995
... and 4 more
Published May 20, 2026
Tracked Since May 20, 2026