CVE-2026-45585

MEDIUM

Microsoft Windows 11 Version 24H2 - Windows BitLocker Security Feature Bypass Vulnerability


Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-45585. PoCs published by Nightmare-Eclipse, Mclisterjoeh2o, andrei-majer.

AI-analyzed exploit summary: This repository describes a BitLocker bypass vulnerability in Windows 11 and Server 2022/2025 via a crafted FsTx folder placed in the System Volume Information directory. The exploit leverages a component in the Windows Recovery Environment (WinRE) to spawn an unrestricted shell, bypassing BitLocker encryption.

Description

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available.

Exploits (5)

github WORKING POC 3,663 stars
by Nightmare-Eclipse · poc · github
https://github.com/Nightmare-Eclipse/YellowKey

This repository describes a BitLocker bypass vulnerability in Windows 11 and Server 2022/2025 via a crafted FsTx folder placed in the System Volume Information directory. The exploit leverages a component in the Windows Recovery Environment (WinRE) to spawn an unrestricted shell, bypassing BitLocker encryption.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Windows 11, Windows Server 2022/2025
No auth needed
Prerequisites: USB stick with NTFS/FAT32/exFAT filesystem · Access to target machine's boot process · Windows Recovery Environment (WinRE) access
devstral-2 · analyzed May 20, 2026
github SUSPICIOUS 29 stars
by Mclisterjoeh2o · typescript · poc
https://github.com/Mclisterjoeh2o/yellowkey-bitlocker

The repository claims to be a BitLocker bypass tool but contains no actual exploit code. It directs users to download an external ZIP file, which is a common tactic for distributing malware or fake exploits.

Classification
Suspicious 90%
Attack Type
Auth Bypass
Complexity
Theoretical
Reliability
Theoretical
Target: BitLocker (Windows 10/11)
No auth needed
Prerequisites: physical access · bootable USB
devstral-2 · analyzed May 23, 2026
nomisec WORKING POC
by andrei-majer · poc
https://github.com/andrei-majer/bitlocker-hardening

This repository contains a PowerShell script that mitigates CVE-2026-45585 (YellowKey) by adding a TPM+PIN protector to BitLocker-protected drives, preventing the WinRE bypass attack. The script automates the process of setting Group Policy keys, applying them, and adding the TPM+PIN protector.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: BitLocker on Windows 11 (24H2 or later) and Windows Server 2022/2025
Auth required
Prerequisites: Administrator privileges · BitLocker enabled on the target drive · Physical access to the machine
devstral-2 · analyzed May 24, 2026
nomisec WORKING POC
by everest90909 · poc
https://github.com/everest90909/YellowKey-WinRE-Remediation

This repository contains functional PowerShell scripts for detecting and remediating CVE-2026-45585, a vulnerability involving the presence of 'autofstx.exe' in the WinRE BootExecute registry value, which could bypass BitLocker protections. The scripts mount the WinRE image, inspect/modify the offline SYSTEM hive, and ensure proper cleanup.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Windows Recovery Environment (WinRE) with BitLocker
Auth required
Prerequisites: Local administrator/SYSTEM privileges · 64-bit PowerShell · Access to reagentc.exe and reg.exe
devstral-2 · analyzed May 22, 2026
nomisec WORKING POC
by bjbakker1984 · poc
https://github.com/bjbakker1984/Yellowkey-mitigation

This repository contains a PowerShell script that automates the mitigation for CVE-2026-45585 by removing 'autofstx.exe' from the BootExecute registry value in the WinRE (Windows Recovery Environment) hive. The script includes verification steps and only commits changes if modifications are necessary.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Recovery Environment (WinRE)
Auth required
Prerequisites: Administrator privileges · Windows system with WinRE enabled
devstral-2 · analyzed May 20, 2026

References (2)

Core References
Vendor Advisory · vendor-advisory · patch
Windows BitLocker Security Feature Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585

Scores

CVSS v3 6.8
EPSS 0.0011
EPSS Percentile 28.1%
Attack Vector PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (9)
Microsoft/Windows 11 Version 24H2
Microsoft/Windows 11 Version 25H2
Microsoft/Windows 11 Version 26H1
Microsoft/Windows Server 2025
Microsoft/Windows Server 2025 (Server Core installation)
microsoft/windows_11_24h2
microsoft/windows_11_25h2
microsoft/windows_11_26h1
microsoft/windows_server_2025
Published May 20, 2026
Tracked Since May 20, 2026