CVE-2026-45585
MEDIUMMicrosoft Windows 11 Version 24H2 - Windows BitLocker Security Feature Bypass Vulnerability
Title source: ruleExploitation Summary
EIP tracks 28 public exploits for CVE-2026-45585. PoCs published by Nightmare-Eclipse, Mclisterjoeh2o, iDesignStudioz.
AI-analyzed exploit summary This repository describes a BitLocker bypass vulnerability in Windows 11 and Server 2022/2025 via a crafted FsTx folder placed in the System Volume Information directory. The exploit leverages a component in the Windows Recovery Environment (WinRE) to spawn an unrestricted shell, bypassing BitLocker encryption.
Description
Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. Mitigation FAQs Should I leverage the temporary mitigation? Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization’s employees take their work devices home or on business travel. What impact to service availability/management could be caused by implementing the mitigations? Implementing these mitigations will not impact service availability or management operations. Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available? No. The security update will maintain the mitigation's behavior once the security update is installed. I am using TPM+PIN, am I at risk of this vulnerability being exploited No, if you are using TPM+PIN the vulnerability is not exploitable.
Exploits (28)
This repository describes a BitLocker bypass vulnerability in Windows 11 and Server 2022/2025 via a crafted FsTx folder placed in the System Volume Information directory. The exploit leverages a component in the Windows Recovery Environment (WinRE) to spawn an unrestricted shell, bypassing BitLocker encryption.
The repository claims to be a BitLocker bypass tool but contains no actual exploit code. It directs users to download an external ZIP file, which is a common tactic for distributing malware or fake exploits.
The repository contains a .NET application that distributes files to MetaTrader directories but lacks any exploit code or technical details about CVE-2026-45585. The README is vague and promotional, with no analysis of the vulnerability.
The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts an executable, and runs it. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for specific files, constructs a ZIP archive, extracts it, and executes an embedded executable. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for specific files, constructs a ZIP archive, extracts it, and executes an embedded executable. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts it, and executes an embedded .exe. This behavior is characteristic of a trojan rather than a legitimate exploit PoC.
This repository provides PowerShell scripts for detecting and remediating CVE-2026-45585, a BitLocker/WinRE bypass vulnerability. The scripts mount the Windows Recovery Environment (WinRE) image, inspect/modify the offline SYSTEM hive's BootExecute values to remove malicious 'autofstx.exe' entries, and refresh WinRE registration to restore BitLocker trust.
The repository claims to provide a BitLocker unlock tool but contains no exploit code. Instead, it includes a generic C# application for distributing files to MetaTrader directories and a JSON library, with a README pushing external downloads.
The repository contains only a single text file with no functional exploit code or technical details. It appears to be a placeholder or incomplete content related to a BitLocker bypass vulnerability.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts an executable, and runs it. The README describes a BitLocker bypass tool but lacks technical details about CVE-2026-45585.
The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts an executable, and runs it. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, assembles them into a ZIP, extracts it, and executes an embedded .exe. This is a trojan disguised as a BitLocker bypass tool.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains a malicious postinstall script that searches for .dat files, constructs a ZIP archive, extracts it, and executes an embedded .exe file. This behavior is indicative of a trojan rather than a legitimate exploit PoC.
The repository contains no actual exploit code, only a link to an external download (GitHub releases). This is a common tactic used to lure researchers into downloading potentially malicious files.
This repository provides a PowerShell script and detailed documentation for mitigating CVE-2026-45585 (YellowKey), a zero-day physical attack vulnerability in Windows 11 that bypasses BitLocker encryption. The script applies two key mitigations: removing autofstx.exe from WinRE and enforcing TPM+PIN protection.
This repository contains a PowerShell script that mitigates CVE-2026-45585 (YellowKey) by adding a TPM+PIN protector to BitLocker-protected drives, preventing the WinRE bypass attack. The script automates the process of setting Group Policy keys, applying them, and adding the TPM+PIN protector.
This repository contains functional PowerShell scripts for detecting and remediating CVE-2026-45585, a vulnerability involving the presence of 'autofstx.exe' in the WinRE BootExecute registry value, which could bypass BitLocker protections. The scripts mount the WinRE image, inspect/modify the offline SYSTEM hive, and ensure proper cleanup.
This repository contains a PowerShell script that automates the mitigation for CVE-2026-45585 by removing 'autofstx.exe' from the BootExecute registry value in the WinRE (Windows Recovery Environment) hive. The script includes verification steps and only commits changes if modifications are necessary.
References (2)
Scores
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H