Tags: microsoft, bitlocker, cve, windows, winre, physical-access, bypass
Category: news
YellowKey: WinRE BitLocker Security Bypass (CVE-2026-45585)
Nightmare-Eclipse PoC replays FsTx transactions in WinRE via USB/EFI staging — CTRL during recovery reboot spawns shell with BitLocker volume access; patched June 2026.
Summary
YellowKey is a physical-access BitLocker security feature bypass published by Nightmare-Eclipse before Microsoft assigned CVE-2026-45585 on May 19, 2026. The PoC abuses the FsTx Auto Recovery Utility (autofstx.exe) inside the Windows Recovery Environment (WinRE) image. By staging a crafted FsTx folder under `System Volume Information\FsTx` on removable media or the EFI partition, an attacker with brief physical access can trigger a transaction replay during WinRE boot that deletes winpeshl.ini; WinRE then falls back to an elevated command shell with unrestricted access to the BitLocker-protected volume.
This is not a cryptographic break of BitLocker. Microsoft classifies it as a security feature bypass requiring physical access (CVSS 3.1 6.8, AV:P). Affected configurations include Windows 11 24H2/25H2/26H1 and Windows Server 2025; Windows 10 is not affected per researcher and vendor reporting. June 2026 Patch Tuesday shipped a full fix; the interim mitigation removes autofstx.exe from the WinRE BootExecute list and re-seals WinRE trust.
The researcher notes a suspicious discrepancy: the triggering component exists in WinRE with the bypass behavior, while a binary of the same name in normal Windows installs lacks that functionality, which raises questions about whether the WinRE-only behavior is intentional. OFFSITE.DARK indexes the public PoC and vendor mitigation guidance only.
Technical Details
| Aspect | Detail |
|---|---|
| CVE | CVE-2026-45585 |
| Component | WinRE — FsTx Auto Recovery Utility (autofstx.exe) |
| Attack vector | Physical access |
| Root cause | Transaction replay in `System Volume Information\FsTx` during WinRE boot |
| Affected | Windows 11 (24H2+), Windows Server 2022/2025; not Windows 10 |
| Staging media | USB (NTFS/exFAT/FAT32) or internal EFI partition (disk pull/reseat) |
| Trigger | Shift+Restart → WinRE entry, then hold Ctrl after releasing Shift |
| Patch | June 2026 Patch Tuesday + WinRE image update |
Reproduction sequence (PoC author)
- Copy the repository `FsTx` folder to `X:\System Volume Information\FsTx` on attacker-controlled media (any compatible Windows filesystem; the EFI partition works without external USB).
- Insert the media or reseat the disk on a BitLocker-enabled target.
- Reboot to WinRE via Shift + Restart (mouse click on Restart while holding Shift).
- After clicking Restart, release Shift and hold Ctrl continuously through recovery boot.
- If staging succeeded, WinRE spawns a shell with access to the encrypted OS volume.
Microsoft's interim mitigation mounts the offline WinRE image, edits the `Session Manager\BootExecute` registry value to remove autofstx.exe, commits the hive, and re-establishes BitLocker trust for WinRE so that sealing remains valid.
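The following PowerShell is an added example of the mitigation sequence described above; it is not Microsoft's script and not code from the page. It assumes a single-index winre.wim, an elevated session, and that the "re-seal" step is satisfied by re-registering the image with `reagentc /enable` (an assumption; follow the vendor script where it differs). The temporary hive name and mount directory are constructed for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: strip autofstx.exe from the WinRE image's BootExecute list and re-register WinRE.

$Mount   = 'C:\WinRE_Mount'      # constructed mount directory
$HiveKey = 'WinRE_SYSTEM'        # constructed temporary hive name

# 1. Disable WinRE so the image is staged at %SystemRoot%\System32\Recovery\Winre.wim and editable offline.
reagentc /disable | Out-Null
$Wim = Join-Path $env:SystemRoot 'System32\Recovery\Winre.wim'
if (-not (Test-Path -LiteralPath $Wim)) { throw "WinRE image not found at $Wim" }

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null

$Committed = $false
try {
    # 2. Load the offline SYSTEM hive and find BootExecute (REG_MULTI_SZ) in the control set WinRE boots from.
    reg.exe load "HKLM\$HiveKey" (Join-Path $Mount 'Windows\System32\config\SYSTEM') | Out-Null
    $Current = (Get-ItemProperty -Path "HKLM:\$HiveKey\Select").Current
    $SmKey   = "HKLM:\$HiveKey\ControlSet{0:D3}\Control\Session Manager" -f $Current
    $Before  = [string[]](Get-ItemProperty -Path $SmKey -Name BootExecute).BootExecute
    $After   = [string[]]($Before | Where-Object { $_ -notmatch 'autofstx' })

    if ($After.Count -eq $Before.Count) {
        Write-Host 'autofstx.exe not present in WinRE BootExecute; nothing to remove.'
    } else {
        Set-ItemProperty -Path $SmKey -Name BootExecute -Value $After -Type MultiString
        Write-Host "Removed from BootExecute: $(($Before | Where-Object { $_ -match 'autofstx' }) -join '; ')"
    }
    $Committed = $true
} finally {
    # Release hive handles before unloading, otherwise reg unload fails with access denied.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$HiveKey" | Out-Null
    # 3. Commit the edit into winre.wim only if every step succeeded; otherwise discard the mount.
    if ($Committed) { Dismount-WindowsImage -Path $Mount -Save | Out-Null }
    else            { Dismount-WindowsImage -Path $Mount -Discard | Out-Null }
}

# 4. Re-register the updated image on the recovery partition (assumed here to cover the re-seal step).
reagentc /enable | Out-Null
reagentc /info
```

Run this once per endpoint before the June 2026 update reaches the device; the `reagentc /info` output at the end should show "Windows RE status: Enabled" with the image location on the recovery partition.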
Trust-chain implications
| Layer | YellowKey effect |
|---|---|
| BitLocker encryption | Not broken — keys remain protected at rest |
| Pre-boot gate | Bypassed via the WinRE recovery path, not a PIN/TPM crypto failure |
| TPM-only mode | Vulnerable to physical WinRE abuse per Microsoft guidance |
| TPM+PIN mode | Microsoft states the issue is not exploitable when a PIN is required at every boot |
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-45585 |
| CVSS 3.1 | 6.8 Medium (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Type | Security Feature Bypass (BitLocker) |
| Public PoC | Yes — NVD lists GitHub/Project Nightcrawler reference |
| Patched | June 2026 Patch Tuesday |
Impact
- Offline data access on lost/stolen or briefly unattended BitLocker devices using TPM-only unlock.
- Forensic and theft scenarios — attacker needs physical access and WinRE boot window, not network exploitability.
- Enterprise fleet risk for laptops without TPM+PIN, especially travel/field devices.
- Cluster signal — fourth distinct Windows security surface targeted by the same researcher (Defender LPE ×3, BitLocker bypass, CTF LPE, Cloud Files regression).
Mitigation
- Apply June 2026 Patch Tuesday updates and verify WinRE image includes the fix.
- Run Microsoft's WinRE mitigation script (remove `autofstx.exe` from `BootExecute`, re-seal WinRE) on high-risk endpoints before full patch rollout if needed.
- Migrate sensitive devices from TPM-only to TPM+PIN BitLocker policy (Group Policy / Intune).
- Restrict physical access and enable firmware/BIOS boot passwords where operational policy allows.
- Monitor for unexpected WinRE boots and unauthorized `System Volume Information\FsTx` artifacts on attached storage.
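As an added example covering the TPM+PIN, BootExecute and FsTx-artifact items above (not code from the page or from Microsoft), this PowerShell audit reports three exposure indicators per endpoint: whether the OS volume still relies on a TPM-only protector, whether an autofstx entry is present in the live BootExecute list, and whether a `System Volume Information\FsTx` folder exists on any lettered volume or on the EFI system partition. The function name, the temporary EFI drive letter and the status labels are this example's own assumptions; detecting WinRE boots themselves is not covered here.

```powershell
#Requires -RunAsAdministrator
# Added example: audit one endpoint for YellowKey exposure indicators. Emits one object per check.

function Get-YellowKeyExposure {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Status, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    # Check 1: protector mode of the OS volume. TpmPin / TpmPinStartupKey require a PIN at every boot.
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    $pinStatus = if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') { 'OK' }
                 elseif ($types -contains 'Tpm') { 'EXPOSED (TPM-only)' }
                 else { 'REVIEW' }
    Add-Finding 'OS volume protector' $pinStatus ("protectors: " + ($types -join ', ') + "; status: $($os.ProtectionStatus)")

    # Check 2: autofstx in the live BootExecute list. The authoritative check is the offline WinRE hive;
    # a hit here is an extra signal that the recovery image has not been remediated.
    $be = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name BootExecute).BootExecute
    $hit = @($be | Where-Object { $_ -match 'autofstx' })
    Add-Finding 'Live BootExecute' ($(if ($hit.Count) { 'EXPOSED' } else { 'OK' })) ($be -join '; ')

    # Check 3: staging artifacts on every lettered volume (fixed, removable, USB).
    foreach ($vol in Get-Volume | Where-Object { $_.DriveLetter }) {
        $path = "$($vol.DriveLetter):\System Volume Information\FsTx"
        if (Test-Path -LiteralPath $path) {
            Add-Finding "FsTx artifact on $($vol.DriveLetter):" 'EXPOSED' "found $path ($($vol.DriveType), $($vol.FileSystem))"
        }
    }

    # Check 3b: the EFI system partition has no letter; mount it briefly on a free letter to inspect it.
    $efiLetter = 'S'   # assumed free letter; adjust if S: is in use
    if (-not (Test-Path -LiteralPath "${efiLetter}:\")) {
        mountvol.exe "${efiLetter}:" /S | Out-Null
        try {
            $efiPath = "${efiLetter}:\System Volume Information\FsTx"
            $efiStatus = if (Test-Path -LiteralPath $efiPath) { 'EXPOSED' } else { 'OK' }
            Add-Finding 'FsTx artifact on EFI partition' $efiStatus $efiPath
        } finally {
            mountvol.exe "${efiLetter}:" /D | Out-Null
        }
    } else {
        Add-Finding 'FsTx artifact on EFI partition' 'SKIPPED' "${efiLetter}: already in use"
    }

    return $findings
}

$report = Get-YellowKeyExposure
$report | Format-Table -AutoSize
if ($report.Status -match 'EXPOSED') { exit 1 }   # non-zero exit lets a management agent flag the device
```

The exit code makes the script usable as a compliance check from Intune or a scheduled task: any `EXPOSED` row means the device still needs the WinRE mitigation, the TPM+PIN migration, or an investigation of who wrote the FsTx folder to that volume.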
Sources
- Project Nightcrawler — NightmareEclipse/YellowKey (primary PoC source)
- Church of Malware git — Nightmare_Eclipse/YellowKey (historical mirror)
- Microsoft MSRC — CVE-2026-45585
- NVD — CVE-2026-45585
- IT-Connect — YellowKey protection guidance
- Penligent — YellowKey trust-chain analysis
- OFFSITE.DARK — RoguePlanet cluster index