Microsoft Issues YellowKey Mitigation, No Patch Yet


Security Affairs, May 20, 2026

Key Takeaways

  • YellowKey bypasses BitLocker via autofstx.exe in WinRE.
  • Affects Windows 11 24H2/25H2/26H1 and Server 2025 x64.
  • No patch; mitigation disables autofstx.exe and enforces TPM+PIN.
  • Manual WinRE registry edit required, challenging at scale.
  • Physical access needed, but stolen laptops remain vulnerable.

Pulse Analysis

The YellowKey flaw, tracked as CVE‑2026‑45585, targets the FsTx Auto Recovery Utility (autofstx.exe) that runs automatically in the Windows Recovery Environment (WinRE). By placing a specially crafted FsTx file on a USB stick or directly in the EFI partition, an attacker with physical access can trigger a shell with unrestricted privileges, effectively bypassing BitLocker encryption. Although the CVSS score is a moderate 6.8 due to the need for hands‑on access, the attack nullifies the very purpose of BitLocker—protecting data when devices are lost or stolen.

Microsoft’s response stops short of a full patch; instead, it provides a manual mitigation that requires administrators to mount the WinRE image, edit the Session Manager’s BootExecute registry value, and remove the autofstx.exe entry. The guidance also urges a shift from TPM‑only to TPM + PIN authentication, ensuring that the drive will not decrypt without a user‑entered PIN at boot. Implementing these changes at scale can be complex, especially for large enterprises that must script WinRE modifications and push policy updates via Intune or Group Policy.
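The two mitigation steps above, written out as an added administrative example (this is not Microsoft's published guidance or script). It assumes the WinRE image can be mounted with `reagentc`, that the offending BootExecute entry can be recognised by the substring `autofstx` (the exact entry text is not given on the page, so the match pattern is an assumption), that the offline hive's active control set is resolved from its `Select\Current` value, and that a recovery password protector is already backed up before the TPM-only protector is replaced by TPM+PIN. The mount directory and hive name are constructed values.

```powershell
# Added example, not Microsoft's script: strip autofstx.exe from the WinRE
# BootExecute list and move the OS volume from TPM-only to TPM+PIN.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$MountDir = 'C:\WinREMount'      # constructed path; must exist and be empty
$HiveName = 'WinRE_SYSTEM'       # temporary name for the loaded offline hive

function Remove-AutofstxBootExecute {
    param([string]$MountDir, [string]$HiveName)

    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

    # reagentc is the supported tool for mounting the active WinRE image.
    reagentc /mountre /path $MountDir
    if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }

    $committed = $false
    try {
        # Load the SYSTEM hive of the mounted image under HKLM\<HiveName>.
        $hivePath = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
        reg load "HKLM\$HiveName" $hivePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }

        try {
            # Offline hives have no CurrentControlSet; resolve it from Select\Current.
            $psHive  = "HKLM:\$HiveName"
            $current = (Get-ItemProperty -Path "$psHive\Select").Current
            $smKey   = "$psHive\ControlSet{0:D3}\Control\Session Manager" -f $current

            $before = [string[]](Get-ItemProperty -Path $smKey).BootExecute
            # Keep every entry except the one launching autofstx (pattern is an assumption).
            $after  = @($before | Where-Object { $_ -notmatch 'autofstx' })

            if ($after.Count -eq $before.Count) {
                Write-Host 'No autofstx entry found in BootExecute; image left unchanged.'
            } else {
                Set-ItemProperty -Path $smKey -Name BootExecute -Value $after -Type MultiString
                Write-Host "BootExecute now: $($after -join ' | ')"
            }
        }
        finally {
            [gc]::Collect()                  # release provider handles before unloading
            reg unload "HKLM\$HiveName" | Out-Null
        }

        # Write the modified image back; until /commit runs nothing has changed on disk.
        reagentc /unmountre /path $MountDir /commit
        if ($LASTEXITCODE -ne 0) { throw "reagentc /unmountre /commit failed ($LASTEXITCODE)" }
        $committed = $true
    }
    finally {
        # Any failure before commit discards the mount so the image stays intact.
        if (-not $committed) { reagentc /unmountre /path $MountDir /discard | Out-Null }
    }
}

function Enable-TpmPinProtector {
    param([string]$MountPoint = 'C:')

    # Policy equivalent of "Require additional authentication at startup" with
    # "Configure TPM startup PIN: Require" (FVE policy values: 1 = require).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector.KeyProtectorType
    if ($types -contains 'TpmPin') { Write-Host "$MountPoint already uses TPM+PIN."; return }
    if ($types -notcontains 'RecoveryPassword') {
        throw 'Back up a recovery password protector before changing the TPM protector.'
    }

    # Only one TPM-based protector may exist, so drop TPM-only first, then add TPM+PIN.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    $pin = Read-Host -Prompt 'New BitLocker startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Write-Host "$MountPoint now requires TPM+PIN at boot."
}

Remove-AutofstxBootExecute -MountDir $MountDir -HiveName $HiveName
Enable-TpmPinProtector -MountPoint 'C:'
```

Run it once per machine from an elevated PowerShell; `reagentc /info` should report WinRE as enabled first, otherwise the mount step fails before anything is touched. Because the script only removes the matching BootExecute entry and discards the mount on any error, re-running it on an already-mitigated host reports "image left unchanged" rather than altering the image again, which makes it safe to schedule through Intune or a startup script for fleet-wide rollout.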

For organizations, the practical impact is twofold: first, the need to act quickly to prevent a low‑effort physical attack on high‑value assets; second, the reminder that data‑at‑rest protections must be complemented by robust physical security and multi‑factor authentication. While the vulnerability’s reliance on physical access limits its prevalence, stolen laptops and unattended workstations remain prime targets. Enterprises should prioritize the TPM + PIN configuration, audit WinRE integrity, and incorporate the manual steps into their regular patch‑management cadence to maintain BitLocker’s effectiveness against evolving threats.
