Microsoft issues mitigation for critical Windows 11 BitLocker flaw exploited with a USB key — "Can't come up with an explanation beside the fact that this was intentional."
Microsoft shares mitigation measures for a critical Windows 11 BitLocker flaw that lets hackers bypass encryption with a simple USB key.
"Just can't come up with an explanation beside the fact that this was intentional. Also for whatever reason, only Windows 11 (+Server 2022/2025) are affected, Windows 10 is not," explained security researcher Chaotic Eclipse (better known as Nightmare-Eclipse) after they managed to bypass Windows 11's sophisticated BitLocker security feature using a USB stick.
The security sleuth posted the zero-day exploit known as YellowKey, which essentially enabled them to access a BitLocker-locked drive without its key. As explained by our friends over at Tom's Hardware:
"The process is dead simple: grab any USB stick, get write access to the 'System Volume Information,' and copy into it the 'FsTx' folder and its contents. Shift+click Restart to get Windows to the recovery environment, but then switch to holding down the Control key and don't let go. The machine will reboot, and without asking any questions or showing any menus, will drop you in an elevated command line with full access to the formerly Bitlocked drive, without asking for any keys."
Eclipse indicated that they "could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft." Earlier this week, the tech giant indicated that it is tracking the YellowKey zero-day exploit under CVE-2026-45585 and shared mitigation measures to prevent the zero-day exploit from gaining unauthorized access to protected drives (via Bleeping Computer).
"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey'. The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices," Microsoft stated.
The company says the mitigation measures it provides can be implemented as a safeguard against the vulnerability until it releases a security update for the issue. The process will involve removing the autofstx.exe entry from the Session Manager's BootExecute REG_MULTI_SZ value.
Consequently, you’ll need to restore BitLocker’s trust in WinRE by following the procedure outlined under Mitigations. In the meantime, Microsoft recommends changing BitLocker’s configuration on encrypted devices from TPM-only mode to TPM+PIN mode using PowerShell, the command line, or the Control Panel. This adjustment requires a pre-boot PIN to decrypt the drive at startup and is expected to block YellowKey attacks.
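To find the devices that still need the TPM+PIN change described above, the following added example (not Microsoft's or this article's code) lists each operating-system volume and flags the ones whose key protectors let the TPM unlock the drive with no pre-boot PIN. The function names `Get-PreBootAuthMode` and `Get-BitLockerPinAudit` are hypothetical; the cmdlets come from the built-in BitLocker PowerShell module and must be run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker OS volumes for TPM-only unlock.
# Function names are hypothetical; cmdlets are from the built-in BitLocker module.

function Get-PreBootAuthMode {
    param([string[]]$ProtectorTypes)
    # Weakest protector wins: if a plain TPM protector is present, the volume
    # can unlock at boot without any user input, whatever else is configured.
    if ($ProtectorTypes -contains 'Tpm')              { return 'TPM-only' }
    if ($ProtectorTypes -contains 'TpmStartupKey')    { return 'TPM+StartupKey' }
    if ($ProtectorTypes -contains 'TpmPin' -or
        $ProtectorTypes -contains 'TpmPinStartupKey') { return 'TPM+PIN' }
    return 'No TPM protector'
}

function Get-BitLockerPinAudit {
    Get-BitLockerVolume |
        Where-Object VolumeType -eq 'OperatingSystem' |
        ForEach-Object {
            # Collect the protector type names configured on this volume.
            $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
            $mode  = Get-PreBootAuthMode -ProtectorTypes $types
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = $types -join ','
                PreBootAuth      = $mode
                TpmOnly          = ($mode -eq 'TPM-only')   # needs the TPM+PIN change
            }
        }
}

Get-BitLockerPinAudit | Format-Table -AutoSize

# To move a flagged volume to TPM+PIN (Group Policy must allow a startup PIN):
#   $pin = Read-Host -AsSecureString 'New BitLocker PIN'
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
# Re-run Get-BitLockerPinAudit afterwards and confirm TpmOnly is False.
```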

Kevin Okemwa is a seasoned tech journalist based in Nairobi, Kenya with lots of experience covering the latest trends and developments in the industry at Windows Central. With a passion for innovation and a keen eye for detail, he has written for leading publications such as OnMSFT, MakeUseOf, and Windows Report, providing insightful analysis and breaking news on everything revolving around the Microsoft ecosystem. While AFK and not busy following the ever-emerging trends in tech, you can find him exploring the world or listening to music.
