
Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives.
The security flaw was disclosed last week by an anonymous security researcher known as 'Nightmare Eclipse,' who described it as a backdoor and published a proof-of-concept (PoC) exploit.
Nightmare Eclipse said that exploiting this zero-day involves placing specially crafted 'FsTx' files on a USB drive or EFI partition, rebooting into WinRE, and then triggering a shell with unrestricted access to the BitLocker-protected storage volume by holding down the CTRL key.
Last month, they also disclosed the BlueHammer (CVE-2026-33825) and RedSun (no identifier) local privilege escalation (LPE) zero-day flaws, both of which are now being exploited in attacks.
The researcher also leaked GreenPlasma, a zero-day privilege-escalation issue that attackers can abuse to obtain a SYSTEM shell, and UnDefend, another zero-day that attackers with standard user permissions can exploit to block Microsoft Defender definition updates.
While the exact circumstances that triggered this spree of exploit leaks are still unclear, Nightmare Eclipse previously said that these disclosures are in protest of how Microsoft's Security Response Center (MSRC) handled the disclosure process for other security flaws they reported in the past.
Microsoft shares YellowKey mitigations
On Tuesday, Microsoft said it is now tracking the YellowKey flaw as CVE-2026-45585 and shared mitigation measures to defend against potential attacks exploiting it in the wild.
"Microsoft is aware of a security feature bypass vulnerability in Windows publicly known as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices," Microsoft said in a Tuesday advisory.
"We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available."
To mitigate YellowKey attacks, Microsoft recommended removing the autofstx.exe entry from the Session Manager's BootExecute REG_MULTI_SZ value, then reestablishing BitLocker trust for WinRE by following the procedure detailed under "Mitigations" in the CVE-2026-33825 advisory.
"Specifically, you prevent the FsTx Auto Recovery Utility, autofstx.exe, from automatically starting when the WinRE image launches," Will Dormann, principal vulnerability analyst at Tharros, explained. "With this change, the Transactional NTFS replaying that deletes winpeshl.ini no longer happens."
Microsoft also advised customers to switch BitLocker on already encrypted devices from "TPM-only" mode to "TPM+PIN" mode via PowerShell, the command line, or the Control Panel. This requires a pre-boot PIN to unlock the drive at startup and should block YellowKey attacks, because the attacker's WinRE shell can no longer obtain the volume key from the TPM alone.
On devices that are not yet encrypted, admins can enable the "Require additional authentication at startup" option via Microsoft Intune or Group Policy, while ensuring that "Configure TPM startup PIN" is set to "Require startup PIN with TPM."
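As an added illustration of the steps above (this script is not from the article, Microsoft's advisory, or Dormann's analysis), the following PowerShell applies the two mitigations on a single host: it strips the autofstx.exe entry from BootExecute, enables the local registry equivalent of the "Require additional authentication at startup" policy with a required TPM PIN, and moves an already encrypted OS volume from a TPM-only protector to TPM+PIN. It assumes the OS volume is C:, that the BootExecute value lives under the usual Session Manager key, and that the FVE policy values UseAdvancedStartup and UseTPMPIN match the Group Policy settings named in the text; the WinRE trust re-establishment step from the CVE-2026-33825 advisory is not reproduced here.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
# Assumed paths/values are marked below; verify them against the advisory.

$ErrorActionPreference = 'Stop'
$osVolume = 'C:'   # assumption: OS volume mount point

# 1. Remove the autofstx.exe entry from BootExecute (REG_MULTI_SZ) so the
#    FsTx Auto Recovery Utility no longer starts when the WinRE image boots.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'  # assumed key
$bootExec = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
$filtered = @($bootExec | Where-Object { $_ -notmatch 'autofstx\.exe' })
if ($filtered.Count -ne $bootExec.Count) {
    Set-ItemProperty -Path $smKey -Name BootExecute -Value ([string[]]$filtered) -Type MultiString
    Write-Host "BootExecute updated; remaining entries: $($filtered -join ' | ')"
} else {
    Write-Host 'No autofstx.exe entry found in BootExecute; nothing removed.'
}
# Next, re-establish BitLocker trust for WinRE per the CVE-2026-33825
# "Mitigations" section (procedure not shown here).

# 2. Local equivalent of the Group Policy setting "Require additional
#    authentication at startup" with "Require startup PIN with TPM".
#    Assumption: these FVE policy values mirror the GPO; Intune/GPO-managed
#    hosts should get the same setting from management instead.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fveKey)) { New-Item -Path $fveKey -Force | Out-Null }
Set-ItemProperty -Path $fveKey -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fveKey -Name UseTPMPIN -Value 1 -Type DWord   # 1 = require

# 3. Replace a TPM-only protector with TPM+PIN on an already encrypted volume.
$vol = Get-BitLockerVolume -MountPoint $osVolume
$tpmOnly = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })
$hasTpmPin = ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }) -ne $null

if ($tpmOnly.Count -gt 0 -and -not $hasTpmPin) {
    $pin = Read-Host -AsSecureString 'Enter the new pre-boot PIN'
    # Add the TPM+PIN protector first so the volume is never left without a TPM-bound protector.
    Add-BitLockerKeyProtector -MountPoint $osVolume -TpmAndPinProtector -Pin $pin | Out-Null
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $osVolume -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# 4. Verify: expect a TpmPin protector and no bare Tpm protector on the OS volume.
(Get-BitLockerVolume -MountPoint $osVolume).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId |
    Format-Table -AutoSize
```

Keep a recovery password protector on the volume before removing the TPM-only protector, and confirm the PIN prompt appears on the next reboot; if the add step fails with a policy error, the UseTPMPIN policy was not picked up and the host will still boot with TPM-only unlock.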




