// Alert

Microsoft 365 threat report

Microsoft has disclosed CVE-2026-45585, a BitLocker security feature bypass nicknamed YellowKey that affects Windows 11, Windows Server 2022 and Windows Server 2025. The flaw resides in the Windows Recovery Environment, where a malicious autofstx.exe entry in the BootExecute registry value allows an attacker with physical access to circumvent BitLocker full-disk encryption without user credentials or recovery keys. A proof-of-concept exploit was published on May 19, 2026 by researcher Nightmare-Eclipse and has been independently confirmed to work, and Microsoft rates exploitation as more likely though no in-the-wild abuse has been reported. No official patch is available yet; Microsoft has issued manual mitigations involving removing the vulnerable entry from the mounted WinRE image and re-establishing BitLocker trust, or alternatively adding a TPM+PIN protector. Administrators of Windows 11 and Server 2022/2025 endpoints, especially mobile or easily-stolen devices, should apply the WinRE remediation and enforce TPM+PIN ahead of a formal fix.

// Get alerts for Microsoft 365