
YellowKey BitLocker Bypass CVE-2026-45585: A USB Drive Is All It Takes to Unlock Your Encrypted Data

A researcher's frustration with Microsoft's bug bounty process led to the public release of YellowKey — a BitLocker bypass that decrypts protected volumes with nothing more than a USB stick and a reboot. Here's what Saudi financial institutions need to do right now.

FyntraLink Team

Microsoft has issued emergency mitigation guidance for CVE-2026-45585, a zero-day BitLocker bypass dubbed "YellowKey" that was publicly disclosed last week by a researcher operating under the alias Nightmare Eclipse. The exploit requires nothing more than a USB drive and physical access — no credentials, no network, no TPM extraction — to unlock a fully encrypted Windows volume in under two minutes.

How YellowKey Defeats BitLocker Encryption

YellowKey targets a behavioral trust assumption buried deep in the Windows Recovery Environment (WinRE). When a machine boots into recovery mode, BitLocker temporarily unlocks the protected volume so that WinRE can perform repair operations. The exploit leverages specially crafted FsTx files — Transactional NTFS artifacts — stored on a USB drive to trigger a replay sequence that deletes winpeshl.ini, the configuration file that controls which shell or recovery process WinRE launches. With that file removed, the system drops into an unrestricted command prompt while the BitLocker-protected volume is already mounted and accessible.

The elegance of the attack is what makes it dangerous. There is no brute-forcing of recovery keys. There is no extraction of TPM secrets. The attacker simply reboots the target machine, forces it into recovery mode, and lets the Transactional NTFS replay do the rest. The proof-of-concept code is publicly available on GitHub, which means the barrier to exploitation is effectively zero for anyone with physical proximity to a target device.

Affected Systems and CVSS Assessment

CVE-2026-45585 carries a CVSS score of 6.8, reflecting the physical access requirement. Affected platforms include Windows 11 versions 24H2, 25H2, and 26H1 for x64-based systems, as well as Windows Server 2025 and Windows Server Core installations. Any device running these versions with BitLocker configured in the default TPM-only protector mode is vulnerable. Laptops, workstations in open-plan offices, devices in branch locations, and any hardware that travels between sites are at highest risk.

The researcher disclosed the vulnerability publicly after what they described as months of unresponsive handling through Microsoft's bug bounty program. Microsoft has not yet released a patch; instead, the company published a mitigation advisory recommending configuration changes to neutralize the attack vector.

Why This Matters for Saudi Financial Institutions

Full-disk encryption is a foundational control across every major compliance framework that governs Saudi financial services. SAMA's Cyber Security Framework (CSCC) mandates encryption of data at rest on endpoints, particularly for devices that handle customer financial data or connect to core banking systems. NCA's Essential Cybersecurity Controls (ECC) similarly require cryptographic protection of stored data on all information assets. The Personal Data Protection Law (PDPL) imposes obligations to protect personal data through appropriate technical measures, with encryption being the most commonly cited implementation.

YellowKey fundamentally undermines these controls for any institution relying on BitLocker with default TPM-only configuration. A stolen laptop from a branch office, a device intercepted during courier transit, or even brief unsupervised physical access during maintenance — any of these scenarios gives an attacker a clear path to the encrypted data. For institutions that have certified their compliance posture based on BitLocker deployment, this vulnerability creates an immediate gap between documented controls and actual protection.

Microsoft's Recommended Mitigations

In the absence of a patch, Microsoft recommends switching BitLocker from TPM-only mode to TPM+PIN mode. This requires users to enter a numeric PIN at every boot before the volume is decrypted, which means the volume stays locked even if an attacker manipulates the WinRE boot sequence. The configuration change can be enforced via Group Policy (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup) or through PowerShell using Add-BitLockerKeyProtector with the -TpmAndPinProtector parameter. In practice both are needed: the cmdlet will only create a startup PIN on a volume whose policy allows or requires one.
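The protector swap described above, written out as an added PowerShell example (this is not the advisory's, Microsoft's, or Fyntralink's code). It assumes the script runs elevated on a machine whose OS volume is already fully encrypted with an escrowed recovery password, and that the "Require additional authentication at startup" policy already allows or requires a PIN (under HKLM\SOFTWARE\Policies\Microsoft\FVE that is UseAdvancedStartup=1 and UseTPMPIN=1 or 2); the function name Convert-OsVolumeToTpmPin is our own.

```powershell
#Requires -RunAsAdministrator
# Added example: move the OS volume from a TPM-only protector to TPM+PIN.
# Not the advisory's or Microsoft's code. Assumptions: the volume is fully
# encrypted, a RecoveryPassword protector exists and has been backed up, and
# policy permits a startup PIN (otherwise Add-BitLockerKeyProtector refuses).

function Convert-OsVolumeToTpmPin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][SecureString]$Pin,
        [string]$MountPoint = $env:SystemDrive      # normally "C:"
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is $($vol.VolumeStatus); finish encryption before changing protectors."
    }

    # Never touch the boot-time protector without an escrowed fallback: a TPM
    # measurement change after this step would otherwise lock the device for good.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No RecoveryPassword protector on $MountPoint; add one and back it up first."
    }

    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Write-Verbose "$MountPoint has no TPM-only protector; nothing to change."
        return $vol.KeyProtector
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Replace TPM-only protector with TPM+PIN')) {
        # Add the new protector first so the volume is never left without a boot protector.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -ErrorAction Stop | Out-Null

        # Adding TPM+PIN normally replaces the TPM-only protector. If a plain Tpm
        # protector is still listed afterwards, remove it: it would keep auto-unlocking
        # the volume at boot and the PIN would buy nothing.
        Get-BitLockerVolume -MountPoint $MountPoint |
            Select-Object -ExpandProperty KeyProtector |
            Where-Object KeyProtectorType -eq 'Tpm' |
            ForEach-Object {
                Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
    }
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
}

# Usage (interactive, so the PIN never lands in a script file or shell history):
# $pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'
# Convert-OsVolumeToTpmPin -Pin $pin -WhatIf     # dry run
# Convert-OsVolumeToTpmPin -Pin $pin -Verbose
```

The order matters: the recovery-password check comes first because removing the only boot-time protector on a device with no escrowed recovery key turns a mitigation into a self-inflicted outage, and the TPM+PIN protector is added before the TPM-only one is removed so the volume is never left without any boot protector. Run with -WhatIf first; the function honours ShouldProcess.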

Microsoft also recommends updating the Windows Recovery Environment image to the latest version and restricting boot order via UEFI/BIOS settings to prevent USB-first boot sequences. However, boot order restrictions alone are insufficient — an attacker with physical access can often reset BIOS settings or use alternative boot methods.

Practical Remediation Steps for Security Teams

  1. Audit BitLocker protector types across the fleet. Run manage-bde -protectors -get C: on a representative sample or use SCCM/Intune compliance reports to identify every endpoint still using TPM-only mode. Prioritize devices assigned to executives, relationship managers, and anyone who handles regulated data outside secured premises.
  2. Enforce TPM+PIN via Group Policy or Intune. Deploy the policy change in waves, starting with the highest-risk device populations. Communicate the change to end users in advance — a mandatory boot PIN is a noticeable workflow change, and a lack of user awareness will generate helpdesk volume.
  3. Restrict USB boot at the firmware level. Configure UEFI Secure Boot policies to prevent booting from removable media. Set a BIOS/UEFI supervisor password on every managed device to prevent attackers from reverting the setting.
  4. Patch WinRE as soon as Microsoft releases a fix. WinRE updates are not always delivered through standard Windows Update channels. Confirm your patching toolchain covers WinRE image updates, and test the process before the patch drops.
  5. Harden physical access controls. Re-evaluate physical security for branch offices, data centers, and executive devices. Devices left in hotel rooms, conference halls, or shared workspaces are the primary attack surface for YellowKey.
  6. Update your risk register. Document CVE-2026-45585 as an active risk against your encryption controls. Map it to the relevant SAMA CSCC domains (Cryptography, Asset Management, Physical Security) and NCA ECC controls. Track remediation progress through your GRC platform.
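An added example covering steps 1 and 6 together (this is not the advisory's or Fyntralink's tooling): a fleet audit that pulls each endpoint's OS-volume protector types over PowerShell Remoting, classifies the volume's posture, and emits rows that can be filed against the risk-register entry. It assumes WinRM is enabled, the caller is a local administrator on every target, and host names come from your inventory; the function names, the posture labels, the inventory path, and the sample host names are all our own constructions.

```powershell
# Added example: classify each endpoint's OS-volume protector set and flag the
# ones still in TPM-only mode. Not from the advisory. Assumptions: PowerShell
# Remoting reachable, caller is admin on targets, inventory path is a placeholder.

function Get-ProtectorPosture {
    param([string[]]$ProtectorTypes)

    # A volume that still lists a plain 'Tpm' protector auto-unlocks at boot
    # whatever else is configured, which is exactly the condition YellowKey needs.
    if ('Tpm' -in $ProtectorTypes) { return 'TpmOnly-Exposed' }

    # Boot-time protectors that demand something the attacker does not have.
    $userFactor = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')
    if ($ProtectorTypes | Where-Object { $_ -in $userFactor }) { return 'Mitigated' }

    # Only recovery/external-key protectors: the device prompts for recovery on every
    # boot, usually a half-finished migration rather than a deliberate state.
    if ($ProtectorTypes) { return 'NoBootProtector-Review' }
    return 'Unprotected'
}

function Get-BitLockerFleetReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Collect raw protector types remotely; unreachable hosts log an error and are skipped.
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            VolumeStatus   = [string]$v.VolumeStatus
            ProtectorTypes = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        }
    } | ForEach-Object {
        # Classify locally and flatten for CSV / GRC import.
        [pscustomobject]@{
            Computer     = $_.Computer
            VolumeStatus = $_.VolumeStatus
            Protectors   = ($_.ProtectorTypes -join ';')
            Posture      = Get-ProtectorPosture -ProtectorTypes $_.ProtectorTypes
            RiskItem     = 'CVE-2026-45585 YellowKey'
        }
    }
}

# Usage against real hosts (inventory path is a placeholder):
# $hosts  = Get-Content 'C:\inventory\bitlocker-hosts.txt'
# $report = Get-BitLockerFleetReport -ComputerName $hosts
# $report | Where-Object Posture -eq 'TpmOnly-Exposed' |
#     Export-Csv .\tpm-only-exposed.csv -NoTypeInformation

# Constructed sample (fictional hosts) to exercise the classifier without remoting:
@{
    'LT-BR-0417'  = @('Tpm', 'RecoveryPassword')
    'LT-HQ-0092'  = @('TpmPin', 'RecoveryPassword')
    'WS-OPS-0003' = @('RecoveryPassword')
}.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Computer = $_.Key; Posture = Get-ProtectorPosture $_.Value }
}
```

The classifier is deliberately strict: the presence of a plain Tpm protector is enough to mark a device exposed, even if a TPM+PIN protector was also added, because the TPM-only protector is the one that releases the key without user input. The same function can be fed the output of manage-bde -protectors -get C: from an endpoint that cannot be reached over WinRM, once the protector type names are extracted.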

The Bigger Picture: Encryption Is Not a Checkbox

YellowKey is a reminder that encryption efficacy depends on implementation details, not just deployment status. An auditor checking whether BitLocker is enabled will see a compliant endpoint. An attacker with a USB drive will see an unlocked volume. The gap between these two perspectives is where real risk lives. Organizations that treat encryption as a compliance checkbox — enabled, documented, forgotten — are the ones most exposed when vulnerabilities like this surface.

This is also a case study in the consequences of vulnerability disclosure friction. The researcher released the exploit publicly because they felt the standard disclosure process had failed. Whether or not that decision was justified, the outcome is the same: a working exploit is in the wild with no patch available. Security teams cannot control how researchers choose to disclose, but they can control how quickly they respond when disclosure happens.

Conclusion

CVE-2026-45585 is not a remote code execution chain or a network-exploitable critical. Its CVSS score is moderate. But for any organization where a lost or stolen device represents a data breach — and in Saudi financial services, that is every organization — YellowKey demands immediate attention. The fix is straightforward: enforce TPM+PIN, restrict USB boot, and monitor for the eventual patch. The risk of inaction is a fully encrypted laptop that is not actually protected.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and endpoint security review to identify gaps like CVE-2026-45585 before they become incidents.
