Microsoft this week issued an interim mitigation for the "YellowKey" BitLocker bypass flaw. However, there may be plenty going on behind the scenes.
Earlier this month we reported on a recently disclosed Windows security vulnerability that can let attackers bypass BitLocker. It is tracked as CVE-2026-45585, and the researcher who found it released a proof-of-concept (PoC) exploit for it known as "YellowKey." Essentially, the vulnerability lets an attacker with a USB stick get around BitLocker through the WinRE (Windows Recovery Environment) with the help of an "FsTx" folder. You can read about it in some detail in our dedicated piece here.
Nightmare-Eclipse, who uncovered it, also recently published details on a new vulnerability called "MiniPlasma" that lets threat actors plant malicious Registry modifications.
Following the widespread reports on YellowKey, Microsoft this week acknowledged the flaw and published its own mitigation guidance for it. In its advisory, the tech giant shared a script that acts as an "interim security fix" to reduce the potential attack surface, and recommends it to those who are concerned about their devices and data being stolen, such as organisations' employees who take their work devices home or on business travel.
About the mitigation, Microsoft explains: "The script is for WinRE and removes autofstx.exe from the BootExecute registry value. Since BootExecute runs programs very early in boot (even in recovery mode), removing this entry prevents that executable from running in a high‑privilege environment, reducing risk. ... It works by mounting the WinRE image, editing its offline SYSTEM registry to remove the entry if present, then safely committing changes and re‑sealing WinRE so BitLocker trust remains intact. ... It’s designed to be safe—if the autofstx.exe entry isn’t there, it exits without making changes."
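For admins who want to confirm whether a given WinRE image still carries the autofstx.exe BootExecute entry before (or after) running Microsoft's script, here is an added read-only audit in PowerShell. It is not Microsoft's mitigation script and not from the original post; it assumes an elevated prompt with the DISM PowerShell module, and a path to a copy of the Winre.wim you want to inspect (the path and the temporary hive name are placeholders). It mounts the image read-only, copies the offline SYSTEM hive out so the image itself is never touched, and reports the BootExecute value rather than changing it.

```powershell
# Added audit example (not Microsoft's script): report whether a WinRE image's
# offline SYSTEM hive lists autofstx.exe in the BootExecute value.
# Assumes: elevated PowerShell, DISM module available, a copy of Winre.wim.
function Test-WinReBootExecute {
    param(
        [Parameter(Mandatory = $true)][string]$WinReWim,              # placeholder: path to Winre.wim
        [string]$MountDir = (Join-Path $env:TEMP 'winre_audit_mount'),
        [string]$HiveKey  = 'WinRE_SYSTEM_AUDIT'                      # temporary hive name (placeholder)
    )
    $ErrorActionPreference = 'Stop'
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

    # Read-only mount: the WIM and its WinRE seal are never modified by this audit.
    Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir -ReadOnly | Out-Null
    try {
        # Hive loads need a writable file (.LOG files are created), so work on a copy.
        $hiveCopy = Join-Path $env:TEMP 'winre_audit_SYSTEM'
        Copy-Item (Join-Path $MountDir 'Windows\System32\config\SYSTEM') $hiveCopy -Force

        & reg.exe load "HKLM\$HiveKey" $hiveCopy | Out-Null
        try {
            # Offline hives have no CurrentControlSet; resolve it via the Select key.
            $current = (Get-ItemProperty "HKLM:\$HiveKey\Select" -Name Default).Default
            $smKey   = "HKLM:\$HiveKey\ControlSet{0:D3}\Control\Session Manager" -f $current
            $boot    = (Get-ItemProperty $smKey -Name BootExecute -ErrorAction SilentlyContinue).BootExecute

            [pscustomobject]@{
                Image           = $WinReWim
                BootExecute     = @($boot)
                AutoFsTxPresent = [bool]($boot | Where-Object { $_ -match 'autofstx\.exe' })
            }
        } finally {
            [gc]::Collect()                      # drop lingering handles before unload
            & reg.exe unload "HKLM\$HiveKey" | Out-Null
            Remove-Item $hiveCopy, "$hiveCopy.LOG*" -Force -ErrorAction SilentlyContinue
        }
    } finally {
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}

# Usage (placeholder path):
# Test-WinReBootExecute -WinReWim 'C:\temp\Winre.wim'
```

Run it against a copy of the image before applying the mitigation to record the baseline, and again afterwards: `AutoFsTxPresent` should flip from true to false, while the rest of the `BootExecute` list (normally `autocheck autochk *`) should be unchanged. Because this is an audit only, the WinRE seal is not re-computed here; that step remains the job of Microsoft's script.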
While that is good news, Microsoft also seems quite annoyed at Nightmare-Eclipse, as it says that "the proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices."
The researcher, too, isn't happy about this response, as they said the following on their blog: "Dear Microsoft, Regarding CVE-2026-45585, ... Saying that I violated CVD best practices is a defamation of my personal reputation, you already told me you will be defaming me and doing it in public will not help dissolve this conflict. ... You intentionally revoked my access to my MSRC account that I used to report vulnerabilities to you, when I asked you, you went ahead and completely wiped the account from existence despite multiple attempts at asking for an explanation. All of those requests went unanswered by the MSRC leadership. ... I'm taking your statement very personally."
Nightmare-Eclipse has therefore essentially put the blame back on Microsoft, alleging that the company was at fault from the start. It will be interesting to see how things go from here.
Hope you enjoyed this news post. Feedback welcome.
Posted Saturday 23 May 2026 at 8:17 am AEST (my time).
News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700