
YellowKey — BitLocker Bypass via WinRE autofstx.exe (CVE-2026-45585)

by Ashraf Zaryouh (0xBlackash) · 2026-06-26

CVSS: 6.1/10
Severity: Medium
CVE: CVE-2026-45585
Category: misc
Affected product: Windows BitLocker / WinRE (autofstx.exe)
Affected versions: Windows 11 (all builds), Windows Server 2022/2025; Windows 10 not affected
Disclosed: 2026-06-26
Patch status: patched

Metadata

Field                 Value
Date Added            2026-06-26
Last Updated          2026-05-31
Author / Researcher   Ashraf Zaryouh (0xBlackash)
CVE / Advisory        CVE-2026-45585
Category              misc
Severity              Medium
CVSS Score            6.1 (estimated CVSSv3, AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Status                Researched
Tags                  BitLocker, bypass, physical-access, WinRE, TPM, autofstx, NTFS-transactions, FsTx, Windows-11, Windows-Server-2022, zero-day, full-disk-access
Related               N/A

Affected Target

Field                     Value
Software / System         Windows BitLocker / WinRE (autofstx.exe)
Versions Affected         Windows 11 (all builds), Windows Server 2022/2025; Windows 10 not affected
Language / Platform       Windows (PowerShell for mitigation)
Authentication Required   No
Network Access Required   No (physical access only)

Summary

CVE-2026-45585 (YellowKey) is a zero-day physical-access vulnerability discovered in May 2026 that allows an attacker with physical access to a Windows 11 device to fully bypass BitLocker disk encryption without the PIN, password, or recovery key. The attacker boots the device into the Windows Recovery Environment (WinRE), uses a crafted USB containing NTFS transaction logs (FsTx), and exploits autofstx.exe registered in the BootExecute key to obtain an elevated command prompt. Since BitLocker is automatically unlocked by TPM during WinRE boot without requiring user authentication, the attacker gains full access to the encrypted drive. This repository contains a mitigation/hardening script; no weaponized exploit code is included.


Vulnerability Details

Root Cause

Windows 11’s WinRE environment boots with TPM-based automatic BitLocker unlock (no PIN prompt by default) and executes binaries registered in HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute. The autofstx.exe binary, when present in that key, can be abused via a crafted NTFS filesystem transaction log (FsTx) supplied from an attacker-controlled USB to trigger an elevated command prompt within WinRE — before any user authentication occurs.

Attack Vector

  1. Attacker obtains physical access to a target Windows 11 device.
  2. Boots the device into WinRE (Windows Recovery Environment) using the USB or boot menu.
  3. Supplies a crafted USB with NTFS transaction logs (FsTx) targeting autofstx.exe.
  4. autofstx.exe is triggered via the BootExecute registry key, yielding an elevated command prompt.
  5. TPM has already auto-unlocked BitLocker for the WinRE session — full filesystem access obtained without any credential.

Impact

Complete BitLocker bypass with full read/write access to the encrypted drive. An attacker can exfiltrate data, plant malware, or modify system files on any unattended Windows 11 device without knowing the PIN, password, or recovery key.


Environment / Lab Setup

Target:   Windows 11 device with BitLocker enabled (TPM-only protector)
Attacker: Physical access, USB drive with crafted FsTx payload
Tools:    WinRE boot, autofstx.exe exploit chain (not published in this repo)

Proof of Concept

No weaponized exploit code is published in the source repository. The attack chain has been documented by the researcher, and the mitigation script addresses each component of that chain (BootExecute + autofstx.exe + WinRE TPM auto-unlock).

Mitigation / Detection Script

See Mitigate-YellowKey.ps1 in this folder. Run as Administrator on Windows 11.

# Full mitigation: remove autofstx.exe from the WinRE BootExecute key and add a TPM+PIN protector
.\Mitigate-YellowKey.ps1

# WinRE fix only (leave BitLocker protectors unchanged)
.\Mitigate-YellowKey.ps1 -SkipTPMPIN

# TPM+PIN only, on a single drive
.\Mitigate-YellowKey.ps1 -Drive "C:" -SkipWinRE

Expected Output (post-mitigation)

YellowKey Mitigation Tool (CVE-2026-45585)
========================================
[1/2] Applying WinRE Mitigation (remove autofstx.exe)...
[+] autofstx.exe removed from BootExecute.
[2/2] Enforcing TPM+PIN on BitLocker drives...
[+] PIN protector added to C:
[✓] Mitigation complete. Reboot required.

Detection & Indicators of Compromise

# BootExecute of the running system (REG_MULTI_SZ); any entry matching "autofstx" is a finding
$be = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager").BootExecute
$be | Where-Object { $_ -match "autofstx" }

# Key protectors on the system drive: a lone "TPM" protector means auto-unlock with no PIN
manage-bde -protectors -get C:

# WinRE status and image location
reagentc /info

Signs of compromise:

  • Unexpected access to encrypted files without credentials
  • WinRE boot entries in logs not initiated by the owner
  • autofstx.exe present in BootExecute on systems where it should not be
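The commands above each check one indicator on the running system. The following script is an added, read-only audit that is not part of the 0xBlackash repository: it folds the live BootExecute check, an optional check of the offline WinRE SYSTEM hive (the key Mitigate-YellowKey.ps1 edits, ControlSet001 inside the mounted WinRE.wim), the BitLocker protector types, and the Secure Boot state into one pass and reports findings. The script name Test-YellowKeyExposure.ps1 and the scratch mount path are assumptions; nothing is written to BootExecute, to BitLocker, or to the WinRE image.

```powershell
#Requires -RunAsAdministrator
# Test-YellowKeyExposure.ps1 (hypothetical name; added audit example, not part of the
# 0xBlackash repository). Read-only: reports the conditions the advisory combines
# without changing BootExecute, BitLocker protectors or the WinRE image.
param(
    [switch]$IncludeWinRE,                                 # also inspect the offline WinRE SYSTEM hive
    [string]$MountPath = "$env:SystemDrive\WinRE_Audit"    # assumed scratch mount point for WinRE.wim
)

$findings = New-Object 'System.Collections.Generic.List[string]'

function Test-BootExecuteForAutofstx {
    # BootExecute is REG_MULTI_SZ; each entry is "<image> [args]" (e.g. "autocheck autochk *").
    # Returns $true when any entry names autofstx.
    param([string]$SessionManagerKey)
    $prop = Get-ItemProperty -Path $SessionManagerKey -Name BootExecute -ErrorAction SilentlyContinue
    if (-not $prop) { return $false }
    foreach ($entry in @($prop.BootExecute)) {
        if ($entry -match '\bautofstx(\.exe)?\b') { return $true }
    }
    return $false
}

# 1a. Live SYSTEM hive (the advisory's one-liner, as a function)
$liveKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
if (Test-BootExecuteForAutofstx $liveKey) {
    $findings.Add("autofstx referenced in BootExecute of the running system ($liveKey)")
}

# 1b. Offline WinRE hive: the key the mitigation script edits (ControlSet001 inside WinRE.wim).
#     The image is unmounted with /discard, so nothing in it is modified.
if ($IncludeWinRE) {
    $hiveName = 'WinRE_Audit'; $mounted = $false; $loaded = $false
    try {
        New-Item -Path $MountPath -ItemType Directory -Force | Out-Null
        reagentc /mountre /path $MountPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre exited with $LASTEXITCODE (is WinRE enabled?)" }
        $mounted = $true
        reg load "HKLM\$hiveName" "$MountPath\Windows\System32\config\SYSTEM" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load exited with $LASTEXITCODE" }
        $loaded = $true
        if (Test-BootExecuteForAutofstx "HKLM:\$hiveName\ControlSet001\Control\Session Manager") {
            $findings.Add('autofstx referenced in BootExecute of the WinRE image (offline SYSTEM hive)')
        }
    } catch {
        $findings.Add("WinRE hive could not be inspected: $($_.Exception.Message)")
    } finally {
        # Release handles before unloading, otherwise reg unload reports the hive as in use
        if ($loaded)  { [GC]::Collect(); [GC]::WaitForPendingFinalizers(); reg unload "HKLM\$hiveName" | Out-Null }
        if ($mounted) { reagentc /unmountre /path $MountPath /discard | Out-Null }
    }
}

# 2. BitLocker protectors: a lone "Tpm" protector is the auto-unlock-without-PIN condition
foreach ($vol in Get-BitLockerVolume) {
    if ("$($vol.ProtectionStatus)" -ne 'On') { continue }
    $types   = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $tpmOnly = $types -contains 'Tpm'
    $tpmPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if ($tpmOnly -and -not $tpmPin) {
        $findings.Add("$($vol.MountPoint) unlocks with TPM only, no PIN (protectors: $($types -join ', '))")
    }
}

# 3. Secure Boot, one of the advisory's physical-hardening items
try {
    if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) { $findings.Add('Secure Boot is disabled') }
} catch {
    # Legacy BIOS boot or no access to UEFI variables
    $findings.Add("Secure Boot state unavailable: $($_.Exception.Message)")
}

# Report; the exit code equals the number of findings so a scheduled check can act on it
if ($findings.Count -eq 0) {
    Write-Host '[+] No YellowKey exposure indicators found.' -ForegroundColor Green
} else {
    Write-Host "[!] $($findings.Count) indicator(s) found:" -ForegroundColor Yellow
    foreach ($f in $findings) { Write-Host "    - $f" }
}
exit $findings.Count
```

Run it from an elevated PowerShell before and after applying Mitigate-YellowKey.ps1; with -IncludeWinRE it needs WinRE to be enabled (reagentc /info), since reagentc /mountre fails otherwise, and that failure is reported as a finding rather than aborting the rest of the audit.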

Remediation

Action               Detail
Primary fix          Remove autofstx.exe from WinRE BootExecute registry key (see Mitigate-YellowKey.ps1 -SkipTPMPIN)
Secondary fix        Add TPM+PIN protector to all BitLocker-protected drives (see Mitigate-YellowKey.ps1 -SkipWinRE)
Physical hardening   Enable Secure Boot; restrict physical access; set BIOS/UEFI password; disable USB boot
Patch                Apply Microsoft security update for CVE-2026-45585 when released
Verify               manage-bde -status and reagentc /info to confirm mitigation applied

Notes

Auto-ingested from https://github.com/0xBlackash/CVE-2026-45585 on 2026-06-26. Ingested via issue #121.

No weaponized exploit code is published. The repository contains only the mitigation script (Mitigate-YellowKey.ps1). The attack chain description is based on the researcher’s README documentation. Status set to Researched accordingly.

CVSS score is an estimate based on the documented attack vector (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N = 6.1); official MSRC score may differ.

Mitigate-YellowKey.ps1
#Requires -RunAsAdministrator
# =============================================
# YellowKey Mitigation Script (CVE-2026-45585)
# Combines WinRE fix + TPM+PIN enforcement
# Author : Ashraf Zaryouh / @0xBlackash
# =============================================

param(
    [string]$Drive = "",          # Optional: e.g. "C:"
    [switch]$SkipWinRE = $false,  # Use if you only want TPM+PIN
    [switch]$SkipTPMPIN = $false  # Use if you only want WinRE fix
)

$ErrorActionPreference = "Stop"
$Host.UI.RawUI.WindowTitle = "YellowKey Mitigation Tool"

Write-Host "YellowKey Mitigation Tool (CVE-2026-45585)" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan

# --- Windows Version Check ---
# Affected per advisory: Windows 11 (build >= 22000) and Windows Server 2022/2025.
# Windows Server 2022 is build 20348, so a bare "build < 22000" test would wrongly
# exempt it; ProductType 1 = workstation, 2 = domain controller, 3 = server.
$build = [System.Environment]::OSVersion.Version.Build
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
if (($isServer -and $build -lt 20348) -or (-not $isServer -and $build -lt 22000)) {
    Write-Host "Windows 10 / older Windows Server detected — not affected by YellowKey." -ForegroundColor Green
    exit 0
}

# ======================
# 1. WinRE Mitigation (Primary Fix)
# ======================
if (-not $SkipWinRE) {
    Write-Host "`n[1/2] Applying WinRE Mitigation (remove autofstx.exe)..." -ForegroundColor Yellow

    $MountPath  = "C:\WinRE_Mount"
    $mounted    = $false   # set once reagentc /mountre succeeds (used for cleanup on failure)
    $hiveLoaded = $false   # set once reg load succeeds

    try {
        # Create mount directory if needed
        if (-not (Test-Path $MountPath)) {
            New-Item -Path $MountPath -ItemType Directory -Force | Out-Null
        }

        # Disable and re-enable WinRE to get clean state
        reagentc /disable | Out-Null
        reagentc /enable | Out-Null

        # Mount WinRE. For the running OS no /target is needed (/target points at an
        # offline Windows folder). Native commands do not throw under
        # $ErrorActionPreference = "Stop", so the exit code is checked explicitly.
        Write-Host "Mounting WinRE image..." -ForegroundColor Gray
        reagentc /mountre /path $MountPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed (exit code $LASTEXITCODE)" }
        $mounted = $true

        # Load the WinRE image's offline SYSTEM hive
        $HivePath = "$MountPath\Windows\System32\config\SYSTEM"
        reg load HKLM\WinRE_Hive $HivePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }
        $hiveLoaded = $true

        # Modify BootExecute
        $keyPath = "HKLM:\WinRE_Hive\ControlSet001\Control\Session Manager"
        $value = Get-ItemProperty -Path $keyPath -Name "BootExecute" -ErrorAction SilentlyContinue

        if ($value) {
            # BootExecute is REG_MULTI_SZ; wrap in @() so a single remaining entry
            # (or none) still has a usable .Count and is written back as a string array
            $bootExecute    = @($value.BootExecute)
            $newBootExecute = @($bootExecute | Where-Object { $_ -notlike "*autofstx.exe*" })

            if ($newBootExecute.Count -ne $bootExecute.Count) {
                Set-ItemProperty -Path $keyPath -Name "BootExecute" -Value ([string[]]$newBootExecute) -Type MultiString -Force
                Write-Host "Successfully removed autofstx.exe from BootExecute" -ForegroundColor Green
            } else {
                Write-Host "autofstx.exe was not present — already mitigated" -ForegroundColor Green
            }
        }

        # Unload hive (release handles first, otherwise reg unload reports the hive as in use)
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        reg unload HKLM\WinRE_Hive | Out-Null
        $hiveLoaded = $false

        # Commit changes (reagentc /unmountre requires /path)
        reagentc /unmountre /path $MountPath /commit | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reagentc /unmountre failed (exit code $LASTEXITCODE)" }
        $mounted = $false
        Write-Host "WinRE mitigation applied successfully." -ForegroundColor Green

    } catch {
        Write-Host "WinRE mitigation failed: $($_.Exception.Message)" -ForegroundColor Red
        Write-Host "You may need to run this manually or check WinRE status." -ForegroundColor Yellow
        # Best-effort cleanup so a failed run does not leave the hive loaded or the image mounted
        if ($hiveLoaded) { [GC]::Collect(); [GC]::WaitForPendingFinalizers(); reg unload HKLM\WinRE_Hive | Out-Null }
        if ($mounted)    { reagentc /unmountre /path $MountPath /discard | Out-Null }
    }
}

# ======================
# 2. TPM + PIN Mitigation
# ======================
if (-not $SkipTPMPIN) {
    Write-Host "`n[2/2] Applying TPM+PIN BitLocker Protection..." -ForegroundColor Yellow

    # Set Group Policy keys
    $fvePath = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    if (-not (Test-Path $fvePath)) { New-Item -Path $fvePath -Force | Out-Null }

    Set-ItemProperty -Path $fvePath -Name "UseAdvancedStartup" -Value 1 -Type DWord -Force
    Set-ItemProperty -Path $fvePath -Name "UseTPMPIN" -Value 2 -Type DWord -Force
    Set-ItemProperty -Path $fvePath -Name "UseTPM" -Value 2 -Type DWord -Force
    Set-ItemProperty -Path $fvePath -Name "UseEnhancedPin" -Value 1 -Type DWord -Force

    gpupdate /force | Out-Null

    # Process drives ("C:" and "C" both accepted; normalised to the "C:" form Get-BitLockerVolume expects)
    if ($Drive) {
        $volumes = Get-BitLockerVolume -MountPoint ($Drive.TrimEnd(':') + ':') -ErrorAction SilentlyContinue
    } else {
        $volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq "On" }
    }

    foreach ($vol in $volumes) {
        $mp = $vol.MountPoint
        Write-Host "`nProcessing drive: $mp" -ForegroundColor White

        $hasTPM = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -match "Tpm" }
        if (-not $hasTPM) {
            Write-Host "  No TPM protector found. Skipping." -ForegroundColor Yellow
            continue
        }

        $hasTPMPIN = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "TpmPin" }
        if ($hasTPMPIN) {
            Write-Host "  Already has TPM+PIN protector." -ForegroundColor Green
            continue
        }

        Write-Host "  Adding TPM+PIN protector..." -ForegroundColor Cyan
        try {
            # manage-bde prompts for the PIN interactively; as a native command it does not
            # throw on failure, so the exit code is checked explicitly
            manage-bde -protectors -add $mp -TPMAndPIN
            if ($LASTEXITCODE -ne 0) { throw "manage-bde exited with code $LASTEXITCODE" }
            Write-Host "  TPM+PIN added successfully!" -ForegroundColor Green

            # Optional: Remove old TPM-only
            $tpmOnly = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "Tpm" }
            if ($tpmOnly) {
                $confirm = Read-Host "  Remove old TPM-only protector? (y/N)"
                if ($confirm -eq 'y') {
                    manage-bde -protectors -delete $mp -id $tpmOnly.KeyProtectorId
                    Write-Host "  TPM-only protector removed." -ForegroundColor Green
                }
            }
        } catch {
            Write-Host "  Failed to add TPM+PIN: $($_.Exception.Message)" -ForegroundColor Red
        }
    }
}

Write-Host "`nMitigation process completed!" -ForegroundColor Green
Write-Host "Recommended: Reboot and test BitLocker + Recovery Environment." -ForegroundColor Gray