ZeroDay Brief - This article is part of a series. Part 7: This Article

# CVE-2026-45585 — BitLocker Bypassed by a USB Stick

You turn on BitLocker. Your drive is encrypted. Nobody can touch your data without your password. That’s the promise.

Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) showed up with a USB drive, rebooted a BitLocker-protected machine into Windows Recovery, held CTRL, and got a SYSTEM shell with full access to the encrypted volume. No password. No TPM bypass. No exploit code. Just a maintenance request the OS processed exactly as designed.

## The Vulnerability

YellowKey exploits the Windows Recovery Environment’s Transactional NTFS replay mechanism. The attacker places crafted FsTx recovery log files on a USB drive, plugs it into the target, and reboots into WinRE. When CTRL is held during boot, WinRE’s autofstx.exe faithfully replays the FsTx logs — one of which deletes winpeshl.ini, the file that tells WinRE to show the recovery UI. Without it, instead of a recovery menu, you get a SYSTEM command shell with the BitLocker volume fully mounted and readable.

No encryption was cracked. The encryption is intact. The keys are intact. The TPM is intact. The OS voluntarily unlocked the drive because it believed it was performing legitimate recovery operations. This isn’t a code bug — it’s an architectural tension in every full-disk encryption system: recovery requires access, and access requires decryption.

## Why It Matters

BitLocker with a TPM-only protector was the default because it’s invisible to the user. But the TPM measures boot integrity, not user identity. Physical access means you ARE the legitimate boot process. YellowKey made this tradeoff embarrassingly concrete.

Microsoft released mitigations on May 20. The fix is switching from TPM-only to TPM+PIN — a secret the attacker doesn’t have.

But the structural question remains: how many recovery paths in our infrastructure are just skeleton keys waiting for someone to learn the language?

Affected: Windows 11 24H2, 25H2, 26H1, Windows Server 2025.

Part of the ZeroDay Brief series — cyber intelligence for the professional who patches before the news breaks.
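The TPM+PIN mitigation above, as an added audit script that is not from the article or from Microsoft: it lists each BitLocker OS volume's protectors, flags the TPM-only ones, and with -Remediate replaces a TPM-only protector with TPM+PIN. It assumes the built-in BitLocker PowerShell module; the FVE policy registry values and the protector-replacement order are assumptions not stated in the article.

```powershell
# Added example (not the article's or Microsoft's code). Run elevated.
# Audits BitLocker OS volumes for a TPM-only protector (the configuration the
# brief names as the problem) and optionally moves them to TPM+PIN.
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Assumed policy location/values: under HKLM\SOFTWARE\Policies\Microsoft\FVE,
# UseTPMPIN 1 = Require startup PIN, 2 = Allow startup PIN (set via GPO
# "Require additional authentication at startup", which also sets UseAdvancedStartup=1).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $policy -or $policy.UseTPMPIN -notin 1, 2) {
    Write-Warning "Policy does not allow a TPM startup PIN; configure UseAdvancedStartup=1 and UseTPMPIN=1 (Require) first."
}

$osVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
foreach ($vol in $osVolumes) {
    $types       = $vol.KeyProtector.KeyProtectorType
    $tpmOnly     = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    $hasRecovery = 'RecoveryPassword' -in $types

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Status     = $vol.ProtectionStatus
        Protectors = ($types -join ',')
        TpmOnly    = [bool]$tpmOnly
        Finding    = if ($tpmOnly) { 'TPM-only: unlocks for any boot path, no user secret' } else { 'OK' }
    } | Format-List

    if ($Remediate -and $tpmOnly) {
        if (-not $hasRecovery) {
            # Never change protectors on a volume that cannot be recovered if the change fails.
            Write-Warning "$($vol.MountPoint): add and back up a recovery password before changing protectors."
            continue
        }
        $pin = Read-Host -AsSecureString "Startup PIN for $($vol.MountPoint)"
        # Assumed order: remove the TPM-only protector first so two TPM-based protectors never
        # coexist; the recovery password keeps the volume recoverable in between.
        Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $tpmOnly.KeyProtectorId | Out-Null
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
        Write-Host "$($vol.MountPoint): switched to TPM+PIN; the PIN is required at next boot."
    }
}
```

Run it without -Remediate first across the fleet to size the exposure; the remediation branch is interactive because the PIN has to come from the user of that machine.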
The vulnerability CVE-2026-45585 (CVSS 6.8) is a BitLocker bypass where an attacker with physical access can boot a target machine into the Windows Recovery Environment (WinRE) with a crafted USB drive containing malicious FsTx log files; when replayed, these logs cause WinRE to drop to a SYSTEM command shell with the encrypted BitLocker volume fully mounted and accessible. Affected versions include Windows 11 24H2, 25H2, 26H1, and Windows Server 2025. Microsoft has released mitigations as of May 20, and the primary workaround is to switch from TPM-only authentication to TPM+PIN protection.