Microsoft is working on a patch for ‘YellowKey’ attack on Bitlocker, offers temporary fix

Microsoft says it is considering a patch for a zero-day vulnerability, dubbed YellowKey, that allows attackers with access to a Windows device to bypass Bitlocker encryption protection and read and write files. The flaw was disclosed last week, and there is already a public proof of concept available.

The company issued an advisory Tuesday saying that companies should act to mitigate the issue, tracked as CVE-2026-45585, while it examines the possibility of a patch. In its advisory, it provided the immediate steps that companies should take. A key defense against possible attack is to limit access to vulnerable devices, as physical access is required for exploit.

“Organizations should start by auditing their environment for the conditions that exist that leave them vulnerable to YellowKey,” said Eric Grenier, senior director analyst at Gartner. “They should also have a clear understanding of their risk acceptance in the case of a lost/stolen device and, based on that acceptance (or non-acceptance), follow the steps such as customizing Secure Boot and ensuring firmware and Boot integrity.” .

 Karl Fosaaen, VP of research at cybersecurity company NetSPI, agreed. “Since this vulnerability requires physical access to exploit, organizations should be focusing on the physical security controls around their Windows devices,” he said. “Having strong policies and controls around physical access to devices is a good first step in helping protect the potentially vulnerable devices. If there are additional concerns about attackers being able to gain access to files on the system, organizations can look at limiting the data that they allow users to store locally.”

One of the issues facing companies is the proliferation of employees using mobile devices, which makes it harder for organizations to restrict access to them. “You’re increasingly seeing companies with corporate data on their laptops, and YellowKey can leave that data unlocked,” said Nathan Davies-Webb, principal consultant at UK-based security company Acumen. This is where tight device security policies come into play, such as prohibiting users from leaving devices unattended.

However, said Fosaaen, what makes detection of an attack particularly difficult for the individual user is that it is not immediately apparent that a device has been targeted. “If an attacker used the exploit to read files from the encrypted volume, there likely wouldn’t be any indicators to a user. If the attacker implanted malicious software, you might see increased system utilization, or other performance issues,” he noted.

To make things worse, it is also possible that Microsoft’s mitigation guidance may not be effective. In a post on a security site, researcher Will Dormann pointed out that there could be a way to override the company’s proposed solution. That being the case, IT managers will certainly be watching for a patch from Microsoft.

While Microsoft has announced that it is looking into such a patch, Davies-Webb doesn’t think a solution will be straightforward. “I would heavily speculate that this is something that is there by design,” he said. “Microsoft would be thinking ‘If I stop this happening, what would I be taking away?’ I strongly suspect that there is some functionality in Windows, maybe something in manufacturing, that could be affected by any patch.”

“Besides,” he added, “It could take some time for a patch to be released. The RedSun vulnerability [in Windows Defender] was identified last month and still hasn’t been patched.”