Back to Intelligence

CVE-2026-45585: YellowKey BitLocker Bypass — Mitigation, Detection, and Hardening Guide

SA
Security Arsenal Team
May 20, 2026
6 min read

Introduction

Microsoft has released a critical mitigation for CVE-2026-45585, publicly dubbed "YellowKey." This is a security feature bypass vulnerability affecting BitLocker, Windows' full-disk encryption solution. With a CVSS score of 6.8, this flaw allows an attacker with physical access to circumvent encryption protections, potentially exposing sensitive data on lost, stolen, or improperly decommissioned devices.

While Microsoft has labeled this a "bypass" rather than a direct cryptographic break, the operational risk is severe: an attacker can decrypt the drive without knowing the user's PIN or password. For defenders, this is not a theoretical risk—it requires immediate validation of the mitigation state and an audit of endpoint hardening controls.

Technical Analysis

  • CVE Identifier: CVE-2026-45585
  • Vulnerability Type: Security Feature Bypass
  • Affected Component: Windows BitLocker Drive Encryption
  • CVSS Score: 6.8 (Medium)
  • Affected Platforms: Windows 10, Windows 11, Windows Server (versions supporting BitLocker)

The Vulnerability Mechanism

The "YellowKey" vulnerability exploits a logic flaw in how BitLocker validates the integrity of the boot path or the Trusted Platform Module (TPM) authorization. Specifically, the flaw allows an attacker to manipulate the system state—likely via a direct memory access (DMA) attack or a pre-boot manipulation—to present a "valid" key to the system that does not actually belong to the current volume protector.

This bypass effectively neutralizes the assurance provided by the TPM. If an attacker gains physical access (e.g., "Evil Maid" attack scenario), they can utilize this flaw to decrypt the volume, rendering the encryption moot.

Exploitation Status

The vulnerability was publicly disclosed last week. Proof-of-concept (PoC) code is circulating in security research communities. While widespread in-the-wild exploitation has not been confirmed at the time of writing, the low barrier to entry for physical access attacks means the window to remediate is closing rapidly.

Detection & Response

Detecting a physical BitLocker bypass attempt is challenging because the attack occurs offline or at the firmware level before the OS fully loads. Therefore, detection must focus on auditing the configuration state (compliance) and identifying preparatory actions or tooling often used in conjunction with such bypasses.

The following rules hunt for suspicious manipulation of BitLocker protectors and the use of common forensic tools that might leverage this vulnerability.

YAML
---
title: Potential BitLocker Manipulation via Manage-BDE
id: 8a4b2c1d-9e3f-4a5b-8c7d-1e2f3a4b5c6d
status: experimental
description: Detects attempts to modify BitLocker protectors or suspend protection, often a precursor to key extraction or in preparation for physical attacks.
references:
  - https://support.microsoft.com/en-us/topic/k5030000
author: Security Arsenal
date: 2026/05/13
tags:
  - attack.impact
  - attack.t1566.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\manage-bde.exe'
    CommandLine|contains:
      - '-off'
      - '-pause'
      - '-protectors -delete'
      - '-forcerecovery'
  condition: selection
falsepositives:
  - Legitimate IT maintenance tasks (rare in production environments)
level: high
---
title: Suspicious Memory Dumping Tool Execution
id: 9c5d3e2f-1a4b-4c6d-9e8f-2a3b4c5d6e7f
status: experimental
description: Detects execution of known tools often used to extract keys or manipulate memory for BitLocker bypasses (e.g., DMA attack tooling or forensic utilities).
references:
  - https://attack.mitre.org/techniques/T1003/
author: Security Arsenal
date: 2026/05/13
tags:
  - attack.credential_access
  - attack.t1003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\rawcopy.exe'
      - '\ftkImager.exe'
      - '\winpmem.exe'
      - '\dd.exe'
  filter:
    CommandLine|contains: ' legit_backup_path'
  condition: selection and not filter
falsepositives:
  - Authorized forensic imaging by IT staff
level: medium


**KQL (Microsoft Sentinel / Defender)**

Use this query to hunt for suspicious BitLocker configuration changes and recovery mode triggers across your estate.

KQL — Microsoft Sentinel / Defender
// Hunt for BitLocker manipulation and Recovery Mode triggers
let SuspiciousProcesses = dynamic(["rawcopy.exe", "ftkImager.exe", "winpmem.exe", "dd.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "manage-bde.exe" and CommandLine has_any("-off", "-pause", "-protectors -delete"))
   or (FileName in~ SuspiciousProcesses)
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, CommandLine, FolderPath
| extend FullPath = FolderPath + FileName
| order by Timestamp desc


**Velociraptor VQL**

This VQL artifact collects the BitLocker status and checks for the presence of the mitigation flags on the endpoint.

VQL — Velociraptor
-- Check BitLocker status and configuration for YellowKey mitigation readiness
SELECT
  OSPath,
  Data as ProtectionStatus
FROM glob(globs="C:\Windows\System32\manage-bde.exe")

-- Execute manage-bde to get status
LET BitLockerStatus <= SELECT * FROM execve(argv=["C:\Windows\Windows\System32\manage-bde.exe", "-status", "C:"])

SELECT parse_string(data=Stdout, regex='Conversion Status\s*:\s*(?P<Status>.*)').Status as Status,
       parse_string(data=Stdout, regex='Encryption Method\s*:\s*(?P<Method>.*)").Method as Method,
       parse_string(data=Stdout, regex='Protection Status\s*:\s*(?P<Protection>.*)").Protection as Protection
FROM BitLockerStatus


**Remediation Script (PowerShell)**

While Microsoft releases a specific mitigation, the most effective immediate defensive action is to enforce ** TPM + PIN** protectors and verify Secure Boot status. This script audits and hardens the configuration.

PowerShell
<#
.SYNOPSIS
    Audit and Harden BitLocker against CVE-2026-45585 (YellowKey).
.DESCRIPTION
    Checks for TPM usage and enforces additional Startup Key protector requirement if missing.
    Applies Microsoft recommended hardening for physical attack vectors.
#>

Write-Host "[+] Starting CVE-2026-45585 Mitigation Audit..." -ForegroundColor Cyan

# Check if BitLocker is on
$BDEStatus = manage-bde.exe -status C:
if ($BDEStatus -match "Conversion Status\s*:\s*Used for Boot Only" -or $BDEStatus -match "Conversion Status\s*:\s*Encryption in Progress") {
    Write-Host "[!] Drive is currently encrypting or in Used for Boot Only state. Run again later." -ForegroundColor Yellow
} elseif ($BDEStatus -notmatch "Conversion Status\s*:\s*Fully Encrypted") {
    Write-Host "[-] BitLocker is not active on C:" -ForegroundColor Red
} else {
    Write-Host "[+] BitLocker is Active." -ForegroundColor Green

    # Check for TPM and Startup PIN (Best practice defense against physical bypass)
    $HasTPM = $BDEStatus -match "TPM"
    $HasStartupPIN = $BDEStatus -match "Startup PIN"

    if (-not $HasTPM) {
        Write-Host "[-] WARNING: TPM protector not found. Drive is vulnerable." -ForegroundColor Red
    }

    if (-not $HasStartupPIN) {
        Write-Host "[!] WARNING: Startup PIN protector not found. Recommendation: Add Startup PIN." -ForegroundColor Yellow
        Write-Host "    Command to Add PIN (Requires user interaction): manage-bde.exe -protectors -add C: -TPMAndPIN" -ForegroundColor Gray
    } else {
        Write-Host "[+] TPM and Startup PIN detected. Mitigation posture is strong." -ForegroundColor Green
    }
}

Write-Host "[+] Script complete. Please review the output above."

Remediation

To address the "YellowKey" vulnerability effectively, follow these steps:

  1. Apply the Official Mitigation: Microsoft has released a specific mitigation script/configuration fix. Review the official security advisory (linked below) and apply the registry key or script provided to seal the logic flaw.
  2. Enforce TPM + PIN: The most robust defense against physical BitLocker bypasses is multi-factor authentication at boot. Ensure all corporate devices require a Startup PIN in addition to the TPM. This prevents the "YellowKey" exploit from functioning silently even if the TPM is bypassed.
  3. Verify Secure Boot: Ensure Secure Boot is enabled in the BIOS/UEFI settings. This prevents the loading of unauthorized bootloaders which are often required for DMA-based BitLocker attacks.
  4. Audit Physical Access: Remind users of the risks of physical access. An unattended laptop in a coffee shop or a hotel room is a high-risk scenario for CVE-2026-45585.

Vendor Advisory:

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiembitlockercve-2026-45585windows

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action