Daily brief 2026-05-20
CVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigation
Entities: Nightmare Eclipse
Part of run 2026-05-20-a0f7b07f (intel · Claude Opus 4.7)
UPDATE — originally covered Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed (2026-05-15)
UPDATE (originally covered 2026-05-15): Microsoft formally assigned CVE-2026-45585 to the BitLocker / WinRE bypass disclosed by "Nightmare Eclipse" on 2026-05-12 and confirmed there is still no security update. The MSRC update guide entry, published 2026-05-19, classifies it as CWE-77 (command injection in BitLocker / Windows Recovery Environment), CVSS 6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), with exploit-code maturity rated E:P (proof-of-concept) and remediation level RL:W (workaround only).
Microsoft's interim mitigation requires per-endpoint work on every device using TPM-only BitLocker (no PIN / password protector): mount the WinRE image, remove the autofstx.exe entry from the BootExecute registry value inside the WinRE image, commit the image, then re-establish BitLocker trust for WinRE. The MSRC FAQ states: "A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."
Practically: for fleets at scale (Swiss federal admin, cantonal endpoints, classified Windows devices), the more durable hardening is to add a BitLocker PIN or password protector rather than relying solely on TPM-only. The WinRE registry edit is fragile and breaks on Windows feature updates that re-stage the WinRE image; the PIN/password protector closes the exposure regardless of WinRE state.
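As an added example (not from the brief, MSRC or Microsoft): a PowerShell audit that flags an OS volume held by a bare TPM protector and, on request, converts it to TPM+PIN, the durable hardening described above. Function names are mine, and it assumes the BitLocker module, an elevated session, Group Policy that permits a startup PIN, and an already-escrowed recovery password.

```powershell
# Added example (not from the brief, Microsoft, or MSRC): audit the OS volume for a
# bare TPM protector and, on request, convert it to TPM+PIN. Assumes Windows with
# the BitLocker module, an elevated session, and policy permitting a startup PIN.
#Requires -RunAsAdministrator

function Test-TpmOnlyBitLocker {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # Any of these requires user input at boot, so the volume is not TPM-only.
    $interactive = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        ProtectorTypes      = $types
        TpmOnly             = ($types -contains 'Tpm') -and
                              -not ($types | Where-Object { $_ -in $interactive })
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
    }
}

function Add-TpmPinProtector {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )
    $state = Test-TpmOnlyBitLocker -MountPoint $MountPoint
    if (-not $state.TpmOnly) { Write-Verbose "$MountPoint is not TPM-only"; return $state }
    # Refuse to touch protectors until a recovery password exists to fall back on.
    if (-not $state.HasRecoveryPassword) {
        throw "No recovery password on $MountPoint; add and escrow one first."
    }
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Convert TPM-only protector to TPM+PIN')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
        # BitLocker normally replaces the bare TPM protector; remove it if one survived,
        # otherwise the volume would still unlock without the PIN.
        (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
            ForEach-Object {
                Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
    }
    Test-TpmOnlyBitLocker -MountPoint $MountPoint
}

# Usage (dry run first):
# $pin = Read-Host -AsSecureString 'New startup PIN'
# Add-TpmPinProtector -Pin $pin -WhatIf
# Add-TpmPinProtector -Pin $pin
```

Run `Test-TpmOnlyBitLocker` alone across the fleet (for example via remoting) to inventory exposure before changing any protectors.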
Action items
- Add BitLocker PIN / password protector to TPM-only-protected endpoints (CVE-2026-45585 / YellowKey). Microsoft's WinRE BootExecute registry mitigation is per-device and fragile under Windows feature updates that re-stage WinRE; the PIN/password protector closes the bypass regardless of WinRE state. Public PoC, no patch (MSRC CVE-2026-45585).