SecurityXP

Can Someone Please ELI5 - "YellowKey" (CVE-2026-45585) to me? (an IT admin that survived the Great Global CrowdStrike Outage of 24)

· 2 min read · SecurityXP Editorial Team

The YellowKey Vulnerability: A Serious Flaw in Windows PE

A security researcher has reported a zero-day vulnerability in the Windows Preinstallation Environment (Windows PE), dubbed YellowKey and tracked as CVE-2026-45585, that yields an administrative command prompt without the BitLocker recovery key. This is a big deal. The report covers Windows PE for Windows 10 and 11 and laptops running CrowdStrike versions 6.0 and later, and describes unauthorized reading and deletion of files on the affected machines.

Under the Hood of the YellowKey Vulnerability

Pressing a specific key combination during the firmware (BIOS/UEFI) phase of boot, and then picking the right entry in the WinPE menu, drops the attacker into an administrative command prompt. No BitLocker key or other authentication is required, which is what makes this a serious concern. The researcher found it by accident: they pressed the wrong keys, landed on the right menu, recognized what the prompt allowed, and reported it to their security team.

The vulnerability affects Windows PE users, especially those with CrowdStrike installed, and exploiting it takes nothing more than a key combination and a menu choice, so there are no complex prerequisites an organization can rely on as a barrier. One caveat when judging exposure: a WinPE prompt by itself cannot read a BitLocker-encrypted volume. Files on the OS volume are exposed only if that volume is unlocked in the environment the attacker reaches, which is what happens when a TPM-only protector releases the volume key to a recovery environment booted through the normal boot path, or if the data sits on an unencrypted partition. Either way, mitigation should not wait.

Fallout and Mitigations

The impact of the YellowKey vulnerability is significant: it allows unauthorized access to and deletion of files on laptops without any authentication. To mitigate it, organizations should enable BitLocker with a protector that requires pre-boot authentication (TPM+PIN rather than TPM only, so the volume key is not released to anyone who can reach a boot menu), enable UEFI Secure Boot and set a firmware password so boot order and settings cannot be changed at the keyboard, and run endpoint protection with current updates and settings. Limiting access to the WinPE menu, and making it require authentication, is also crucial.

Keep the recovery environment itself up to date: the on-disk WinRE image is serviced separately from the running operating system (through Safe OS dynamic updates), so a fully patched Windows installation can still carry an old recovery image. Any files an attacker dropped should be removed through trusted endpoint protection rather than by hand. Taken together, these measures reduce the risk of exploitation and protect affected systems. This is not a drill. The YellowKey vulnerability is a real threat, and organizations need to take it seriously.

Protecting Yourself from the YellowKey Vulnerability

Organizations should prioritize BitLocker with a TPM+PIN protector and UEFI Secure Boot to prevent exploitation during early boot. Running CrowdStrike or comparable endpoint protection with the latest updates and settings is also critical. Limiting access to the WinPE menu and keeping the recovery image current are essential steps.
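The checks behind the mitigations listed above (and in the Fallout and Mitigations section), as an added PowerShell example that is not part of the original article and is not Microsoft's or CrowdStrike's own tooling: it audits one laptop for the BitLocker protector type on the OS volume, the startup-authentication policy, Secure Boot state and WinRE status, and reports what is missing. It assumes an elevated session on UEFI firmware with the BitLocker module available (Windows 10/11 Pro or Enterprise). The `$findings` list, the message texts and the grouping of checks are this example's own; the registry values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are the registry mirror of the "Require additional authentication at startup" Group Policy setting.

```powershell
# Added example (not from the original article, Microsoft or CrowdStrike):
# audit one Windows 10/11 laptop for the boot-time controls the article lists.
# Assumes an elevated PowerShell session on UEFI firmware with the BitLocker
# module present. $findings and the message texts are this example's own.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. BitLocker on the OS volume. A TPM-only protector lets the measured boot
#    chain unlock the drive unattended, so a recovery prompt reached through the
#    normal boot path can see the decrypted volume. TPM+PIN or TPM+startup key
#    forces pre-boot authentication before the volume key is released.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVolume.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection is '$($osVolume.ProtectionStatus)' on $($osVolume.MountPoint)")
}
$types = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
$preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
if (-not ($types | Where-Object { $preBootTypes -contains $_ })) {
    $findings.Add("No pre-boot authentication protector on $($osVolume.MountPoint); protectors: $($types -join ', ')")
}
if ($types -notcontains 'RecoveryPassword') {
    $findings.Add("No recovery password protector; escrow a recovery key before adding TPM+PIN")
}

# 2. Policy: a TPM+PIN protector can only be added when 'Require additional
#    authentication at startup' is enabled and allows a PIN with the TPM
#    (UseTPMPIN: 0 = do not allow, 1 = allow, 2 = require).
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or [int]$fve.UseAdvancedStartup -ne 1 -or [int]$fve.UseTPMPIN -lt 1) {
    $findings.Add("BitLocker startup policy does not allow a TPM+PIN protector (UseAdvancedStartup/UseTPMPIN)")
}

# 3. Secure Boot must be on so the firmware refuses unsigned boot code.
#    Confirm-SecureBootUEFI throws on legacy-BIOS machines.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings.Add("Secure Boot is disabled") }
} catch {
    $findings.Add("Secure Boot state unavailable (legacy BIOS or unsupported firmware): $($_.Exception.Message)")
}

# 4. Recovery environment: if WinRE is enabled its image must be kept
#    serviced; 'reagentc /disable' removes the on-disk recovery entry
#    entirely, at the cost of self-service recovery.
$reInfo = (& reagentc.exe /info 2>&1) | Out-String
if ($reInfo -match 'Windows RE status:\s+Enabled') {
    $findings.Add("WinRE is enabled; keep its image serviced (Safe OS updates) or disable it with 'reagentc /disable'")
}

# 5. Report.
if ($findings.Count -eq 0) {
    Write-Output "All boot-time controls are in place on $env:COMPUTERNAME"
} else {
    Write-Output "Findings on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { Write-Output " - $_" }
}

# Remediation for finding 1, left commented out so the audit stays read-only.
# Run it deliberately, after the recovery key is escrowed; the user is then
# prompted for the PIN at every boot, including boots into WinRE.
# Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector `
#     -Pin (Read-Host -AsSecureString 'Pre-boot PIN')
```

Run it from an elevated prompt on each laptop (or through your management tooling) and treat any line in the findings list as a gap against the mitigations above. The policy check matters because `Add-BitLockerKeyProtector -TpmAndPinProtector` fails on a machine where the startup-authentication policy still forbids a PIN.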

Files an attacker left behind should be removed through trusted antivirus or endpoint protection rather than by hand. Detection opportunities should also be explored to spot exploitation attempts: an attacker who powers a laptop off to reach the boot menu leaves an unclean-shutdown record (System log event ID 6008) on the next Windows boot, and gaps in endpoint sensor telemetry that coincide with such reboots are worth a look. By taking these proactive measures, organizations can safeguard their systems and data from the YellowKey vulnerability.

Summary and Conclusion

The YellowKey vulnerability is a zero-day flaw that affects Windows PE users, particularly those with CrowdStrike installed. It allows unauthorized access to and deletion of files on affected laptops without requiring authentication. Organizations should mitigate it immediately by enabling BitLocker with pre-boot authentication, enforcing Secure Boot, and running endpoint protection with the latest updates and settings.
