Windows YellowKey Vulnerability (CVE‑2026‑45585): Exploit Details and Fixed PowerShell Mitigation
The article explains the YellowKey vulnerability (CVE‑2026‑45585) affecting Windows 11, Server 2022/2025, how an attacker can gain SYSTEM access via a crafted USB, Microsoft’s controversial response, and provides a corrected PowerShell script that removes the malicious BootExecute entry to mitigate the exploit.
YellowKey vulnerability (CVE‑2026‑45585)
The vulnerability affects Windows 11, Windows Server 2022 and Windows Server 2025 (Windows 10 is not impacted). An attacker creates a specially crafted FsTx folder structure on a USB drive, boots the target machine into the Windows Recovery Environment (WinRE), and WinRE launches a command‑line window with SYSTEM privileges. This allows the attacker to bypass BitLocker encryption and access the encrypted data.
Microsoft temporary mitigation script
Microsoft confirmed the vulnerability and published a PowerShell script as a temporary fix. The script mounts the WinRE image, edits the offline SYSTEM registry to delete the autofstx.exe entry from the BootExecute value (if present), safely commits the changes, and repacks WinRE, preserving BitLocker trust. If the entry does not exist, the script exits without modification.
Official advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
Issue on Chinese‑language systems
The original script fails on systems with Chinese locale because of a faulty regular‑expression line used to detect WinRE status.
The offending line is:

if ($winreOutputStr -match "[:：]\s*Enabled\b")

In the .NET regex engine, the opening [ followed by : is interpreted as the start of a POSIX character class (e.g., [:digit:]). Because the next character is a Chinese fullwidth colon (：) rather than a letter, the engine cannot find the expected closing ] and throws an “unterminated [] set” error.
Corrected script
Replacing the pattern with a literal colon fixes the error, allowing the script to run successfully on Chinese systems.
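As an added example (not Microsoft's script and not the corrected script from the source), the two pieces the article describes, written in PowerShell: a WinRE status check that accepts either colon form by using the \uFF1A escape instead of a literal non-ASCII character, and the BootExecute clean-up against an offline SYSTEM hive that leaves the image untouched when no autofstx.exe entry exists. It assumes an elevated session and that winre.wim is already mounted (Mount-WindowsImage) at the directory passed as -MountPath; the sample reagentc lines are constructed.

```powershell
function Test-WinREEnabled {
    param([string[]]$ReagentcOutput)   # lines captured from: reagentc /info
    # Match an ASCII colon or the fullwidth colon (U+FF1A) that Chinese-locale
    # output prints, written as a \u escape so the pattern itself stays ASCII-only.
    foreach ($line in $ReagentcOutput) {
        if ($line -match '[:\uFF1A]\s*Enabled\b') { return $true }
    }
    return $false
}

function Remove-AutoFsTxFromOfflineHive {
    param(
        # Assumed: directory where winre.wim is already mounted with Mount-WindowsImage.
        [Parameter(Mandatory)][string]$MountPath,
        [string]$HiveName = 'WinRE_SYSTEM'   # temporary key name under HKLM
    )
    $hive = Join-Path $MountPath 'Windows\System32\config\SYSTEM'
    # An offline hive has no CurrentControlSet link, so address ControlSet001 directly.
    $key = "HKLM:\$HiveName\ControlSet001\Control\Session Manager"
    reg.exe load "HKLM\$HiveName" $hive | Out-Null
    try {
        $current = @((Get-ItemProperty -Path $key -Name BootExecute).BootExecute)
        $kept    = @($current | Where-Object { $_ -notmatch '(?i)autofstx' })
        if ($kept.Count -eq $current.Count) {
            return $false   # no autofstx.exe entry: leave the image unmodified
        }
        Set-ItemProperty -Path $key -Name BootExecute -Value ([string[]]$kept) -Type MultiString
        return $true        # caller commits the change with Dismount-WindowsImage -Save
    }
    finally {
        [gc]::Collect()     # drop lingering handles so the hive unloads cleanly
        reg.exe unload "HKLM\$HiveName" | Out-Null
    }
}

# Usage: constructed sample lines showing the ASCII and the fullwidth colon form.
$enabledEn = Test-WinREEnabled @('Windows RE status:         Enabled')
$enabledZh = Test-WinREEnabled @('Windows RE 状态：         Enabled')
# Against a live system: Test-WinREEnabled (reagentc /info)
# $changed = Remove-AutoFsTxFromOfflineHive -MountPath 'C:\WinREMount'
```

If Remove-AutoFsTxFromOfflineHive returns $false, dismount with -Discard so an unchanged WinRE image is never rewritten.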
Usage steps
Open PowerShell with administrator rights on the affected Windows system.
If script execution is blocked, run Set-ExecutionPolicy -ExecutionPolicy RemoteSigned to allow remote‑signed scripts.
Execute the script: .\Remove-AutoFsTxFromWinRE.ps1.
This article has been distilled and summarized from source material, then republished for learning and reference.
IT Services Circle