Possible BitLocker Zero Day Vulnerability « Giveaway of the Day Forums

Back to Giveaway of the Day

Giveaway of the Day Forums » Technical notes

Possible BitLocker Zero Day Vulnerability

(2 posts) (1 voice)

Started 3 weeks ago by mikiem2
Latest reply from mikiem2

mikiem2
Moderator

tomshardware[.]com/tech-industry/cyber-security/microsoft-bitlocker-protected-drives-can-now-be-opened-with-just-some-files-on-a-usb-stick-yellowkey-zero-day-exploit-demonstrates-an-apparent-backdoor

bleepingcomputer[.]com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/

I say *possible* because *to me* it does not seem it would be immediately useful to cyber criminals, though they might be able to build on it, taking the exploit further. To perform the exploit as published you copy the FsTx folder to the System Volume Information on a USB stick, cause the system to reboot into the Recovery Environment, then hold down the Control key until it reboots. When it restarts you'll be at the Command Prompt with full access to the encrypted drive.

Of course, if you are in the running copy of Windows, which is necessary to pull this off, you already have access to the files on the BitLocker encrypted system disk, so while I may be missing something here, what is the point?

Posted 3 weeks ago #
mikiem2
Moderator

msrc.microsoft[.]com/update-guide/vulnerability/CVE-2026-45585

Microsoft has released a script to mitigate the vulnerability by removing autofstx.exe from WinRE, the recovery environment stored on the Recovery partition.

This script is an interim security fix that helps to reduce the risk of exploitation of the vulnerability.

The script is for WinRE and removes autofstx.exe from the BootExecute registry value. Since BootExecute runs programs very early in boot (even in recovery mode), removing this entry prevents that executable from running in a high‑privilege environment, reducing risk.

It works by mounting the WinRE image, editing its offline SYSTEM registry to remove the entry if present, then safely committing changes and re‑sealing WinRE so BitLocker trust remains intact.

It’s designed to be safe—if the autofstx.exe entry isn’t there, it exits without making changes.

Posted 2 weeks ago #

RSS feed for this topic

Reply

You must log in to post.