CSO Online interviewed NetSPI’s VP of Research, Karl Fosaaen, for a May 20, 2026 article about how Microsoft is working on a patch for a zero-day vulnerability dubbed “YellowKey” (CVE-2026-45585). The vulnerability allows attackers with physical access to a Windows device to bypass BitLocker encryption and read or write files, and a public proof of concept is already available. Read the preview below or view it online.

In short, Karl’s message is a two-part warning: lock down physical access before an attack happens, and don’t assume you’ll know if you’ve been hit. 

Here’s a further breakdown of the key points:  

Karl emphasized that since YellowKey requires physical access to exploit, organizations should focus on strengthening physical security controls around their Windows devices. He recommended strong policies and controls around physical device access as a first step, and suggested that organizations concerned about attackers accessing files on a system should consider limiting the data users are allowed to store locally. 

Karl also noted that what makes the vulnerability particularly difficult to deal with is that attacks may not be immediately apparent to users. If an attacker used the exploit simply to read files from the encrypted volume, there likely wouldn’t be any indicators visible to the user. However, if malicious software was implanted, the user might notice increased system utilization or other performance issues.  
