Microsoft patches Defender zero-days
- Microsoft released patches and mitigations this week after two Microsoft Defender zero-days were exploited in attacks and a BitLocker bypass dubbed YellowKey was disclosed.
- YellowKey, tracked as CVE-2026-45585, carries a CVSS score of 6.8 and can let an attacker with physical access bypass BitLocker protections.
- Microsoft advised customers to apply Defender updates and YellowKey mitigations, including WinRE changes and, in some cases, TPM+PIN configuration.
Microsoft released security fixes this week after two Microsoft Defender vulnerabilities were exploited as zero-days and after a separate BitLocker bypass flaw, dubbed YellowKey, was publicly disclosed. BleepingComputer reported on May 21 that Microsoft had started rolling out patches for the Defender flaws, while The Hacker News reported on May 20 that Microsoft had issued mitigations for YellowKey, tracked as CVE-2026-45585. Microsoft said affected customers should patch or apply the available mitigations.

The disclosures put three different enterprise security basics in one place: endpoint protection, disk encryption and recovery-environment hardening. CISA says its Known Exploited Vulnerabilities catalog is meant to help organizations prioritize flaws that are being used in the wild, and BleepingComputer said one earlier Microsoft Defender issue had already been added to that catalog in April. (bleepingcomputer.com)

### Which Microsoft problems were addressed this week?

BleepingComputer reported on May 21 that Microsoft began rolling out patches for two Defender vulnerabilities that had been exploited in zero-day attacks. The article said the flaws were being used in the wild before fixes were available, which is the defining feature of a zero-day. The Hacker News reported on May 20 that Microsoft also released a mitigation for YellowKey, a BitLocker security-feature bypass now tracked as CVE-2026-45585. (cisa.gov)

Microsoft described YellowKey in an advisory as a publicly disclosed vulnerability and said proof-of-concept code had been made public.

### What exactly is YellowKey doing?

CVE-2026-45585 affects Windows 11 versions 24H2, 25H2 and 26H1 for x64-based systems, plus Windows Server 2025 and Server Core installations, according to Microsoft's advisory as quoted by The Hacker News. (bleepingcomputer.com) The flaw has a CVSS score of 6.8.

The Hacker News said researcher Chaotic Eclipse, also known as Nightmare-Eclipse, disclosed YellowKey after showing that specially crafted "FsTx" files placed on a USB drive or EFI partition could be used during the Windows Recovery Environment process. (thehackernews.com) Microsoft said successful exploitation could let an attacker with physical access bypass BitLocker device encryption and access encrypted data.

### Why are researchers focused on the recovery environment?

Windows Recovery Environment, or WinRE, is the part of Windows used to troubleshoot and repair systems that cannot boot normally. The Hacker News reported on May 14 that YellowKey works inside WinRE rather than in the main operating system, which is why the issue drew attention from researchers examining trust assumptions in pre-boot recovery. (thehackernews.com)

Security researcher Will Dormann said, as quoted by The Hacker News, that the mitigation works by preventing the FsTx Auto Recovery Utility, `autofstx.exe`, from automatically starting when the WinRE image launches. The same report said Microsoft also recommended moving some already encrypted devices from TPM-only protection to TPM+PIN. (thehackernews.com)

### How should companies think about the Defender zero-days?

Microsoft Defender is already embedded across many Windows environments, which means exploited flaws in the product can become urgent patching priorities. BleepingComputer said Microsoft warned customers that the two Defender vulnerabilities had been exploited in attacks and started rolling out security patches on Wednesday. (thehackernews.com)

CISA says organizations should use the Known Exploited Vulnerabilities catalog as an input to vulnerability-management prioritization. That guidance does not name these newly reported Defender flaws specifically in the material reviewed here, but it provides the framework many security teams use when deciding which active threats to remediate first.

### What should defenders do next?

Microsoft said customers should install the available Defender fixes and apply YellowKey mitigations where relevant. (bleepingcomputer.com) For YellowKey, the steps outlined by Microsoft and summarized by The Hacker News include mounting the WinRE image, editing the system registry hive to remove the `autofstx.exe` value from `BootExecute`, recommitting the image and reestablishing BitLocker trust for WinRE. (cisa.gov)

As of May 21, 2026, the most concrete next step is operational rather than strategic: review Windows 11 and Windows Server 2025 fleets for exposure, apply Microsoft's updates, and verify whether BitLocker deployments still rely on TPM-only protection. (thehackernews.com)
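The two verification points in the paragraphs above (does the WinRE image still auto-start `autofstx.exe` from `BootExecute`, and which OS volumes still rely on a TPM-only protector) can be checked from an elevated PowerShell session. The script below is an added audit example written for this article; it is not Microsoft's mitigation script and not code from either cited report. It is read-only: the WinRE image is mounted and then unmounted with `/discard`, so nothing is changed. It assumes the documented behaviour of `reagentc.exe`, `reg.exe` and `Get-BitLockerVolume`, that the mounted WinRE image keeps its SYSTEM hive at `Windows\System32\config\SYSTEM`, and that `BootExecute` lives under `ControlSet001\Control\Session Manager` in that offline hive; the scratch mount path and the temporary hive name `WinREAudit` are the example's own choices.

```powershell
# Added audit example (not Microsoft's or the article's code). Read-only; run elevated.
#Requires -RunAsAdministrator

function Get-BitLockerProtectorSummary {
    # Lists every BitLocker volume with its protector types and flags volumes whose only
    # TPM-bound protector is a bare TPM (no PIN), the configuration the YellowKey guidance
    # says some encrypted devices should move away from.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ',')
            # TpmPin and TpmPinStartupKey both count as "has a PIN"
            TpmOnly    = ($types -contains 'Tpm') -and -not ($types -match '^TpmPin')
        }
    }
}

function Test-WinReAutoFsTx {
    # Mounts the registered WinRE image, loads its offline SYSTEM hive and reports whether
    # BootExecute still references autofstx.exe. The image is unmounted with /discard.
    $mount = Join-Path $env:SystemDrive 'WinREAudit'   # assumed scratch mount path
    New-Item -ItemType Directory -Path $mount -Force | Out-Null

    & reagentc.exe /mountre /path $mount | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed with exit code $LASTEXITCODE" }
    try {
        $hive = Join-Path $mount 'Windows\System32\config\SYSTEM'   # assumed hive location
        & reg.exe load 'HKLM\WinREAudit' $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
        try {
            # Offline hives have no CurrentControlSet link; ControlSet001 is assumed here.
            $key = 'HKLM:\WinREAudit\ControlSet001\Control\Session Manager'
            $bootExec = @((Get-ItemProperty -Path $key -Name BootExecute `
                            -ErrorAction SilentlyContinue).BootExecute)
            [pscustomobject]@{
                BootExecute     = ($bootExec -join ' | ')
                AutoFsTxPresent = [bool]($bootExec | Where-Object { $_ -match 'autofstx\.exe' })
            }
        }
        finally {
            # Drop PowerShell's handle on the hive before asking reg.exe to unload it.
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()
            & reg.exe unload 'HKLM\WinREAudit' | Out-Null
        }
    }
    finally {
        & reagentc.exe /unmountre /path $mount /discard | Out-Null
    }
}

Get-BitLockerProtectorSummary | Format-Table -AutoSize
Test-WinReAutoFsTx | Format-List
```

A volume reported with `TpmOnly = True` is a candidate for the TPM+PIN change the article mentions, and `AutoFsTxPresent = True` means the WinRE mitigation has not yet been applied to the image this machine would boot into. Because the image is discarded rather than committed, the script can be run repeatedly across a fleet as a compliance check without touching the recovery environment; the actual removal of the value and the BitLocker trust re-establishment should follow Microsoft's published steps.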