United States-based security researchers have disclosed a vulnerability in the Microsoft Windows Recovery Environment (WinRE) that allows UEFI and BIOS password protections to be bypassed on certain Windows 10 and Windows 11 systems. Tracked as CERT/CC VU#226679 and CVE-2026-45585, the flaw is a weakness in pre-boot security controls on devices that rely on the built-in recovery platform.

Under specific firmware implementations, WinRE can be manipulated into invoking an alternate boot path on which firmware-level authentication is not consistently enforced. Anyone with physical or administrative access can therefore circumvent administrator-set firmware passwords that are meant to protect the system configuration and boot security policies.

The researchers say the vulnerability is particularly relevant to so-called "Evil Maid" attacks, in which a threat actor gains temporary physical access to an unattended computer. Organizations commonly depend on firmware passwords to prevent changes to the boot order, block booting from external media, keep Secure Boot from being disabled, and preserve the protections around full-disk encryption; the WinRE flaw undermines each of those assumptions. By entering recovery mode through options such as the F11 recovery menu or the "Reset this PC" function, an attacker can take advantage of the inconsistent enforcement of pre-boot authentication to reach the underlying configuration interfaces without supplying the required BIOS or UEFI password.

The issue is closely linked to a publicly disclosed exploit chain known as "YellowKey," which demonstrates how the weakness can be abused in practice.
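The article's practical takeaway is that a firmware password on its own is not a reliable gate in front of WinRE, Secure Boot settings and the encrypted OS volume. The following PowerShell audit is an added example, not code from the article or from the researchers, and it only reports state without changing anything. It assumes an elevated PowerShell session on Windows 10 or 11 with the built-in `reagentc.exe` tool and the `BitLocker` and `SecureBoot` modules available; the "TpmPin"/"TpmPinStartupKey" protector names are the standard values returned by `Get-BitLockerVolume`. A machine that shows WinRE enabled, BitLocker protected by the TPM alone and no pre-boot PIN is one where a bypass of firmware-level authentication matters most, because the OS volume would unlock automatically on the alternate boot path.

```powershell
# Added example (not from the article): audit the pre-boot controls that
# firmware passwords are commonly assumed to protect. Run elevated; read-only.

$report = [ordered]@{}

# 1. Is WinRE enabled? "reagentc /info" prints a line "Windows RE status: Enabled|Disabled".
$reInfo = & reagentc.exe /info 2>&1
$reLine = $reInfo | Select-String 'Windows RE status' | Select-Object -First 1
$report['WinRE status'] = if ($reLine) { ($reLine.Line -split ':', 2)[1].Trim() } else { 'Unknown' }

# 2. Secure Boot state as reported by the firmware. The cmdlet throws on legacy-BIOS systems.
try {
    $report['Secure Boot enabled'] = Confirm-SecureBootUEFI
} catch {
    $report['Secure Boot enabled'] = 'Not UEFI / unsupported'
}

# 3. BitLocker on the OS volume, and whether unlocking needs a pre-boot PIN or only the TPM.
#    A TPM-only protector releases the key automatically during boot; TPM+PIN does not.
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($null -eq $blv) {
    $report['BitLocker'] = 'Cmdlet unavailable or OS volume not found'
} else {
    $report['BitLocker protection'] = $blv.ProtectionStatus
    $types = @($blv.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $report['BitLocker protectors']   = ($types -join ', ')
    $report['Pre-boot PIN required']  = [bool]($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
}

# Print the findings as aligned key/value lines.
$report.GetEnumerator() | ForEach-Object { '{0,-24}: {1}' -f $_.Key, $_.Value }

# Reading the result: "WinRE status: Enabled" together with "Pre-boot PIN required: False"
# means this machine is relying on the firmware password alone to keep the pre-boot
# configuration interfaces and the encrypted volume out of reach of a physically present attacker.
```

Run it across a fleet with your usual remote-execution tooling and sort on the last two fields; the machines to look at first are those where WinRE is enabled and the OS volume has no pre-boot PIN.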
Prepared by Jonathan Pierce and reviewed by editorial team.
Your computer's security is at risk. This flaw lets people bypass password protections on Windows 10 and 11. It's especially risky if someone gets physical access to your computer. They could change boot order, disable Secure Boot, or even access encrypted data.
Check your Windows Recovery Environment settings. Make sure you're not relying solely on firmware passwords for security. And remember, physical security is just as important as digital.