CVE-2026-45585: the UEFI BootNext variable is unauthenticated, and Microsoft's own recovery environment happily uses it to skip the BIOS password you thought was protecting your laptop.
That's the nutshell from CERT/CC's vulnerability note published June 22. Beatriz Fresno Naumova reported the flaw, and Eclypsium's research on what they call "YellowKey" details the mechanics. If you rely on a UEFI/BIOS password as your primary physical defense, your threat model just got a hole.
WinRE Boots on an Alternate Path That Ignores Your Lock
Windows Recovery Environment (WinRE) is the recovery menu many OEMs bind to F11, the "Reset this PC" wizard, and the repair console. When WinRE is invoked, the machine reboots into a separate recovery environment that does not necessarily pass through the same pre-boot authentication as a normal boot. The mechanism is the UEFI boot manager's one-time boot target: the BootNext NVRAM variable names a single Boot#### entry to use on the next boot only, and for that one cycle it takes precedence over BootOrder. Nothing authenticates the variable; any caller with NVRAM write access can set it, and the firmware cannot tell a recovery tool from an attacker.
Secure Boot still validates the signature of whatever BootNext points at, so the recovery image itself has to be signed, but nothing requires the firmware to ask for its setup or power-on password before honoring BootNext: the UEFI spec leaves password prompting and reset handling to each implementation. On affected systems, the reboot WinRE performs through that path comes up without the password check. An attacker with physical access (or administrative access that can trigger a recovery reboot) therefore gets past the lock.
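To make the BootNext precedence rule and the "unauthenticated" point concrete, here is an added example (not code from CERT/CC, Eclypsium or Microsoft) that decodes the three variables involved: BootNext, BootOrder and the Boot#### load options. The variable contents are constructed in the script, the recovery entry's description and file path are hypothetical, and the Python function names are the example's own; the structure layouts and attribute bit values are the ones the UEFI specification defines.

```python
"""Decode the UEFI variables behind a one-time boot override (added example).

BootNext is a bare UINT16 naming the Boot#### entry to try once, ahead of
BootOrder; Boot#### holds an EFI_LOAD_OPTION. Neither value carries a
signature, so the only record of whether a write needed authentication is the
variable's attribute word. All variable contents here are constructed.
"""
import struct

# EFI variable attribute bits, as passed to SetVariable() (UEFI spec).
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
AUTH_BITS = (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
NV_BS_RT = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
            | EFI_VARIABLE_RUNTIME_ACCESS)  # what BootNext/BootOrder actually use

LOAD_OPTION_ACTIVE = 0x1
DEVPATH_END = (0x7F, 0xFF)       # End Entire Device Path node
MEDIA_HARD_DRIVE = (0x04, 0x01)  # Media / Hard Drive node (42 bytes)
MEDIA_FILE_PATH = (0x04, 0x04)   # Media / File Path node (CHAR16 path)


def _utf16z(text):
    return text.encode("utf-16-le") + b"\x00\x00"


def build_load_option(description, file_path, partition=1, active=True):
    """Construct an EFI_LOAD_OPTION for a file on a GPT partition (sample data)."""
    hd = struct.pack("<IQQ16sBB", partition, 0x800, 0x32000, b"\x11" * 16, 0x02, 0x02)
    fp = _utf16z(file_path)
    path = (struct.pack("<BBH", *MEDIA_HARD_DRIVE, 4 + len(hd)) + hd
            + struct.pack("<BBH", *MEDIA_FILE_PATH, 4 + len(fp)) + fp
            + struct.pack("<BBH", *DEVPATH_END, 4))
    attrs = LOAD_OPTION_ACTIVE if active else 0
    return struct.pack("<IH", attrs, len(path)) + _utf16z(description) + path


def parse_device_path(blob):
    """Walk EFI_DEVICE_PATH_PROTOCOL nodes up to the end node."""
    nodes, off = [], 0
    while off + 4 <= len(blob):
        ntype, subtype, length = struct.unpack_from("<BBH", blob, off)
        if length < 4 or off + length > len(blob):
            raise ValueError("malformed device path node")
        body = blob[off + 4:off + length]
        off += length
        if (ntype, subtype) == DEVPATH_END:
            break
        if (ntype, subtype) == MEDIA_FILE_PATH:
            nodes.append(("file", body.decode("utf-16-le").rstrip("\x00")))
        elif (ntype, subtype) == MEDIA_HARD_DRIVE:
            nodes.append(("hd", struct.unpack_from("<I", body, 0)[0]))
        else:
            nodes.append(("other", ntype, subtype))
    return nodes


def parse_load_option(blob):
    """Decode an EFI_LOAD_OPTION: attributes, path length, CHAR16 description, path."""
    attrs, path_len = struct.unpack_from("<IH", blob, 0)
    off = end = 6
    while blob[end:end + 2] != b"\x00\x00":      # find the CHAR16 NUL terminator
        if end + 2 > len(blob):
            raise ValueError("unterminated description")
        end += 2
    description = blob[off:end].decode("utf-16-le")
    off = end + 2
    return {"active": bool(attrs & LOAD_OPTION_ACTIVE),
            "description": description,
            "path": parse_device_path(blob[off:off + path_len])}


def parse_boot_next(blob):
    """BootNext is exactly one UINT16: the Boot#### number to try on the next boot."""
    if len(blob) != 2:
        raise ValueError("BootNext must be 2 bytes")
    return struct.unpack("<H", blob)[0]


def parse_boot_order(blob):
    if len(blob) % 2:
        raise ValueError("BootOrder must be an array of UINT16")
    return list(struct.unpack("<%dH" % (len(blob) // 2), blob))


def write_requires_auth(attrs):
    """True only if the firmware demanded a signed write for this variable."""
    return bool(attrs & AUTH_BITS)


def effective_next_boot(variables):
    """Which Boot#### entry the boot manager tries first. `variables` maps a name
    to (attributes, data) as GetVariable() returns them; BootNext, if present,
    overrides BootOrder for one boot."""
    if "BootNext" in variables:
        attrs, data = variables["BootNext"]
        num, source = parse_boot_next(data), "BootNext"
    else:
        attrs, data = variables["BootOrder"]
        num, source = parse_boot_order(data)[0], "BootOrder"
    name = "Boot%04X" % num
    entry = parse_load_option(variables[name][1])
    entry.update(source=source, entry=name, authenticated_write=write_requires_auth(attrs))
    return entry


# Constructed firmware state: the normal Windows entry, a hypothetical recovery
# entry on partition 4, and a BootNext selecting it for the next boot. Whether
# WinRE or an attacker with NVRAM write access wrote it, the firmware cannot tell.
SAMPLE_VARIABLES = {
    "Boot0001": (NV_BS_RT, build_load_option("Windows Boot Manager", r"\EFI\Microsoft\Boot\bootmgfw.efi")),
    "Boot0003": (NV_BS_RT, build_load_option("Recovery (hypothetical)", r"\EFI\Recovery\recovery.efi", partition=4)),
    "BootOrder": (NV_BS_RT, struct.pack("<HH", 0x0001, 0x0003)),
    "BootNext": (NV_BS_RT, struct.pack("<H", 0x0003)),
}

if __name__ == "__main__":
    nxt = effective_next_boot(SAMPLE_VARIABLES)
    print("%s via %s, signed write required: %s, path %s"
          % (nxt["entry"], nxt["source"], nxt["authenticated_write"], nxt["path"]))
```

The attribute word is the whole story: BootNext ships as NV+BS+RT, never with an authenticated-write bit, so the check that would distinguish a legitimate recovery request from a tampered variable does not exist at the firmware level. On a Linux host `efibootmgr -v` shows the same entries decoded; on Windows the supported way to write BootNext is `bcdedit /set {fwbootmgr} bootsequence {id}`.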
Evil Maid, BitLocker Bypass, and What Actually Protects You
This is the classic Evil Maid scenario: leave a laptop unattended at a hotel, the attacker reboots it into WinRE, changes boot configuration or security settings, and walks away with your data or with persistence. If BitLocker is configured TPM-only (no PIN or startup key), there is no user-facing pre-boot gate at all: the TPM releases the volume key on any boot whose measurements match, so the recovery environment may come up with the OS volume already unlocked. The same BootNext mechanism can point the firmware at any other boot application, including one on removable media carrying its own EFI System Partition, as long as it clears Secure Boot's signature check.
CERT/CC recommends a layered set of mitigations, not just relying on firmware passwords:
- Disable WinRE on high-security systems where recovery isn't operationally needed.
- Require ephemeral one-time admin authorization to invoke recovery.
- Switch BitLocker to TPM + PIN or TPM + Startup Key so pre-boot auth is mandatory.
- Restrict pluggable media with EFI System Partitions and lock down BootNext/BootOrder modifications.
- Deploy endpoint detection with measured boot and remote attestation.
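Three of those five items can be checked from the host itself. The script below is an added example (not CERT/CC's or Microsoft's tooling) that parses what `reagentc /info`, `manage-bde -status C:` and `bcdedit /enum {fwbootmgr}` print, all of which need an elevated prompt, and reports WinRE still enabled, a TPM-only BitLocker protector, and a pending one-time firmware boot override. The sample outputs are constructed and abbreviated: the field labels match the tools, the GUIDs and sizes are made up. Media restrictions and attestation are policy and EDR matters the script does not cover.

```python
"""Audit a Windows host against the CERT/CC mitigation list (added example).

Parses tool output rather than talking to the firmware, so it runs offline on
the constructed samples below and live on a host via collect_live().
"""
import re
import subprocess

# Constructed sample of `reagentc /info`; only the status line is examined.
SAMPLE_REAGENTC = r"""
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

    Windows RE status:         Enabled
    Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 4e1b0c5a-0000-0000-0000-000000000000

REAGENTC.EXE: Operation Successful.
"""

# Constructed sample of `manage-bde -status C:` with a TPM-only protector plus
# the usual recovery password. A recovery password is not pre-boot auth.
SAMPLE_BDE_TPM_ONLY = r"""
Volume C: [Windows]
[OS Volume]

    Size:                 475.70 GB
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
"""
SAMPLE_BDE_TPM_PIN = SAMPLE_BDE_TPM_ONLY.replace("        TPM\n", "        TPM And PIN\n")

# Constructed sample of `bcdedit /enum {fwbootmgr}` with a one-time override set
# (bootsequence is how Windows exposes the firmware's BootNext).
SAMPLE_FWBOOTMGR = r"""
Firmware Boot Manager
---------------------
identifier              {fwbootmgr}
displayorder            {bootmgr}
                        {8f2a6f3e-0000-0000-0000-000000000000}
bootsequence            {8f2a6f3e-0000-0000-0000-000000000000}
timeout                 0
"""


def winre_enabled(reagentc_text):
    m = re.search(r"Windows RE status:\s*(\w+)", reagentc_text)
    return m is not None and m.group(1).lower() == "enabled"


def bitlocker_protectors(bde_text):
    """Return the protector names indented under 'Key Protectors:'."""
    lines = bde_text.splitlines()
    protectors = []
    for i, line in enumerate(lines):
        if line.strip().lower() == "key protectors:":
            indent = len(line) - len(line.lstrip())
            for nxt in lines[i + 1:]:
                if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                protectors.append(nxt.strip())
            break
    return protectors


def has_preboot_auth(protectors):
    """TPM alone unseals silently; 'TPM And PIN', 'TPM And Startup Key' or a bare
    startup key ('External Key') make the user present something before the OS
    volume opens."""
    return any(p.lower().startswith("tpm and") or p.lower() == "external key"
               for p in protectors)


def pending_boot_sequence(fwbootmgr_text):
    m = re.search(r"^bootsequence\s+(\{[0-9a-f-]+\})", fwbootmgr_text, re.M | re.I)
    return m.group(1) if m else None


def audit(reagentc_text, bde_text, fwbootmgr_text):
    """Return a list of finding strings; empty means the three checks pass."""
    findings = []
    if winre_enabled(reagentc_text):
        findings.append("WinRE enabled: run 'reagentc /disable' where recovery is not needed")
    protectors = bitlocker_protectors(bde_text)
    if not protectors:
        findings.append("BitLocker: no key protectors listed for the OS volume")
    elif not has_preboot_auth(protectors):
        findings.append("BitLocker: TPM-only, no PIN or startup key gates the OS volume")
    seq = pending_boot_sequence(fwbootmgr_text)
    if seq:
        findings.append("One-time firmware boot override pending (bootsequence %s)" % seq)
    return findings


def collect_live():
    """Run the three tools on a live Windows host (elevated prompt required)."""
    def run(cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return (run(["reagentc", "/info"]),
            run(["manage-bde", "-status", "C:"]),
            run(["bcdedit", "/enum", "{fwbootmgr}"]))


if __name__ == "__main__":
    for finding in audit(SAMPLE_REAGENTC, SAMPLE_BDE_TPM_ONLY, SAMPLE_FWBOOTMGR):
        print("-", finding)
```

Replace the three sample strings with `collect_live()` to run it for real; a clean host returns no findings. The protector check is the one that matters most for this bug: "Numerical Password" is a recovery protector, not a pre-boot challenge, so a volume listing only "TPM" and "Numerical Password" is exactly the TPM-only configuration the advisory warns about.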
Microsoft published an advisory (CVE-2026-45585) with hardening guidance, but the fix is policy and configuration, not a patch. UEFI BIOS passwords were always a weak deterrent against determined physical access; this confirmation means you should treat them as a speed bump, not a wall.
The real takeaway: if your org's threat model includes physical compromise, your boot chain needs to be authenticated at every step, not just the first one.
Source: VU#226679: Microsoft WinRE allows for bypass of UEFI/BIOS password enforcement
Domain: kb.cert.org