Microsoft has confirmed a critical security vulnerability in the Windows Recovery Environment (WinRE) that allows attackers to bypass UEFI or BIOS passwords, potentially undermining full-disk encryption on millions of devices. Tracked as CVE-2026-45585 and publicly disclosed on June 9, 2026, the flaw exploits the way WinRE interacts with the UEFI BootNext variable, enabling unauthorized access to recovery tools and, by extension, the underlying operating system.

The vulnerability has sent ripples through enterprise IT departments and security-conscious home users alike. With a CVSS score of 7.8, it is classified as a high-severity local attack vector, requiring physical access or high-privileged administrative rights to exploit. Yet the implications are far-reaching: an attacker who gains a foothold on a machine can chain this bypass with other techniques to decrypt BitLocker-protected drives, extract credentials, or implant persistent malware.

Understanding the Affected Components

To grasp the scope of CVE-2026-45585, one must first understand two key pieces of the Windows pre-boot puzzle: WinRE and BootNext.

Windows Recovery Environment

WinRE is a lightweight operating system based on Windows PE, designed to troubleshoot and repair issues when the main OS fails to start. It provides a familiar graphical interface or command-line access for system recovery tasks, including startup repair, system restore, and accessing the command prompt. Crucially, WinRE can be launched without authenticating to the installed Windows instance—a practical necessity for repair scenarios—but this has always posed a security risk if an attacker can force a system into recovery mode.

Historically, organizations have relied on UEFI/BIOS passwords to gate access to boot options, including the sequence that launches WinRE. If a user cannot enter the BIOS setup or modify boot order, they should not be able to bypass the primary OS authentication. CVE-2026-45585 breaks that assumption.

UEFI BootNext Variable

BootNext is a UEFI specification feature that allows a one-time boot override. An operating system or application can set the BootNext variable to point to a specific EFI boot entry, causing the firmware to boot that entry on the next system start, after which the variable is typically cleared. This mechanism is used legitimately by Windows updates and recovery processes to temporarily boot into an alternative environment.

The vulnerability lies in how WinRE initializes and handles the BootNext variable during its startup sequence. According to Microsoft's advisory, a flaw in the access controls on certain WinRE components allows a local attacker to plant a malicious EFI application and redirect BootNext to it, even when a UEFI password is enforced. The next boot will execute the attacker's code with full system privileges before any operating system defenses load.

How CVE-2026-45585 Works

Attackers need either physical access to the target machine or administrative rights within a running Windows session to exploit the vulnerability. The exploitation chain is relatively straightforward:

  1. Triggering WinRE: The attacker reboots the system and interrupts the normal boot process—by holding the Shift key while clicking Restart, for example, or by deliberately corrupting the boot configuration to force automatic recovery. If a UEFI password is set, this step alone should be blocked because accessing boot options requires the firmware password. However, the flaw allows certain recovery-triggered reboots to bypass the password prompt entirely.

  2. Setting the malicious BootNext: Within the WinRE environment, the attacker launches a command prompt (which does not require a password) and uses built-in tools or a dropped payload to modify the BootNext variable. Because WinRE runs with elevated system privileges and insufficient validation, the attacker can point BootNext to a custom EFI executable placed on the EFI System Partition (ESP) or a removable USB drive.

  3. Escalation on next boot: When the system restarts, the UEFI firmware reads the BootNext variable and boots the attacker-controlled EFI application. At this stage, standard protections like Secure Boot become irrelevant if the attacker has already bypassed firmware passwords and tampered with the boot chain on an unencrypted ESP—or if they also leverage a separate Secure Boot bypass.

  4. Full compromise: The malicious EFI application can then patch the Windows bootloader, disable BitLocker authentication checks, or drop a kernel-mode rootkit that survives OS reinstallation. Because the attack executes before the operating system loads, it can intercept and store BitLocker keys entered by the user, exfiltrate them via network, or simply decrypt the disk on the fly.

Microsoft’s investigation reveals that the vulnerability stems from a race condition in the WinRE’s handling of the UEFI password prompt. In certain timing windows, the password protection is not enforced before the recovery environment mounts critical system volumes, opening the door to manipulation of BootNext.

Real-World Impact: BitLocker at Risk

For many organizations, BitLocker Drive Encryption is the last line of defense against data theft from lost or stolen devices. CVE-2026-45585 strikes at the heart of BitLocker’s threat model by enabling an attacker to disable or circumvent its pre-boot authentication.

BitLocker relies on measurements of the boot process to ensure that the system hasn’t been tampered with. If an attacker can alter the boot chain via BootNext, those measurements become meaningless. In a typical attack scenario, a stolen laptop with a locked UEFI firmware and BitLocker enabled might still be vulnerable if the thief can force a recovery boot and execute the exploit. Even a laptop with a TPM-only protector could be decrypted if the attacker’s EFI code tricks the TPM into releasing the key by simulating a legitimate boot environment.

Security researchers have demonstrated that the attack can be automated with a USB drive containing a script that triggers the WinRE bypass and deploys a payload. The entire process takes under three minutes on modern hardware, making it a viable smash-and-grab technique.

Mitigation and Official Response

Microsoft released a security update to address CVE-2026-45585 as part of the June 2026 Patch Tuesday cycle. The patch, available for all supported versions of Windows 10 (1607 and later), Windows 11, and Windows Server 2019/2022, modifies WinRE to properly enforce UEFI password validation before allowing access to tools that can modify the BootNext variable.

However, the patch has a critical dependency: it must be applied to the WinRE image itself, not just the running OS. Many organizations are unaware that WinRE updates are not always delivered through standard Windows Update and may require manual servicing of recovery partitions. Microsoft has provided a standalone update package (KB5039302) and updated the WinRE servicing guidelines to help IT admins patch their recovery environments.

For immediate mitigation, Microsoft recommends the following steps:

  • Ensure that UEFI firmware passwords are set and that the firmware is up-to-date with the latest vendor releases.
  • Disable booting from external media and network (PXE) in the UEFI settings.
  • Enable Secure Boot and configure it to block unauthorized EFI applications.
  • Apply the June 2026 security update to both the primary OS and the WinRE image.
  • Consider using BitLocker Network Unlock or pre-boot authentication with a PIN in addition to TPM to raise the bar against such physical attacks.

Enterprise environments can also leverage Microsoft Defender for Endpoint’s attack surface reduction rules to detect and block attempts to write to the BootNext variable from a WinRE context, although this requires the endpoint to be online and reporting, which may not be the case during a recovery scenario.

Community and Expert Reaction

The disclosure ignited heated discussions on security forums and social media. Many IT professionals expressed frustration over the protracted timeline: Microsoft reportedly learned of the vulnerability through a researcher’s private disclosure in February 2026, but the public patch only arrived in June. During that window, the exploit remained unpatched and potentially weaponized.

“This is a classic example of why we need better transparency around recovery environment weaknesses,” wrote a veteran Windows administrator on a popular tech forum. “We thought UEFI passwords gave us a solid lock on the boot process, but it turns out that lock is easily picked if you just bang on the right door.”

Others pointed to the fact that CVE-2026-45585 is not the first WinRE bypass. Previous vulnerabilities, such as CVE-2022-41099 and the boot hole disclosures in 2020, demonstrated similar risks. The recurrence underscores the complexity of securing the pre-boot environment and the need for a defense-in-depth strategy that doesn’t rely on a single control.

Independent security researcher Jane Kowalski, who has reverse-engineered the patch, noted that the fix adds a new UEFI protocol check during WinRE initialization but still leaves some edge cases. “If an attacker already has administrative privileges, they can simply wait for a legitimate WinRE boot to occur and then exploit the race condition,” she said. “The patch narrows the window but doesn’t completely eliminate the risk.”

The Bigger Picture: UEFI Security in an Evolving Threat Landscape

CVE-2026-45585 is a stark reminder that UEFI firmware security is not just about protecting against bootkits—it’s also about ensuring that every link in the pre-boot chain, including recovery tools, adheres to the same authentication requirements as the main OS.

The industry has made strides with initiatives like the Microsoft Pluton security processor and the UEFI Secure Boot standard, but gaps remain wherever legacy compatibility or recovery features create alternative code paths. Attackers are increasingly focusing on these blind spots, as evidenced by the TrickBoot and FinSpy UEFI implants seen in the wild over the past few years.

For Windows users, the lesson is clear: treat your recovery environment with the same paranoia as your production OS. That means monitoring for tampering, keeping WinRE images patched, and configuring firmware passwords even when you believe additional protections like BitLocker are sufficient. Physical security remains paramount, but in an era of hybrid work and device theft, the attack surface has never been larger.

What Should Users Do Now?

If you manage Windows devices, take these actions immediately:

  1. Audit your WinRE status: Use the reagentc /info command to check if the Windows Recovery Environment is enabled and where it resides. Ensure the recovery partition has at least 500 MB of free space to accommodate future updates.

  2. Apply the patch: Visit the Microsoft Update Catalog and download the latest servicing stack update and cumulative update for your OS version. Then, follow Microsoft’s guidance to update your recovery image using the PatchWinRE.ps1 script included in the standalone package.

  3. Harden your firmware: Set a strong UEFI password, disable USB boot and network stack in BIOS, and keep firmware up to date. Many hardware vendors have also released UEFI patches that complement Microsoft’s fix.

  4. Enable additional BitLocker protectors: For high-value targets, switch from TPM-only authentication to TPM with PIN or startup key. This ensures that even if an attacker tricks the TPM, they still need a second factor to unlock the disk.

  5. Monitor for exploitation attempts: Use Windows Event Forwarding or SIEM solutions to alert on events related to WinRE access and BootNext modifications. Look for unexpected changes to the BootNext EFI variable, which can be enumerated with the bcdedit /enum firmware command.

Microsoft has also made clear that future Windows releases will include architectural changes to decouple recovery environment privileges from the ability to alter firmware boot variables, but such redesigns are years away. For now, the onus is on administrators to lock down every layer of the stack.

Windows News will continue to follow this story as new exploit techniques emerge and as Microsoft releases additional hardening guidance. Subscribe to our RSS feed or follow us on social media for the latest Windows security updates.