Microsoft has addressed two significant elevation of privilege vulnerabilities affecting its Windows BitLocker encryption feature.
The flaws, tracked as CVE-2025-54911 and CVE-2025-54912, were disclosed on September 9, 2025, and carry an “Important” severity rating.
Both vulnerabilities could allow an authorized attacker to gain full SYSTEM privileges on a compromised machine, bypassing the security layers that BitLocker is designed to enforce.
Microsoft has noted that exploitation is considered “less likely,” and as of the disclosure, the vulnerabilities have not been publicly detailed or seen exploited in the wild.
BitLocker Escalation of Privilege Vulnerability
Both CVE-2025-54911 and CVE-2025-54912 are classified as “Use-After-Free” vulnerabilities, a common and dangerous type of memory corruption bug.
This weakness, cataloged under CWE-416, occurs when a program continues to use a pointer to a memory location after that memory has been freed or deallocated.
When an attacker can influence the data written to this deallocated space, they can often manipulate the program’s execution flow.
In this scenario, a malicious actor could leverage this control to execute arbitrary code, leading to a complete system takeover.
The presence of two distinct “Use-After-Free” bugs in a critical security component like BitLocker highlights the ongoing challenges in maintaining memory safety in complex software.
Successful exploitation of either vulnerability results in a full privilege escalation. An attacker who leverages these flaws could gain SYSTEM-level access, the highest level of privilege on a Windows system.
This would grant them the ability to install programs, view, change, or delete data, and create new accounts with full user rights.
According to the CVSS metrics provided by Microsoft, an attack requires an adversary to have low-level privileges on the target system already.
Furthermore, some form of user interaction is necessary for the exploit to succeed, meaning an attacker would need to trick an authorized user into performing a specific action.
This prerequisite makes remote, automated attacks more difficult but does not diminish the risk in scenarios where an attacker has already gained an initial foothold.
Mitigations
In response to the discovery, Microsoft has fixed the vulnerabilities in the September 2025 Patch Tuesday update. The company has urged users and administrators to apply the latest updates promptly to protect their systems from potential attacks.
While the exploitability is currently assessed as less likely, the severity of the potential impact necessitates immediate action.
The discovery of CVE-2025-54912 was credited to Hussein Alrubaye, working with Microsoft, indicating a collaborative effort between the company and external security researchers to identify and resolve critical security issues.
Users are advised to check for updates via the standard Windows Update service to ensure their systems are no longer susceptible to these privilege escalation flaws.