Cyber Web Spider Blog – News

Multiple 0-days to Bypass BitLocker and Extract All Protected Data

Posted on August 9, 2025 By CWS

Researchers have disclosed a series of critical zero-day vulnerabilities that completely bypass Windows BitLocker encryption, allowing an attacker with physical access to extract all protected data from an encrypted device in a matter of minutes.

The research, conducted by Alon Leviev and Netanel Ben Simon of the Security Testing & Offensive Research at Microsoft (STORM) team, exposes fundamental flaws in the Windows Recovery Environment (WinRE) that undermine BitLocker's core security promise.

Four Critical Attack Vectors Discovered

The researchers identified four distinct zero-day vulnerabilities, designated CVE-2025-48800, CVE-2025-48003, CVE-2025-48804 and CVE-2025-48818, each exploiting a different component of the Windows recovery system.

Boot.sdi Parsing Vulnerability (CVE-2025-48800): This attack manipulates the WIM offset in the Boot.sdi file to bypass trusted-WIM validation. An attacker can substitute a malicious recovery image for the legitimate one, gaining untrusted code execution while the system still appears intact.

ReAgent.xml Exploitation (CVE-2025-48003): This vulnerability abuses WinRE's offline scanning feature, which is designed for antivirus operations. The researchers demonstrated using tttracer.exe, a legitimate Time Travel Debugging utility, to spawn command prompt sessions with full access to the encrypted volumes.

Trusted App Manipulation (CVE-2025-48804): This exploit targets SetupPlatform.exe, a legitimately trusted application that remains registered after a Windows upgrade. By manipulating its configuration files, the attack creates an unbounded time window in which keyboard shortcuts can be registered that launch privileged command prompts.

BCD Configuration Attack (CVE-2025-48818): The most sophisticated of the four exploits Push Button Reset (PBR) functionality by manipulating Boot Configuration Data to redirect WinRE operations. By planting a malicious ResetSession.xml on the unprotected recovery partition, an attacker can force the system to decrypt the BitLocker volume.

These vulnerabilities are particularly dangerous because they operate within WinRE's "Auto-Unlock" state, in which the main OS volume remains accessible to recovery operations. Unlike earlier BitLocker bypass attempts, which trigger re-locking of the volume, these exploits retain full access to the volume throughout the attack.
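All four vectors modify state that lives outside the BitLocker-protected OS volume: Boot.sdi, the WinRE image and ReAgent.xml on the recovery partition, a planted ResetSession.xml, and the BCD objects WinRE boots through. A practitioner's first check is therefore whether that unencrypted material has changed since a known-good state. The PowerShell script below is an added example, not part of the original article or of the STORM researchers' tooling. It assumes a GPT disk whose recovery partition carries the standard Windows Recovery partition type GUID and holds WinRE under \Recovery\WindowsRE, and that the baseline JSON path is a free choice; the location of a planted ResetSession.xml is taken from the article's description, so the whole partition is searched for it.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or the STORM research): baseline and diff the
# unencrypted WinRE material that the four CVEs above tamper with.
# Assumptions: GPT disk, recovery partition of the standard Windows Recovery type,
# WinRE under \Recovery\WindowsRE, baseline stored as JSON at $BaselinePath.
param(
    [string]$BaselinePath = "$env:ProgramData\WinRE-baseline.json",
    [switch]$Update        # write a fresh baseline instead of comparing against one
)

$RecoveryTypeGuid = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'   # Windows Recovery partition type
$WinreFiles = @('Winre.wim', 'boot.sdi', 'ReAgent.xml')        # targets of the Boot.sdi / ReAgent.xml attacks

$part = Get-Partition | Where-Object { $_.GptType -eq $RecoveryTypeGuid } | Select-Object -First 1
if (-not $part) { throw 'No GPT recovery partition found; MBR layouts are not handled by this example.' }

# Expose the partition through a free drive letter only for the duration of the scan.
$letter = [char[]](90..68) | Where-Object { -not (Test-Path "$($_):\") } | Select-Object -First 1
$root   = "$($letter):\"
$part | Add-PartitionAccessPath -AccessPath $root

$rc = 0
try {
    $current  = [ordered]@{}
    $winreDir = Join-Path $root 'Recovery\WindowsRE'
    foreach ($name in $WinreFiles) {
        $p = Join-Path $winreDir $name
        $current[$name] = if (Test-Path $p) { (Get-FileHash -Path $p -Algorithm SHA256).Hash } else { 'ABSENT' }
    }

    # A ResetSession.xml anywhere on the recovery partition is unexpected on a device that is
    # not in the middle of a reset (assumption: the PBR attack plants it here, per the article).
    $reset = Get-ChildItem -Path $root -Recurse -Filter 'ResetSession.xml' -ErrorAction SilentlyContinue |
             ForEach-Object { $_.FullName.Substring($root.Length) }
    $current['ResetSession.xml'] = if ($reset) { ($reset | Sort-Object) -join ';' } else { 'ABSENT' }

    # The BCD store is the other attacker-reachable input; bcdedit's text dump is enough to diff.
    $current['bcd'] = (bcdedit /enum all | Out-String).Trim()

    if ($Update -or -not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
        Write-Output "Baseline written to $BaselinePath"
    } else {
        $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
        $drift = foreach ($k in $current.Keys) {
            if ($baseline.$k -ne $current[$k]) {
                [pscustomobject]@{ Item = $k; Baseline = $baseline.$k; Current = $current[$k] }
            }
        }
        if ($drift) { $drift | Format-Table -AutoSize -Wrap; $rc = 2 }
        else        { Write-Output 'Recovery partition and BCD match the baseline.' }
    }
}
finally {
    # Always drop the temporary drive letter, even if hashing or bcdedit failed.
    $part | Remove-PartitionAccessPath -AccessPath $root
}
exit $rc
```

Run it once with -Update on a freshly imaged, patched device to record the baseline, then on a schedule; a non-zero exit code means Winre.wim, boot.sdi, ReAgent.xml, the BCD dump, or the presence of a ResetSession.xml differs from that baseline. Because the baseline is stored on the OS volume, an attacker with only WinRE-level access to the recovery partition cannot silently rewrite it to match.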

According to the Black Hat 2025 presentation, the attacks require only basic physical access and can be executed by anyone who can boot into WinRE, using simple key combinations such as Shift+F10. The researchers demonstrated complete data extraction, including access to sensitive files, credentials and system configuration stored on BitLocker-protected drives.

The vulnerabilities affect a broad range of Windows systems, including Windows 10, Windows 11 and Windows Server editions, potentially impacting millions of enterprise and consumer devices worldwide. Microsoft has classified them as "Important" severity with CVSS scores ranging from 6.8 to 7.2, though security experts argue the real-world impact could be significantly higher.

Organizations that rely on BitLocker to protect data in device-theft scenarios face immediate risk, particularly for mobile workforce devices and systems deployed in unsecured environments.

Microsoft addressed these vulnerabilities in the July 2025 Patch Tuesday updates, releasing security patches for all affected Windows versions. The company strongly recommends that organizations implement the following countermeasures immediately:

  • Enable TPM+PIN authentication for pre-boot verification. Requiring a user secret before the TPM releases the volume key prevents these attacks, because WinRE can no longer auto-unlock the encrypted volume without it.
  • Deploy the REVISE mitigation for anti-rollback protection, so that a patched boot chain cannot be downgraded to a vulnerable one.
  • Apply all July 2025 security updates through the standard Windows Update mechanisms.
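The three recommendations translate into checks that can be scripted on each endpoint. The PowerShell below is an added example, not Microsoft's own guidance or the researchers' code: it audits the local machine for a TPM+PIN protector, for Secure Boot being enabled (the prerequisite for the REVISE boot-manager revocations to be enforced; the article gives no deployment command for REVISE itself, so none is invented here), and for an update installed on or after the July 2025 Patch Tuesday, then optionally switches the OS volume from TPM-only to TPM+PIN. It assumes the FVE policy registry values named in the comments gate PIN protectors (UseTPMPIN 1 = require), a UEFI machine, and an interactive session when -Enforce is used.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft guidance text or the researchers' code): audit the
# countermeasures above on the local machine and, with -Enforce, move the OS volume
# from a TPM-only protector to TPM+PIN.
# Assumptions: the FVE policy values UseAdvancedStartup and UseTPMPIN under
# HKLM\SOFTWARE\Policies\Microsoft\FVE gate PIN protectors (1 = require), the script
# is run interactively when -Enforce is used, and the machine boots via UEFI.
param([switch]$Enforce)

$findings = [System.Collections.Generic.List[string]]::new()
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive

# 1. Pre-boot authentication: WinRE cannot auto-unlock a volume that needs a user secret.
$types       = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$hasPin      = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinKey')
$hasRecovery = $types -contains 'RecoveryPassword'
if ("$($os.ProtectionStatus)" -ne 'On') { $findings.Add("BitLocker protection is $($os.ProtectionStatus) on $env:SystemDrive") }
if (-not $hasPin)      { $findings.Add("No TPM+PIN protector on $env:SystemDrive (protectors: $($types -join ', '))") }
if (-not $hasRecovery) { $findings.Add("No recovery password protector on $env:SystemDrive; escrow one before changing protectors") }

# 2. Secure Boot: boot-manager revocations (REVISE) are only enforced when Secure Boot is on.
try { if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled') } }
catch { $findings.Add("Secure Boot state unavailable (legacy BIOS?): $($_.Exception.Message)") }

# 3. Patch level: surface the newest installed update so it can be compared with the
#    July 2025 release for this build (the article does not give the KB numbers).
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt [datetime]'2025-07-08') {   # 2025-07-08 = July Patch Tuesday
    $findings.Add("Newest update is '$($latest.HotFixID)' from $($latest.InstalledOn); July 2025 updates not confirmed")
}

# 4. Report.
$build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
Write-Output "$env:COMPUTERNAME ($build): $($findings.Count) finding(s)"
$findings | ForEach-Object { Write-Output "  - $_" }

# 5. Optional remediation: require a PIN in addition to the TPM.
if ($Enforce -and -not $hasPin) {
    if (-not $hasRecovery) { throw 'Refusing to change protectors without an escrowed recovery password.' }
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord   # allow additional auth at startup
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # 1 = require PIN with TPM
    $pin = Read-Host -Prompt 'New pre-boot PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin | Out-Null
    # Only one TPM-based protector may exist; remove a TPM-only one if it is still
    # present so the PIN is actually required rather than merely available.
    (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' } |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $_.KeyProtectorId | Out-Null }
    Write-Output 'TPM+PIN protector added; the PIN will be required at next boot.'
}
```

The script refuses to touch protectors unless a recovery password protector already exists, because the window between removing the TPM-only protector and the first successful PIN boot is exactly when a lost recovery key would lock the administrator out. In a managed fleet the same policy values would normally come from Group Policy or Intune rather than being set locally, and the patch-level check should be replaced with the specific July 2025 KB for each build once identified.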

This discovery represents one of the most significant challenges to Microsoft's encryption strategy in recent years, demonstrating how trusted recovery mechanisms can become attack vectors when they are not properly secured.

Copyright © 2026 Cyber Web Spider Blog – News.
