BitUnlocker Downgrade Attacks on Windows Allow Access


Jennifer sherman
May 12, 2026

A recently identified tool, BitUnlocker, facilitates a practical downgrade attack targeting Microsoft’s BitLocker encryption. This method allows threat actors with physical access to decrypt volumes protected by BitLocker, even on patched Windows 11 systems, in less than five minutes. The attack exploits a critical window between the application of patches and the revocation of the certificates that signed the pre-patch binaries.

The attack is rooted in CVE-2025-48804, one of four critical zero-day vulnerabilities discovered by Microsoft’s Security Testing & Offensive Research (STORM) team and patched during July 2025’s Patch Tuesday.

According to Intrinsec research, the flaw resides in the Windows Recovery Environment (WinRE) and involves the System Deployment Image (SDI) file mechanism.

When the boot manager loads a legitimate WIM (Windows Imaging Format) file referenced by an SDI for integrity verification, it simultaneously allows a second, attacker-controlled WIM to be appended to the SDI’s blob table.

The boot manager verifies the first (legitimate) WIM but actually boots from the second, which contains a WinRE image modified to launch cmd.exe with the BitLocker volume already decrypted and mounted.

Microsoft shipped a patched bootmgfw.efi binary for all supported systems via Windows Update in July 2025. However, the patch alone does not close the attack surface.

BitUnlocker Downgrade Attack on Windows 11

The critical weakness enabling the BitUnlocker attack is not a missing patch; it is an unrevoked signing certificate.

Secure Boot validates a binary’s signing certificate, not its version number. The legacy Microsoft Windows PCA 2011 certificate, used to sign all boot managers prior to the July 2025 fix, remains trusted in the Secure Boot databases of virtually all machines currently in use, unless a fresh Windows installation was performed after early 2026.

This means a pre-patch bootmgfw.efi, signed under PCA 2011, is still considered completely valid by Secure Boot despite being vulnerable.

Mass revocation of PCA 2011 poses a significant operational challenge for Microsoft, as it would affect a wide range of legitimate signed binaries across the ecosystem.

Building on the original STORM research and prior work on the “bitpixie” downgrade exploit, researchers developed a working PoC that chains these weaknesses into a sub-five-minute attack.

According to Intrinsec, the attacker requires only physical access to the target workstation and a USB drive or PXE boot server; no specialized hardware is needed.

The attack proceeds as follows: the attacker prepares a modified BCD (Boot Configuration Data) file pointing to a tampered SDI and serves an old, vulnerable PCA 2011-signed boot manager via USB or PXE boot.

The target machine loads the pre-patch boot manager, which passes Secure Boot validation normally.

The TPM releases the BitLocker Volume Master Key without triggering any alerts, because PCR measurements 7 and 11 remain valid under the trusted PCA 2011 certificate. The result: a command prompt opens with the OS volume fully decrypted and mounted.

Systems running TPM-only BitLocker (without a PIN) whose Secure Boot database still trusts PCA 2011 are fully vulnerable.

Machines configured with TPM + PIN are protected, as the TPM will not unseal the VMK without user interaction during pre-boot authentication.

Systems that have completed the KB5025885 migration, moving the boot manager signature to the newer Windows UEFI CA 2023 certificate, are also protected against this downgrade path.

Mitigations

Security teams should take the following actions immediately:

  • Enable TPM + PIN pre-boot authentication — the single most effective control, preventing the TPM from releasing the VMK during any manipulated boot sequence.
  • Deploy KB5025885 — this Microsoft update migrates boot manager signing to CA 2023 and introduces revocation controls that eliminate the downgrade path.
  • Verify boot manager certificate — mount the EFI partition and use sigcheck to confirm the active bootmgfw.efi is signed under CA 2023, not the legacy PCA 2011.
  • Remove the WinRE recovery partition on high-security workloads where pre-boot authentication cannot be enforced, minimizing the attack surface exposed to this class of exploit.
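As an added defender-side check, not code from the article, from Intrinsec or from Microsoft, the PowerShell audit below tests the three conditions the article ties to exposure on a single host: which CA signed the active bootmgfw.efi, whether the Secure Boot DB/DBX already hold CA 2023 and revoke PCA 2011, and whether the OS volume is TPM-only or TPM + PIN. It uses Get-AuthenticodeSignature in place of the sigcheck tool named above, and the S: drive letter for the EFI System Partition is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added audit script, not from the article or from the Intrinsec PoC. It checks
# the three conditions the article ties to exposure: the active bootmgfw.efi
# signer, Secure Boot DB/DBX state for PCA 2011 vs CA 2023, and TPM-only vs
# TPM+PIN key protectors. Assumption: drive letter S: is free for the ESP.
$EfiLetter = 'S:'
$BootMgr   = "$EfiLetter\EFI\Microsoft\Boot\bootmgfw.efi"
$Findings  = @()
function Add-Finding([bool]$Ok, [string]$Pass, [string]$Fail) {
    $script:Findings += $(if ($Ok) { "OK      $Pass" } else { "EXPOSED $Fail" })
}
# 1. Mount the ESP and read the Authenticode chain of the active boot manager.
#    The leaf's issuer is the CA Secure Boot actually trusts (PCA 2011 or CA 2023).
mountvol $EfiLetter /s | Out-Null
try {
    $cert = (Get-AuthenticodeSignature -FilePath $BootMgr).SignerCertificate
    if ($cert) {
        Add-Finding ($cert.Issuer -match 'Windows UEFI CA 2023') `
            'bootmgfw.efi is signed under Windows UEFI CA 2023' `
            "bootmgfw.efi issuer is '$($cert.Issuer)', not CA 2023"
    } else {
        $Findings += "INFO    no readable signature on $BootMgr"
    }
} finally {
    mountvol $EfiLetter /d | Out-Null
}

# 2. Secure Boot databases: a downgraded PCA 2011 boot manager is only rejected
#    once PCA 2011 sits in DBX; the CA 2023 boot manager needs CA 2023 in DB.
if (Confirm-SecureBootUEFI) {
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    Add-Finding ($db -match 'Windows UEFI CA 2023') `
        'DB trusts Windows UEFI CA 2023' 'DB lacks Windows UEFI CA 2023'
    Add-Finding ($dbx -match 'Microsoft Windows Production PCA 2011') `
        'DBX revokes PCA 2011' 'DBX does not revoke PCA 2011 (old boot manager still trusted)'
} else {
    $Findings += 'EXPOSED Secure Boot is disabled'
}
# 3. Protector type on the OS volume: TPM-only is the exposed configuration.
$types = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.KeyProtectorType
if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
    $Findings += 'OK      OS volume requires a PIN at pre-boot'
} elseif ($types -contains 'Tpm') {
    $Findings += 'EXPOSED OS volume uses a TPM-only protector'
} else {
    $Findings += "INFO    OS volume protectors: $($types -join ', ')"
}
$Findings
```

Any EXPOSED line means the host still boots a PCA 2011-signed manager or still unseals the VMK without a PIN, which is exactly the combination the downgrade relies on.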

The PoC is publicly available on GitHub, raising the urgency for enterprise defenders to audit their BitLocker configurations and accelerate CA 2023 migration before opportunistic attackers operationalize this technique in targeted intrusions.
