BitUnlocker Tool Exposes Critical BitLocker Vulnerability in Windows 11

Security experts at Intrinsec have unveiled a new tool called "BitUnlocker" that can bypass Windows 11 BitLocker encryption in less than five minutes. This discovery highlights a significant vulnerability, tracked as CVE-2025-48804, which was addressed by Microsoft in a July 2025 security update. The flaw is rooted in the Windows Recovery Environment and System Deployment Image mechanism, and it demonstrates how attackers can exploit the gap between software patching and certificate revocation.

How the BitLocker Bypass Works

The BitUnlocker exploit requires physical access to the target device. From a USB flash drive, the attacker presents a legitimate Windows Imaging Format (WIM) file to the boot manager for its integrity check while appending a malicious payload to it. The system verifies the authenticity of the clean file but then executes the attacker's code, granting unauthorized access to the decrypted drive.

The core of this vulnerability lies in a downgrade attack. Because the legacy Windows PCA 2011 certificate is still globally trusted by Secure Boot, attackers can load an outdated, vulnerable boot manager. The system, recognizing the certificate, authenticates the boot manager without suspicion. For users relying solely on default TPM (Trusted Platform Module) configurations, this presents a significant security risk.

Why Default TPM Configurations Are at Risk

When the downgraded boot manager runs, the TPM checks system measurements against the trusted PCA 2011 certificate. If no discrepancies are found, the TPM unseals the BitLocker Volume Master Key, allowing access to encrypted data without raising any security alerts. This process effectively bypasses BitLocker protection, exposing sensitive information to anyone with physical access to the device.

Mitigations and Protection Strategies

The primary safeguard against this attack is the requirement for physical access. Devices configured with both a TPM and a pre-boot PIN are immune, as the hardware enforces an additional layer of authentication before releasing encryption keys. Furthermore, systems that have completed the KB5025885 update and migrated to the modern Windows UEFI CA 2023 certificate are protected from this downgrade vulnerability.
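A read-only audit of the two mitigations above, as an added PowerShell example that is not from the article or from Intrinsec. It assumes an elevated prompt on Windows 11 with the built-in BitLocker and SecureBoot modules, and that the legacy CA the article calls "Windows PCA 2011" carries the full subject name 'Windows Production PCA 2011'.

```powershell
# Added example (not from the article or Intrinsec): checks whether the OS volume
# relies on TPM alone and whether the Secure Boot lists reflect the 2023 CA migration.
# Assumes an elevated prompt and the BitLocker and SecureBoot modules (Windows 11).

function Test-BitLockerPreBootAuth {
    # A TPM-only protector unseals the Volume Master Key with no user factor;
    # TpmPin or TpmPinStartupKey adds the pre-boot authentication recommended above.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
          Select-Object -First 1
    if (-not $os) { Write-Warning 'No BitLocker-protected OS volume found'; return $null }
    $types = @($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    [PSCustomObject]@{
        Volume     = $os.MountPoint
        Status     = $os.ProtectionStatus
        Protectors = ($types -join ', ')
        PreBootPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    }
}

function Test-SecureBootCaMigration {
    # db (allowed signers) and dbx (revoked signers) are DER-encoded, so certificate
    # subject names can be searched as plain ASCII in the raw bytes.
    # Assumption: the legacy CA's full subject is 'Windows Production PCA 2011'.
    try { $sbOn = Confirm-SecureBootUEFI }
    catch { Write-Warning 'Not a UEFI Secure Boot platform'; return $null }
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [PSCustomObject]@{
        SecureBootOn   = [bool]$sbOn
        Ca2023Trusted  = [bool]($db  -match 'Windows UEFI CA 2023')
        Pca2011Revoked = [bool]($dbx -match 'Windows Production PCA 2011')
    }
}

function Get-BitUnlockerExposure {
    # The downgrade path stays open only when BOTH mitigations are absent:
    # no pre-boot PIN and the legacy CA not yet revoked in dbx.
    $bl = Test-BitLockerPreBootAuth
    $sb = Test-SecureBootCaMigration
    $noPin      = ($null -ne $bl) -and (-not $bl.PreBootPin)
    $notRevoked = ($null -ne $sb) -and (-not $sb.Pca2011Revoked)
    [PSCustomObject]@{
        BitLocker          = $bl
        SecureBoot         = $sb
        ExposedToDowngrade = ($noPin -and $notRevoked)
    }
}

Get-BitUnlockerExposure | Format-List
```

A device that already trusts the 2023 CA but reports Pca2011Revoked as False has not completed the KB5025885 revocation step; confirm its prerequisites (firmware and boot media updated to the 2023 CA) before applying it, since revoking PCA 2011 early can leave older boot media unbootable.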

This vulnerability serves as a reminder for organizations and individuals to review their BitLocker configurations and ensure that all security updates are applied promptly. Implementing multi-factor authentication at boot and migrating to the latest security certificates are essential steps in maintaining robust data protection on Windows 11 devices.