BitUnlocker Bypasses BitLocker on Patched Windows 11 PCs
A newly released tool called BitUnlocker has demonstrated a practical downgrade attack against Microsoft’s BitLocker encryption, enabling attackers with physical access to decrypt protected volumes on fully patched Windows 11 machines in under five minutes without any specialized hardware.
The attack, rooted in CVE-2025-48804, exploits a critical gap that persists even after patching: an unrevoked signing certificate that keeps older, vulnerable boot managers trusted by Secure Boot.
CVE-2025-48804 is one of four critical zero-day vulnerabilities discovered by Microsoft’s Security Testing & Offensive Research (STORM) team and patched during July 2025’s Patch Tuesday.
According to researchers at Intrinsec, the vulnerability resides in the Windows Recovery Environment (WinRE) and involves manipulation of the System Deployment Image (SDI) file mechanism.
When the Windows boot manager loads a legitimate WIM (Windows Imaging Format) file referenced by an SDI for integrity verification, it simultaneously permits a second, attacker-controlled WIM to be appended to the SDI’s blob table.
BitUnlocker Downgrade Attack on Windows 11
The boot manager verifies the first legitimate WIM but actually boots from the second, which contains a WinRE image modified to launch cmd.exe with the BitLocker volume already decrypted and mounted.
Microsoft shipped a patched bootmgfw.efi binary via Windows Update in July 2025, but the patch alone does not close the attack surface. The root weakness is not a missing fix; it is an unrevoked signing certificate.
Secure Boot validates a binary’s signing certificate, not its version number. The legacy Microsoft Windows PCA 2011 certificate, used to sign all boot managers before the July 2025 fix, remains trusted in Secure Boot databases on virtually all machines currently in use, unless a fresh Windows installation was performed after early 2026.
This means a pre-patch bootmgfw.efi, signed under PCA 2011, is still considered completely valid by Secure Boot despite being vulnerable.
Mass revocation of PCA 2011 poses a significant operational challenge for Microsoft, as it would affect a wide range of legitimate signed binaries across the ecosystem.
Building on the original STORM research and prior work on the “bitpixie” downgrade exploit, Intrinsec researchers developed a working proof-of-concept that chains these weaknesses into a sub-five-minute attack. The attacker requires only physical access to the target workstation and a USB drive or PXE boot server.
The attacker prepares a modified BCD (Boot Configuration Data) file that points to a tampered SDI and serves an older, vulnerable PCA 2011-signed boot manager via USB or PXE. The target machine loads the pre-patch boot manager, which still passes Secure Boot validation.
Because PCR measurements 7 and 11 remain valid under the trusted PCA 2011 certificate, the TPM releases the BitLocker Volume Master Key without triggering any alerts, resulting in a command prompt with the OS volume fully decrypted and mounted.
Systems running TPM-only BitLocker without a PIN are fully vulnerable. The PoC is publicly available on GitHub, raising the urgency for enterprise defenders to act immediately.
Mitigations
Security teams should prioritize the following actions:
- Enable TPM + PIN pre-boot authentication — prevents the TPM from releasing the VMK during any manipulated boot sequence and is the single most effective control
- Deploy KB5025885 — migrates boot manager signing to the newer Windows UEFI CA 2023 certificate and introduces revocation controls that eliminate the downgrade path
- Verify boot manager certificate — mount the EFI partition and use sigcheck to confirm the active bootmgfw.efi is signed under CA 2023, not legacy PCA 2011
- Remove the WinRE recovery partition on high-security workloads where pre-boot authentication cannot be enforced, minimizing the exploitable attack surface.
Machines configured with TPM + PIN and systems that have completed the KB5025885 migration are protected against this downgrade path.
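As an added defender-side example (not from the article, Intrinsec or Microsoft), the PowerShell below checks the three conditions the mitigations rest on: which CA chain signed the active bootmgfw.efi, whether KB5025885 has placed Windows UEFI CA 2023 in the firmware db and revoked PCA 2011 in dbx, and whether the OS volume requires a PIN rather than TPM-only unlock. It assumes an elevated session on UEFI firmware and that drive letter S: is free; the function and report property names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or its researchers. Assumes S: is unused.

function Test-BitLockerDowngradeExposure {
    $report = [ordered]@{}

    # 1. Which certificate chain signed the active boot manager on the EFI partition?
    #    The article suggests sigcheck; Get-AuthenticodeSignature gives the same answer.
    mountvol S: /s | Out-Null
    try {
        $sig   = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $null  = $chain.Build($sig.SignerCertificate)   # offline Build may return $false; elements still populate
        $names = @($sig.SignerCertificate.Issuer) +
                 ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $report.BootMgrSignedByCA2023  = [bool]($names -match 'Windows UEFI CA 2023')
        $report.BootMgrSignedByPCA2011 = [bool]($names -match 'PCA 2011')
    } finally {
        mountvol S: /d | Out-Null
    }

    # 2. Firmware trust anchors after KB5025885: CA 2023 present in db, PCA 2011 listed in dbx.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $report.CA2023InDb     = $db  -match 'Windows UEFI CA 2023'
    $report.PCA2011Revoked = $dbx -match 'Microsoft Windows Production PCA 2011'

    # 3. Key protectors on the OS volume: TpmPin blocks VMK release on a manipulated boot.
    $protectors = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.KeyProtectorType
    $report.TpmPinProtector  = $protectors -contains 'TpmPin'
    $report.TpmOnlyProtector = ($protectors -contains 'Tpm') -and -not $report.TpmPinProtector

    # Exposed while an unrevoked PCA 2011 is still trusted and no pre-boot PIN is required.
    $report.ExposedToDowngrade = (-not $report.PCA2011Revoked) -and (-not $report.TpmPinProtector)
    [pscustomobject]$report
}

Test-BitLockerDowngradeExposure | Format-List
```

A machine is covered against the downgrade path described above when ExposedToDowngrade is False; a True PCA2011Revoked with BootMgrSignedByPCA2011 also True indicates a boot manager that will fail Secure Boot and should be updated before the next reboot.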