New “BitUnlocker” attack targeting BitLocker encryption on Windows 11 discovered

A new attack tool named “BitUnlocker” targeting BitLocker encryption on Windows 11 systems has been identified. According to reports, the tool demonstrates a practical downgrade attack that allows attackers with physical access to gain access to encrypted disks on patched Windows 11 devices within a short period of time.

According to the research, the attack is associated with the vulnerability tracked as CVE-2025-48804. The flaw was previously identified as one of the critical zero-day vulnerabilities addressed during Microsoft’s July 2025 “Patch Tuesday” security updates.

Researchers state that the vulnerability resides in the Windows Recovery Environment (WinRE) and involves the System Deployment Image (SDI) file mechanism. During the attack, the system verifies a legitimate WIM file, while the actual boot process is performed from a second attacker-modified WIM image. This modified WinRE image launches the cmd.exe process during system startup. At this stage, the BitLocker-protected volume is already decrypted and mounted by the system.

Microsoft released an updated bootmgfw.efi binary for supported systems through Windows Update in July 2025. However, researchers note that installing the patch alone does not completely eliminate the attack surface. The main factor enabling the BitUnlocker attack is not the absence of the patch, but the continued trust of the legacy signing certificate.

According to the findings, the attack does not require specialized hardware. Physical access, a USB device or a PXE boot server may be sufficient to perform the attack. The risk primarily affects systems configured with TPM-only BitLocker protection.

Devices configured with TPM + PIN are protected against this attack, as the system requires user interaction before releasing the encryption key. In addition, systems that have applied the KB5025885 update and migrated to the Windows UEFI CA 2023 certificate are considered protected against this downgrade attack scenario.
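The two protective conditions above can be checked on a machine with a short audit. This is an added example, not code from the researchers or from Microsoft. It assumes an elevated PowerShell session on a UEFI system, and the legacy certificate name it searches for in `dbx` is taken from Microsoft's KB5025885 guidance rather than from this article.

```powershell
#Requires -RunAsAdministrator
# Added audit sketch: reports whether the OS volume is TPM-only and whether
# the Secure Boot certificate migration described in the article is visible.

function Test-SecureBootVariable {
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        # Certificate subject names appear as ASCII text inside the variable data.
        return [System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern
    } catch {
        return $null   # unknown: legacy BIOS, Secure Boot unsupported, or variable unreadable
    }
}

# Name as written in the article.
$ca2023InDb = Test-SecureBootVariable -Name db -Pattern 'Windows UEFI CA 2023'
# Assumption: legacy certificate name from KB5025885 guidance, not from the article.
$legacyRevoked = Test-SecureBootVariable -Name dbx -Pattern 'Microsoft Windows Production PCA 2011'

Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # 'Tpm' alone releases the key with no user interaction at boot.
        $tpmOnly = $types -contains 'Tpm'
        # TpmPin / TpmPinStartupKey require a PIN before the key is released.
        $hasPin  = @($types -match '^TpmPin').Count -gt 0

        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            ProtectionStatus    = $_.ProtectionStatus
            KeyProtectors       = $types -join ', '
            TpmOnlyUnlock       = $tpmOnly
            PreBootPin          = $hasPin
            Ca2023InDb          = $ca2023InDb
            LegacyCertInDbx     = $legacyRevoked
            # Flag for review when neither protective condition is confirmed.
            NeedsReview         = ($tpmOnly -and -not $hasPin) -and
                                  -not ($ca2023InDb -and $legacyRevoked)
        }
    }
```

A `$null` in `Ca2023InDb` or `LegacyCertInDbx` means the Secure Boot variable could not be read, so the row is flagged for review rather than treated as protected.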
