Cybersecurity Threat Advisory: BitUnlocker attack

A newly published proof of concept (PoC) tool called BitUnlocker demonstrates a dangerous downgrade attack that can bypass Microsoft’s BitLocker full‑disk encryption on Windows 11 devices. Continue reading this Cybersecurity Threat Advisory to minimize your risk.

What is the threat?

BitUnlocker exploits CVE‑2025‑48804, a vulnerability in Windows BitLocker that allows attackers to combine untrusted data with trusted boot components and bypass security protections using only physical access. The technique chains a boot manager downgrade with a modified Windows Recovery Environment (WinRE) to silently decrypt BitLocker‑protected drives. By leveraging legacy boot chain trust, attackers can gain full access to encrypted data in under five minutes without triggering recovery prompts.

Why is it noteworthy?

This threat is noteworthy because BitLocker relies on TPM validation to detect unauthorized boot changes. In this case, however, the malicious boot manager still appears legitimate because it carries a trusted Microsoft signature. This creates a dangerous gap where older, vulnerable boot components remain trusted even after security patches are applied.

The vulnerability affects TPM‑only and PCR 7+11 BitLocker configurations, which represent the most common enterprise defaults, exposing a broad range of corporate laptops and workstations. The exploit leverages the fact that Secure Boot continues to trust the legacy “Windows PCA 2011” certificate chain on many systems. Because the boot manager remains properly signed, the TPM treats the boot process as trusted and automatically releases BitLocker decryption keys. As a result, Windows does not trigger a recovery screen or warning during the attack.

What are the recommendations?