CVE-2025-48800 & Friends Enable BitLocker Bypass via Windows Recovery Environment

Published Date: August 11, 2025
Category: ShadowOpsIntel
Share:

Microsoft’s Offensive Research & Security Engineering (MORSE) team disclosed four zero-day vulnerabilities in the Windows Recovery Environment (WinRE) that allowed physical bypass of BitLocker encryption. Dubbed “BitUnlocker”, the attack chain exploited weak validation and parsing logic in WinRE to execute arbitrary commands, boot untrusted recovery images, and decrypt BitLocker-protected drives without authentication.

Severity Level: Moderate

Vulnerability Details

CVE IDDescriptionCVSS Score
CVE-2025-48800Bypasses Windows Imaging Format (WIM) validation by manipulating Boot.sdi offset pointers to load an untrusted recovery environment under the guise of a trusted one.6.8
CVE-2025-48003Exploits ReAgent.xml parsing flaws to schedule malicious actions (e.g., executing tttracer.exe for SYSTEM-level shell access).6.8
CVE-2025-48804Abuses WinRE app trust validation by leveraging SetupPlatform.exe to gain persistent command-line access via keyboard shortcuts.6.8
CVE-2025-48818Manipulates Boot Configuration Data (BCD) to redirect WinRE’s target OS location, enabling Push Button Reset to decrypt BitLocker volumes.6.8

The vulnerabilities stem from insufficient validation of external configuration files and trust assumptions within the Windows Recovery Environment. WinRE processes certain files (Boot.sdi, ReAgent.xml, BCD, and registered executables) from unprotected storage volumes, allowing malicious tampering that bypasses BitLocker’s authentication flow.

The vulnerabilities affect: Windows 10, Windows 11, and Windows Server (2016, 2019, 2022, 2025).

Exploitation Of The Vulnerability

  • Physical Access – Attacker gains physical control over a target machine.
  • Injection of Malicious Artifacts – Modifies Boot.sdi, ReAgent.xml, BCD, or deploys malicious executables on accessible volumes.
  • WinRE Boot Manipulation – Forces system into recovery mode, where crafted files are parsed without robust integrity checks.
  • Privilege Escalation & Bypass – Loads untrusted recovery environment or executes SYSTEM-level commands.
  • BitLocker Circumvention – Gains direct access to the encrypted volume without user authentication.

Recommendations

  1. Immediate Patch Deployment – Apply July 2025 updates to all affected systems.
  2. Enable TPM+PIN Pre-Boot Authentication – Adds a hardware-backed credential requirement before system boot.
  3. Activate REVISE Mitigation – Blocks rollback to vulnerable recovery images.

Source:

  • https://gbhackers.com/researchers-discover-multiple-zero-day-exploits-that-bypass-bitlocker/
  • https://i.blackhat.com/BH-USA-25/Presentations/US-25-Leviev-BitUnlocker-Leveraging-Windows-Recovery-To-Extract-BitLocker-Secrets.pdf

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.