Microsoft’s Offensive Research & Security Engineering (MORSE) team disclosed four zero-day vulnerabilities in the Windows Recovery Environment (WinRE) that allowed physical bypass of BitLocker encryption. Dubbed “BitUnlocker”, the attack chain exploited weak validation and parsing logic in WinRE to execute arbitrary commands, boot untrusted recovery images, and decrypt BitLocker-protected drives without authentication.
Severity Level: Moderate
Vulnerability Details
| CVE ID | Description | CVSS Score |
| CVE-2025-48800 | Bypasses Windows Imaging Format (WIM) validation by manipulating Boot.sdi offset pointers to load an untrusted recovery environment under the guise of a trusted one. | 6.8 |
| CVE-2025-48003 | Exploits ReAgent.xml parsing flaws to schedule malicious actions (e.g., executing tttracer.exe for SYSTEM-level shell access). | 6.8 |
| CVE-2025-48804 | Abuses WinRE app trust validation by leveraging SetupPlatform.exe to gain persistent command-line access via keyboard shortcuts. | 6.8 |
| CVE-2025-48818 | Manipulates Boot Configuration Data (BCD) to redirect WinRE’s target OS location, enabling Push Button Reset to decrypt BitLocker volumes. | 6.8 |
The vulnerabilities stem from insufficient validation of external configuration files and trust assumptions within the Windows Recovery Environment. WinRE processes certain files (Boot.sdi, ReAgent.xml, BCD, and registered executables) from unprotected storage volumes, allowing malicious tampering that bypasses BitLocker’s authentication flow.
The vulnerabilities affect: Windows 10, Windows 11, and Windows Server (2016, 2019, 2022, 2025).
Exploitation Of The Vulnerability
- Physical Access – Attacker gains physical control over a target machine.
- Injection of Malicious Artifacts – Modifies Boot.sdi, ReAgent.xml, BCD, or deploys malicious executables on accessible volumes.
- WinRE Boot Manipulation – Forces system into recovery mode, where crafted files are parsed without robust integrity checks.
- Privilege Escalation & Bypass – Loads untrusted recovery environment or executes SYSTEM-level commands.
- BitLocker Circumvention – Gains direct access to the encrypted volume without user authentication.
Recommendations
- Immediate Patch Deployment – Apply July 2025 updates to all affected systems.
- Enable TPM+PIN Pre-Boot Authentication – Adds a hardware-backed credential requirement before system boot.
- Activate REVISE Mitigation – Blocks rollback to vulnerable recovery images.
Source:
- https://gbhackers.com/researchers-discover-multiple-zero-day-exploits-that-bypass-bitlocker/
- https://i.blackhat.com/BH-USA-25/Presentations/US-25-Leviev-BitUnlocker-Leveraging-Windows-Recovery-To-Extract-BitLocker-Secrets.pdf
Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn
No related posts found.