With BitLocker, Microsoft added drive encryption to Windows that is also meant to withstand physical attacks, for example when a device is stolen. Vulnerabilities nevertheless keep surfacing, for instance by reading the secrets out of the computer's TPM. Another variant that currently works against many systems relies on the Windows Recovery Environment (WinRE).
Microsoft itself most recently documented such attacks via WinRE in May 2025 under the name “BitUnlocker” and released updates that are supposed to protect against them. IT researchers from Intrinsec have now found a way to bypass that protection once again, again via WinRE. For the practical relevance of the attacks, it is important to know that physical access to the device is required to bypass BitLocker this way.
BitUnlocker Attacks
According to the IT researchers, the attack chain presented by Microsoft starts with the boot manager loading the System Deployment Image (SDI) and the WIM file (Windows Imaging Format) referenced in it, and verifying the integrity of that WIM. If attackers add a second WIM entry to the SDI's blob table, the boot manager verifies the first WIM but loads the second, attacker-controlled one without checking it. That second WIM carries a WinRE image that can launch cmd.exe, and the resulting command prompt has access to the decrypted BitLocker volume: because the integrity check passed, BitLocker in the widely used auto-unlock mode (TPM-only, no pre-boot PIN) had already unlocked the drive at startup (CVE-2025-48804, CVSS 6.8, risk “medium”).
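The precondition the researchers describe is an OS volume that the TPM unlocks on its own at boot. The following PowerShell audit is an added example, not code from the article, from Microsoft or from Intrinsec: it lists each BitLocker volume's key protectors, flags volumes that rely on a TPM-only protector without any pre-boot authentication, and reports whether WinRE is enabled. Get-BitLockerVolume and reagentc.exe are standard Windows tools; the function names Get-BitLockerExposure and Get-WinREStatus are ours, and the script assumes an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added audit example (not from the article, Microsoft or Intrinsec).
# Reports which BitLocker volumes are unlocked by the TPM alone at startup,
# i.e. the auto-unlock configuration in which a WinRE-based bypass finds the
# OS volume already decrypted, and whether WinRE is enabled at all.
#Requires -RunAsAdministrator

function Get-BitLockerExposure {
    # Protector types that require something a thief does not have at boot.
    $preBootAuthTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector type names present on this volume.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            Protectors        = ($types -join ', ')
            # Exposed: protection is on, a bare TPM protector exists, and no
            # PIN, startup key or password protector accompanies it.
            TpmOnlyAutoUnlock = ($vol.ProtectionStatus -eq 'On') -and
                                ($types -contains 'Tpm') -and
                                -not ($types | Where-Object { $preBootAuthTypes -contains $_ })
        }
    }
}

function Get-WinREStatus {
    # reagentc has no cmdlet equivalent; parse the "Windows RE status" line.
    $info = & reagentc.exe /info 2>&1
    $line = $info | Where-Object { $_ -match 'Windows RE status' }
    if ($line -match ':\s*(\w+)') { return $Matches[1] }
    return 'Unknown'
}

$exposure = Get-BitLockerExposure
$exposure | Format-Table -AutoSize

"Windows RE status: $(Get-WinREStatus)"

$exposed = $exposure | Where-Object { $_.TpmOnlyAutoUnlock }
if ($exposed) {
    Write-Warning ("Volumes unlocked by the TPM alone (auto-unlock): " + ($exposed.MountPoint -join ', '))
    Write-Warning "Consider a TPM+PIN protector, e.g.: Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)"
}
```

The script only reports; it changes nothing. Adding a TPM+PIN protector, as the final warning suggests, requires the "Require additional authentication at startup" policy to permit a PIN, and it raises the bar for this class of attack because the TPM will not release the volume key until the PIN is entered, so a WinRE image started by an attacker finds the drive still locked. Whether the Intrinsec bypass is otherwise mitigated on a given build is not something this check can tell you.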