Multiple Zero-Day Exploits Discover That Bypass BitLocker, Exposing All Encrypted Data

Microsoft security researchers have uncovered four critical vulnerabilities in Windows BitLocker that could allow attackers with physical access to bypass the encryption system and extract sensitive data.

The findings, revealed in research dubbed “BitUnlocker,” demonstrate sophisticated attack methods targeting the Windows Recovery Environment (WinRE) to circumvent Microsoft’s flagship data protection technology.

Security Flaws Target Windows Recovery Environment

The vulnerabilities, discovered by Alon Leviev and Netanel Ben Simon from Microsoft’s Offensive Research & Security Engineering (MORSE) team, exploit weaknesses in how WinRE processes external files and configurations.

The researchers identified four distinct attack vectors that allow unauthorized access to BitLocker-protected systems:

• CVE-2025-48800 enables attackers to bypass WIM (Windows Imaging Format) validation by manipulating the Boot.sdi file’s offset pointer, causing the system to boot an untrusted recovery environment while validating a trusted one.
• CVE-2025-48003 exploits ReAgent.xml parsing to schedule malicious operations, including launching tttracer.exe ...