
Serious Microsoft Security Flaw

BitLocker Security Hacked in Less Than 5 Minutes

Security researchers at Intrinsec have dropped a bombshell on the tech world by demonstrating a working method for bypassing the protection around Microsoft's disk encryption. With their newly released tool, BitUnlocker, an attacker can unlock and read a BitLocker-protected volume on a modern Windows 11 computer in under five minutes. All that is needed is physical access to the target workstation and an ordinary USB flash drive.

The flaw is exploited through a so-called downgrade attack: the firmware is made to load an older, still validly signed but vulnerable version of the Windows boot manager. The trick lives in the gap between Microsoft shipping a patched boot manager and the point at which the old signing certificate is actually revoked on the machine; until that revocation happens, the old binary still passes Secure Boot.

Technically, the hole is CVE-2025-48804, a vulnerability found by Microsoft's own offensive security research team (STORM) and patched, at least on paper, in the regular July 2025 updates. It lies in the Windows Recovery Environment (WinRE), specifically in how the boot path handles System Deployment Image (SDI) files, the RAM-disk images from which WinRE is loaded. The boot manager verifies the integrity of the legitimate WIM image, but a design flaw allows a second, attacker-modified image to be attached in parallel in the same boot configuration. The result is fatal: the integrity check runs against the original file, but it is the tampered WinRE that actually loads, and it drops straight into a Command Prompt with the system volume already unlocked and mounted.

Although Microsoft shipped a fixed bootmgfw.efi, the patch on its own turns out to be almost useless in practice. Secure Boot only checks that a boot file carries a valid signature chaining to a certificate in its trusted database (db) and that neither the file nor its signer has been revoked (dbx); it has no notion of a version number. The Microsoft Windows Production PCA 2011 certificate, under which all Windows boot files were signed before July 2025, is still trusted in the Secure Boot databases of almost every computer in the world (with the exception of machines cleanly installed after the start of 2026). Microsoft cannot simply revoke PCA 2011 in one step, because that would leave the existing boot managers, installation media and recovery media of an enormous number of machines unbootable. So an old, vulnerable but still validly signed boot manager continues to get a green light from Secure Boot.

The attack scenario itself is frighteningly simple. The attacker prepares a crafted Boot Configuration Data (BCD) store pointing at the malicious SDI image and boots the old boot manager from a USB stick. The firmware accepts it as a validly signed binary, and the Trusted Platform Module (TPM) releases the Volume Master Key (VMK) without raising any alarm: the measurements in PCR 7 and PCR 11 that the key is sealed against still hold their expected values, because the old boot manager is signed under the same trusted certificate as the new one. Control then passes to the tampered recovery environment with the volume already decrypted.

Currently, every computer on which BitLocker relies on a TPM-only protector, that is, automatic unlocking by the TPM with no pre-boot PIN, is fully exposed to this attack. Only users who have configured TPM + PIN protection are safe, because the TPM will not release the key until the PIN has been typed at the keyboard before boot. Systems that have completed the full migration to the new Windows UEFI CA 2023 certificate, including the revocation of PCA 2011, by following the steps in Microsoft's KB5025885 guidance are also protected, since the old boot manager then no longer boots.

IT security experts in the corporate sector advise taking protective measures immediately: roll out TPM + PIN pre-boot authentication at scale, and apply the KB5025885 migration and revocation steps, which stop the machine from booting the older boot manager. Administrators can use the free sigcheck tool from Sysinternals to verify that their boot managers are signed under the Windows UEFI CA 2023 certificate. For critical servers and workstations, where entering a PIN on every reboot is impractical, the most radical but also the most reliable option remains removing the WinRE recovery partition entirely.
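As an added example, not code from the Intrinsec research or from Microsoft, the following PowerShell script audits one machine for the exposure conditions described in the two paragraphs above: a TPM-only BitLocker protector, a boot manager still signed under PCA 2011 while PCA 2011 is not yet revoked in the Secure Boot DBX, and an enabled WinRE. It assumes an elevated session, that drive letter S: is free for mounting the EFI system partition, that reagentc prints English output, and that the certificate names can be found as ASCII inside the DER certificates stored in db and dbx (the same string match KB5025885 uses).

```powershell
#Requires -RunAsAdministrator
# Added audit script; not part of the Intrinsec research or of Microsoft's KB guidance.
# Checks the exposure conditions from the article:
#   1. an OS volume protected by a TPM-only BitLocker protector (no pre-boot PIN),
#   2. Secure Boot databases: Windows UEFI CA 2023 not yet trusted in DB, or
#      Microsoft Windows Production PCA 2011 not yet revoked in DBX,
#   3. the installed bootmgfw.efi still signed under PCA 2011,
#   4. an enabled Windows Recovery Environment.
# Assumptions: S: is a free drive letter, reagentc output is in English.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. BitLocker protectors on operating-system volumes.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("$($vol.MountPoint) BitLocker protection is $($vol.ProtectionStatus).")
    } elseif ($types -contains 'Tpm') {
        # 'Tpm' is the TPM-only protector; 'TpmPin' / 'TpmPinStartupKey' require the PIN.
        $findings.Add("$($vol.MountPoint) uses a TPM-only protector; switch to TPM + PIN " +
                      "(Add-BitLockerKeyProtector -TpmAndPinProtector).")
    }
}

# 2. Secure Boot state and the db/dbx certificate databases.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled.') }
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    if ($db -notmatch 'Windows UEFI CA 2023') {
        $findings.Add('Windows UEFI CA 2023 is not in DB: the CA 2023 migration has not started.')
    }
    if ($dbx -notmatch 'Microsoft Windows Production PCA 2011') {
        $findings.Add('PCA 2011 is not in DBX: any boot manager signed under it, old or new, still boots.')
    }
} catch {
    $findings.Add("Secure Boot query failed (legacy BIOS or unsupported firmware): $($_.Exception.Message)")
}

# 3. Issuer of the installed boot manager on the EFI system partition.
$esp = 'S:'   # assumed unused drive letter
mountvol $esp /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
    if ($sig.SignerCertificate.Issuer -match 'PCA 2011') {
        $findings.Add("bootmgfw.efi is still signed under PCA 2011 (issuer: $($sig.SignerCertificate.Issuer)).")
    }
} finally {
    mountvol $esp /D | Out-Null
}

# 4. WinRE status (reagentc /info prints 'Windows RE status: Enabled' or 'Disabled').
if (((reagentc /info) -join "`n") -match 'Windows RE status:\s+Enabled') {
    $findings.Add('WinRE is enabled; where a PIN is not an option, "reagentc /disable" removes this path.')
}

if ($findings.Count -eq 0) {
    'No exposure indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell prompt. The boot manager check reads the Authenticode issuer directly; the same information is shown by the sigcheck tool the article mentions, for example `sigcheck64.exe -i S:\EFI\Microsoft\Boot\bootmgfw.efi` while the EFI partition is mounted, which prints the full signing chain.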