BitUnlocker Bypasses BitLocker: A New Windows 11 Downgrade Attack

BitUnlocker is a newly revealed downgrade attack on Windows 11’s BitLocker encryption, letting attackers with physical access unlock drives in under five minutes.

  • May 13, 2026

BitLocker Under Siege: What is BitUnlocker?

BitUnlocker represents a new attack technique that allows attackers to disable the BitLocker disk encryption of Microsoft’s operating system Windows 11. The exploit relies on a vulnerability (CVE-2025-48804), which was addressed by Microsoft in July 2025.

From a practical perspective, a user with physical access to a computer needs only a few minutes to decrypt its volume, using an exploit against Windows Recovery Environment (WinRE) boot images.

However, instead of exploiting unpatched code, the vulnerability exists because WinRE uses a signing certificate that was compromised years ago. Namely, the Windows Secure Boot component still treats the old PCA 2011 signing certificate as trusted.

How the Downgrade Attack Works

The attack chain abuses WinRE’s boot validation process. When the boot manager loads a trusted recovery WIM file from the System Deployment Image (SDI), BitUnlocker also appends a second, malicious WIM to the SDI’s table. Secure Boot still validates the original WIM, but then the system boots the injected, attacker-controlled image instead. That modified recovery image immediately drops to a command shell with the BitLocker volume already unlocked and mounted. In effect, the attacker has gained an unlocked environment on the target machine without needing the user’s key.

Important stages in the attack chain involve:

  • Modified Boot Configuration Data (BCD): The attacker prepares a BCD whose references point to an SDI file that will contain a malicious WIM.
  • Legacy Bootloader: A pre-patch bootmgfw.efi, signed with Microsoft’s previous PCA 2011 certificate, is loaded from a USB stick or a PXE server.
  • Normal Boot Process: The computer is booted from a USB stick carrying the old version of the bootloader. Because the signature is still trusted, Secure Boot allows it and the measurements pass.
  • Silent Decryption: The TPM considers the measurements correct for that old certificate and therefore reveals the BitLocker Volume Master Key, decrypting the operating system volumes. In summary, this leads to a WinRE command prompt with full access to the hard drive.
[Infographic: BitUnlocker, critical exposure. Root vulnerability: PCA 2011 certificate downgrade (Secure Boot retains trust for legacy signatures, allowing modern protection bypass via unpatched WinRE). Targeted platform: Windows 11. Access vector: physical / USB. Decryption window: 5 minutes, zero knowledge required. Exploitation chain: 01 BCD injection (attacker appends unauthorized recovery images to the SDI table); 02 trust hijack (legacy PCA 2011 validation, the system validates the older bootloader as a trusted entity); 03 VMK leak (silent volume decryption, the TPM releases keys to the modified shell without user passwords). Xcitium Threat Labs © 2026]

Who is At Risk?

Not all machines are equally vulnerable. The deciding question is whether Secure Boot still trusts the legacy PCA 2011 certificate. Typically, any machine running Windows 11 (22H2) that was not updated to the new UEFI CA 2023 certificate before early 2026 will be susceptible. In particular:

  • TPM-Only BitLocker: Any laptops/PCs utilizing BitLocker with TPM encryption alone and no PIN will be completely susceptible to an attack if Secure Boot retains the legacy PCA 2011 certificate, enabling the TPM to automatically decrypt the hard drive as part of the manipulated boot process.
  • TPM + PIN BitLocker: Devices requiring a pre-boot PIN are safe since the TPM won’t give away the decryption key without entering the PIN. Thus, the attacker won’t be able to carry out the attack successfully.
  • UEFI Certificate Update: Machines running Microsoft KB5025885 (updated boot manager to CA 2023) and freshly installed Windows 11 after 2026 will not be affected since Secure Boot will simply refuse to launch the legacy bootloader.
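The three conditions above can be checked from the device itself. The script below is an added example for this article, not code from Xcitium or Microsoft; it reads the Secure Boot DB/DBX variables (the same string checks Microsoft documents for KB5025885), inspects the OS volume’s BitLocker key protectors, and flags the combination the article describes as exposed (TPM-only protector and PCA 2011 not revoked). The function name is an assumption; run it elevated.

```powershell
# Added example (not from the article or from Xcitium): read-only posture check
# for the conditions the article names. Run elevated on the Windows 11 device.
#Requires -RunAsAdministrator

function Get-BitUnlockerExposure {
    param([string]$OsDrive = $env:SystemDrive)   # e.g. "C:"

    $result = [ordered]@{}

    # 1. Secure Boot must be on at all; without it nothing below matters.
    $result.SecureBootEnabled = Confirm-SecureBootUEFI

    # 2. The Windows UEFI CA 2023 certificate must be present in the allowed DB
    #    (one of the KB5025885 verification steps).
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)
    $result.UefiCa2023InDb = $db -match 'Windows UEFI CA 2023'

    # 3. The legacy PCA 2011 certificate must be revoked in DBX; otherwise an old
    #    bootmgfw.efi signed by it is still accepted (the downgrade path).
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).bytes)
    $result.Pca2011Revoked = $dbx -match 'Microsoft Windows Production PCA 2011'

    # 4. Key protectors on the OS volume. A bare "Tpm" protector unseals the VMK
    #    automatically during boot; the article's mitigation is TPM+PIN. Startup-key
    #    variants are counted as pre-boot factors too (an assumption beyond the text).
    $vol   = Get-BitLockerVolume -MountPoint $OsDrive
    $types = @($vol.KeyProtector.KeyProtectorType)
    $result.ProtectionOn = ($vol.ProtectionStatus -eq 'On')
    $result.TpmOnly      = ('Tpm' -in $types)
    $result.PreBootAuth  = @($types | Where-Object {
        $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey' }).Count -gt 0

    # Verdict: exposed when the legacy bootloader is still trusted AND the TPM
    # will release the VMK with no pre-boot authentication.
    $result.Exposed = $result.ProtectionOn -and $result.TpmOnly -and
                      (-not $result.PreBootAuth) -and (-not $result.Pca2011Revoked)

    [pscustomobject]$result
}

Get-BitUnlockerExposure | Format-List
```

A device reporting `Exposed : True` matches the TPM-only case in the list above; `Pca2011Revoked : False` with `UefiCa2023InDb : True` means the new CA was installed but the legacy certificate has not yet been revoked, so the downgrade remains possible.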

Note that this threat isn’t directly related to missing patches but rather to a misconfigured security measure.

Real-World Impact

Using BitUnlocker, a hacker will be able to perform the entire operation of unlocking a stolen or left-alone Windows 11 laptop within 5 minutes. All the necessary information for completing the entire process is publicly available in a GitHub repository. Highlights include:

  • Fast Attack: It is possible to complete the attack and get the decrypted shell within five minutes.
  • Simple Requirements: Physical access to the machine with the ability to boot via USB or PXE.
  • Full Bypass: No user intervention or BitLocker password is needed; the volume is decrypted in WinRE.

This comes after previous research efforts referred to as “bitpixie.”

Key Takeaways

  • The Legacy Certificate is the Vulnerable Component: On most machines, Secure Boot still relied on the legacy 2011 certificate before 2025, allowing the attacker to load a vulnerable bootloader.
  • A Patch is Not Enough: Apply Microsoft’s July 2025 patch, but also move to the UEFI CA 2023 certificate (KB5025885), or add extra preboot authentication.
  • A TPM+PIN Prevents This Attack: Requiring a PIN for BitLocker means the TPM will not release the key without pre-boot authentication, preventing the exploit.
  • Move Quickly: Now that there is a public proof-of-concept, IT departments must act fast.

Conclusion: When BitLocker Trust Fails Before Windows Starts

BitUnlocker shows why encryption is only as strong as the boot chain that protects it. This attack does not brute-force BitLocker or steal the recovery key. It abuses legacy trust in Microsoft’s PCA 2011 certificate, loads a vulnerable boot path, and silently unlocks the drive through WinRE in minutes.

Why This Threat Matters

This is a physical-access attack, but the impact is immediate.

  • A stolen or unattended Windows 11 laptop can be unlocked in under five minutes.
  • TPM-only BitLocker devices are fully exposed when Secure Boot still trusts the legacy PCA 2011 certificate.
  • The attacker does not need the user’s password, BitLocker key, or interaction.
  • TPM plus PIN prevents the attack because the key is not released without pre-boot authentication.

Why Organizations Stay Exposed

Many devices still rely on assumptions that were safe only when the boot chain was trustworthy. Legacy certificates, TPM-only configurations, and delayed UEFI CA 2023 rollout leave encrypted laptops vulnerable to downgrade abuse.

Where Xcitium Changes the Outcome

For organizations using Xcitium Vulnerability Assessment, this exposure should be visible before a stolen device becomes a data breach.

  • Devices still relying on legacy Secure Boot trust can be identified for remediation.
  • Missing KB5025885 and UEFI CA 2023 readiness gaps can be prioritized.
  • TPM-only BitLocker configurations can be flagged for stronger pre-boot protection.

If you have Xcitium in place, this attack does not succeed the same way, because the vulnerable configuration is identified and corrected before physical access turns into decrypted data.

Secure the Boot Chain Before Trust Is Abused

BitLocker protects data at rest only when Secure Boot, TPM policy, and recovery configuration work together. Move to UEFI CA 2023, apply Microsoft guidance, require TPM plus PIN for high-risk systems, and treat boot-chain hygiene as a data protection control.
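For the TPM-plus-PIN recommendation, the following is an added example (not code from Xcitium or Microsoft) of moving an OS volume from a TPM-only protector to TPM+PIN with the built-in BitLocker cmdlets. It assumes the "Require additional authentication at startup" policy already allows a TPM PIN, since Add-BitLockerKeyProtector refuses a TPM+PIN protector otherwise; the function name and the prompt are assumptions.

```powershell
# Added example (not from the article or from Xcitium): replace a TPM-only
# protector with TPM+PIN on the OS volume. Assumes policy permits a TPM PIN.
#Requires -RunAsAdministrator

function Enable-TpmPinProtector {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin   # collected interactively, never hard-coded
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Ensure a recovery password exists before touching protectors, so a
    # forgotten PIN does not become a lockout. Escrow it afterwards per your
    # policy (e.g. Backup-BitLockerKeyProtector to AD or Entra ID).
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Add TPM+PIN first, then remove the TPM-only protector(s). Order matters:
    # removing the last TPM protector before adding the new one would leave the
    # volume unlockable only with the recovery password.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # Return the final protector set so the caller can verify TPM-only is gone.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

$pin = Read-Host -Prompt 'New BitLocker PIN' -AsSecureString
Enable-TpmPinProtector -MountPoint 'C:' -Pin $pin
```

The returned list should show TpmPin (plus RecoveryPassword) and no bare Tpm entry; the next reboot will prompt for the PIN before the TPM releases the key.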
