BitUnlocker bypasses TPM-only Windows 11 BitLocker

Security researchers at Intrinsec released BitUnlocker, a tool bypassing Windows 11 BitLocker encryption in under five minutes. The attack uses a downgrade technique to access drives by exploiting a gap between software patching and certificate revocation. The issue is rooted in CVE-2025-48804, a vulnerability patched in July 2025, and the flaw resides within the Windows Recovery Environment and System Deployment Image mechanism.

The attack requires physical access to the target machine. With that access, an attacker can use a flash drive to present the boot manager with a legitimate Windows Imaging Format file for integrity checks while appending a malicious payload. The system verifies the clean file but then boots the attacker’s code, which grants access to the decrypted volume.

The downgrade path is central to the technique. Because Microsoft’s legacy Windows PCA 2011 certificate remains globally trusted by Secure Boot, attackers can load an older, vulnerable boot manager and have it authenticated by the system. That allows patched systems to remain exposed when older trusted components can still be used during the boot process.