July 9, 2025
Severity
Medium
Analysis Summary
CVE-2025-48818 is a security feature bypass in Microsoft's BitLocker Device Encryption that lets an attacker with physical access to a device defeat the encryption through a time-of-check to time-of-use (TOCTOU) race condition. The flaw, classified as CWE-367, stems from a window between the point at which BitLocker checks an access condition and the point at which it acts on the result of that check; an attacker who can change state inside that window obtains access the check should have refused. Affected platforms are Windows 10 (1607, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2) and Windows Server (2016, 2022, 2025) on all supported architectures (32-bit, x64, ARM64). The CVSS 3.1 rating places the issue in the medium severity band because the attack vector is physical, but the impact on confidentiality, integrity and availability is rated high.
No authentication or user interaction is required beyond physical possession of the device. The attacker exploits the short interval after BitLocker has verified the state of the encrypted volume and before it grants access, manipulating the authentication flow during that interval so that full-disk encryption is effectively bypassed and data at rest such as cached user credentials, corporate files and system configuration becomes readable. Because BitLocker exists precisely to protect data on lost, stolen or unattended hardware, a physical-access bypass undermines its core guarantee in exactly the scenarios it is deployed for.
The vulnerability was reported by Microsoft's own Offensive Research & Security Engineering (MORSE) team, an example of internal research closing a gap before public exploitation. Microsoft has released fixes for all affected platforms (KB5062552, KB5062553, KB5062554, KB5062560). The fixed builds include Windows 10 22H2 (10.0.19045.6093), Windows 11 23H2 (10.0.22631.5624) and Windows Server 2025 (10.0.26100.4652); these updates close the race window so that the access check and its use can no longer be separated by an attacker.
Organizations should deploy the security updates immediately and enforce strict physical access controls on BitLocker-protected devices. Remote exploitation is not possible, so the exposure is concentrated on hardware that can be handled by an untrusted party: laptops used outside the office, devices in shared or public spaces, and servers in rooms without access control. Regular security audits, system monitoring and hardware access restrictions help detect and deter tampering. Until patch deployment is complete, any device that can be physically accessed should be treated as one whose disk encryption can be bypassed by a capable attacker.
Impact
- Sensitive Data Theft
- Gain Access
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-48818
Affected Vendors
- Microsoft
Remediation
- Deploy the latest Microsoft security updates addressing CVE-2025-48818: KB5062552, KB5062553, KB5062554 and KB5062560
- Confirm systems are on the fixed builds, for example Windows 10 22H2 – Build 10.0.19045.6093, Windows 11 23H2 – Build 10.0.22631.5624, and Windows Server 2025 – Build 10.0.26100.4652
- Limit physical access to systems with BitLocker enabled: locked server rooms, secure storage for portable devices, access badges and surveillance monitoring
- Perform periodic checks for unauthorized access attempts or tampering with BitLocker-protected systems.
- Implement strict policies for device usage, especially in shared or high-risk environments (e.g., laptops used outside the office).
- Use endpoint detection and monitoring tools to track suspicious access patterns, unexpected BitLocker recovery prompts or key protector changes, and failed integrity checks on protected systems.
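The following PowerShell script is an added example, not part of the advisory or any Microsoft tooling, that implements the first two remediation steps as a per-host check: it compares the local build and update build revision (UBR) against the fixed builds the advisory lists, looks for the four KB articles in the installed hotfix list, and reports the BitLocker protection state of every volume. The fixed-build table contains only the three builds the advisory names; SKUs not in that table (for example Windows 10 1607 or Server 2016/2022) are reported as unknown rather than guessed. It must be run in an elevated session on a host with the BitLocker PowerShell module available.

```powershell
# Added compliance check for CVE-2025-48818 (example code, not from the advisory).
# Fixed builds below are the ones the advisory lists; keys are CurrentBuildNumber,
# values are the minimum UBR that carries the fix.
$FixedBuilds = @{
    '19045' = 6093   # Windows 10 22H2            -> 10.0.19045.6093
    '22631' = 5624   # Windows 11 23H2            -> 10.0.22631.5624
    '26100' = 4652   # Windows 11 24H2 / Srv 2025 -> 10.0.26100.4652
}
# KB articles named in the advisory as carrying the fix
$AdvisoryKbs = 'KB5062552', 'KB5062553', 'KB5062554', 'KB5062560'

# CurrentBuildNumber + UBR is the reliable way to get the full 10.0.x.y build;
# [Environment]::OSVersion does not expose the UBR.
$cv        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build     = [string]$cv.CurrentBuildNumber
$ubr       = [int]$cv.UBR
$fullBuild = "10.0.$build.$ubr"

if ($FixedBuilds.ContainsKey($build)) {
    # Any UBR at or above the fixed one includes the fix (cumulative updates)
    $buildVerdict = if ($ubr -ge $FixedBuilds[$build]) { 'PATCHED' } else { 'VULNERABLE' }
} else {
    $buildVerdict = 'UNKNOWN (build not in advisory table; check vendor guidance)'
}

# Cross-check against installed hotfixes; cumulative updates show up here by KB ID.
$installedKbs = Get-HotFix |
    Where-Object { $AdvisoryKbs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# BitLocker state per volume. ProtectionStatus 'Off' on a FullyEncrypted volume means
# the key protectors are suspended, which is as exposed as no encryption at all.
$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Drive            = $_.MountPoint
        ProtectionStatus = $_.ProtectionStatus
        VolumeStatus     = $_.VolumeStatus
        KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ',')
    }
}

[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    Build       = $fullBuild
    Verdict     = $buildVerdict
    AdvisoryKBs = if ($installedKbs) { $installedKbs -join ',' } else { 'none found' }
} | Format-List

$volumes | Format-Table -AutoSize
```

Run it through your endpoint management tool or a remoting session (Invoke-Command) across the fleet and treat any host that reports VULNERABLE with ProtectionStatus On as a patching priority, and any host reporting ProtectionStatus Off as an immediate physical-security concern regardless of build. The UBR comparison is deliberately "greater than or equal" because later cumulative updates supersede the July release and still contain the fix.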