Severity
High
Analysis Summary
Researchers from Microsoft’s Security Testing & Offensive Research (STORM) team have uncovered four vulnerabilities in the Windows Recovery Environment (WinRE) that bypass BitLocker full-volume encryption, allowing an attacker with brief physical access to a device to extract all protected data within minutes. These flaws, CVE-2025-48800, CVE-2025-48003, CVE-2025-48804 and CVE-2025-48818, undermine BitLocker’s security model by abusing recovery mechanisms that the measured boot chain treats as trusted and therefore unlocks the OS volume for. They affect Windows 10, Windows 11 and Windows Server editions and pose a severe risk to enterprise and consumer systems alike, especially laptops that travel or are left in unsecured environments.
Each vulnerability targets a different WinRE component. CVE-2025-48800 tampers with the WIM offset stored in the Boot.sdi file so that validation passes while a different, attacker-supplied recovery image is what actually loads, all under a trusted-looking boot. CVE-2025-48003 abuses WinRE’s offline antivirus scan: the tttracer.exe Time Travel Debugging utility is used to launch a privileged command prompt with full access to the unlocked disk. CVE-2025-48804 abuses the trusted SetupPlatform.exe application; by editing its configuration files an attacker registers shortcuts that keep launching elevated prompts. The most involved, CVE-2025-48818, modifies the Boot Configuration Data used by the Push Button Reset (PBR) flow so that WinRE loads a malicious ResetSession.xml, which ends with the BitLocker volume decrypted through the unencrypted recovery partition. The common thread is that none of these paths requires the attacker to recover a key: each rides on the access that trusted recovery code already has.
These attacks are dangerous because they run while WinRE is in its “Auto-Unlock” state: the TPM has already released the volume key to the trusted recovery boot path, so the OS volume stays readable and none of the abused flows triggers BitLocker’s re-locking. In practice the attacker boots the device into WinRE and opens a command prompt there (Shift+F10 is the standard shortcut once recovery is running); from that prompt they have persistent full-disk access and can copy sensitive data, credentials and configuration without the OS or its security agents ever running to observe it. Microsoft rated all four “Important” with a CVSS 3.1 base score of 6.8 (Medium, held down by the Physical attack vector), though the researchers argue the real-world impact is far greater given how little effort exploitation takes.
Microsoft fixed all four in the July 2025 Patch Tuesday updates for every affected version. To reduce exposure, the company urges organizations to enable TPM+PIN pre-boot authentication, deploy the REVISE anti-rollback mitigation so that patched boot components cannot be downgraded, and install the July 2025 security updates promptly. The wider lesson is that trusted recovery tooling, which the boot chain must unlock the disk for, is itself a high-impact attack surface; full-disk encryption in a physical-access threat model is only as strong as the least-secured component that chain trusts.
Impact
- Gain Access
- Security Bypass
- Code Execution
Indicators of Compromise
CVE
CVE-2025-48800
CVE-2025-48003
CVE-2025-48804
CVE-2025-48818
Affected Vendors
Microsoft
Remediation
- Enable TPM+PIN authentication for pre-boot verification, so the TPM does not release the OS volume key, to WinRE or to anything else, until the user has entered the PIN.
- Deploy the REVISE mitigation for anti-rollback protection, so that patched boot components cannot be swapped back for older, still-signed vulnerable ones.
- Apply the July 2025 Patch Tuesday security updates on all Windows 10, Windows 11 and Windows Server systems, and re-baseline the WinRE image afterwards, since servicing changes it.
- Restrict or disable WinRE (reagentc /disable) in environments where physical security cannot be guaranteed.
- Regularly audit Boot Configuration Data (BCD) and the WinRE partition (Winre.wim, boot.sdi, ReAgent.xml) for unauthorized modifications.
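The PowerShell script below is an added example, not code from the advisory or from Microsoft, that turns the remediation items above (and the TPM+PIN and patching advice in the summary) into a single host audit: it checks the OS volume for a TPM+PIN protector, reports WinRE status and location, lists updates installed since the July 2025 Patch Tuesday, parses the BCD for ramdisk entries that do not point at the expected Winre.wim and boot.sdi (or that carry a one-shot bootsequence), and hashes the WinRE image files against a stored baseline. It assumes Windows PowerShell 5.1 or later with the BitLocker module, English reagentc/bcdedit output, and, for the hash check, that the recovery partition has already been given a drive letter (for example with diskpart) and is passed as -RecoveryRoot; the function names, the baseline JSON format and the Add-PreBootPin helper are the script’s own.

```powershell
#Requires -RunAsAdministrator
# Added host audit for the remediation list above (not from the advisory or Microsoft).
# Assumes: Windows PowerShell 5.1+ with the BitLocker module; English reagentc/bcdedit output;
# for the hash check, the recovery partition already has a drive letter, passed as -RecoveryRoot.
[CmdletBinding()]
param(
    [string]$RecoveryRoot,                                            # e.g. 'R:\' (assumed, see above)
    [string]$BaselinePath = "$env:ProgramData\winre-baseline.json",   # our own baseline format
    [datetime]$PatchCutoff = [datetime]'2025-07-08'                   # July 2025 Patch Tuesday
)

function New-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-PreBootAuth {
    # Remediation 1: without a TPM+PIN style protector the TPM unseals the OS volume key for any
    # trusted boot path, WinRE included, which is exactly the Auto-Unlock state the flaws abuse.
    $vol    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types  = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $hasPin = [bool]($types | Where-Object { $_ -like 'TpmPin*' })   # TpmPin or TpmPinStartupKey
    New-Result 'TPM+PIN protector on OS volume' (($vol.ProtectionStatus -eq 'On') -and $hasPin) ($types -join ',')
}

function Add-PreBootPin([securestring]$Pin) {
    # Remediation 1, enforcement: FVE policy must permit a startup PIN before the protector is added
    # (UseAdvancedStartup=1; UseTPMPIN 1=Require, 2=Allow). Not called by default; run it deliberately.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 1 -Type DWord
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $Pin | Out-Null
}

function Get-WinReState {
    # Remediation 4: report whether WinRE is enabled and where Winre.wim lives.
    # Where physical security is weak, 'reagentc /disable' removes this attack surface entirely.
    $text   = (& reagentc.exe /info 2>&1) -join "`n"
    $status = [regex]::Match($text, 'Windows RE status:\s*(\w+)').Groups[1].Value
    $where  = [regex]::Match($text, 'Windows RE location:\s*(\S+)').Groups[1].Value
    New-Result 'WinRE status' $true "$status $where"
}

function Test-PatchLevel([datetime]$Cutoff) {
    # Remediation 3: coarse check that updates landed on/after the cutoff. The KB of the July 2025
    # cumulative update for each build is not on this page; confirm it against the MSRC advisories.
    $recent = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $Cutoff })
    New-Result "Updates since $($Cutoff.ToString('yyyy-MM-dd'))" ($recent.Count -gt 0) (($recent.HotFixID) -join ',')
}

function Get-WinReBcdEntries {
    # Remediation 5: parse 'bcdedit /enum all' (entries are blank-line separated, 'key   value' rows)
    # and flag any entry that boots a ramdisk from an unexpected WIM, names an unexpected boot.sdi,
    # or carries a one-shot 'bootsequence', which is how the next boot gets redirected.
    $raw = (& bcdedit.exe /enum all) -join "`n"
    foreach ($block in ($raw -split "`n\s*`n")) {
        $e = @{}
        foreach ($line in ($block -split "`n")) {
            if ($line -match '^(\S+)\s{2,}(.+)$') { $e[$Matches[1]] = $Matches[2].Trim() }
        }
        $wim = if ($e.device -match 'ramdisk=\[[^\]]*\](\S+?),') { $Matches[1] } else { $null }
        if ($wim -or $e.ramdisksdipath -or $e.bootsequence) {
            $ok = (-not $wim -or $wim -like '*\Recovery\WindowsRE\Winre.wim') -and
                  (-not $e.ramdisksdipath -or $e.ramdisksdipath -like '*\Recovery\WindowsRE\boot.sdi') -and
                  (-not $e.bootsequence)
            New-Result "BCD $($e.identifier) $($e.description)" $ok "wim=$wim sdi=$($e.ramdisksdipath) bootsequence=$($e.bootsequence)"
        }
    }
}

function Test-RecoveryImageBaseline([string]$Root, [string]$Baseline) {
    # Remediation 5: SHA-256 the files WinRE boots from and compare with a stored baseline (written on
    # the first run). Re-baseline after servicing: updates legitimately replace Winre.wim.
    $now = @{}
    foreach ($rel in 'Recovery\WindowsRE\Winre.wim', 'Recovery\WindowsRE\boot.sdi', 'Recovery\WindowsRE\ReAgent.xml') {
        $p = Join-Path $Root $rel
        if (Test-Path $p) { $now[$rel] = (Get-FileHash -Algorithm SHA256 -Path $p).Hash }
    }
    if (-not (Test-Path $Baseline)) {
        $now | ConvertTo-Json | Set-Content -Path $Baseline
        return New-Result 'WinRE image hashes' $true "baseline written to $Baseline"
    }
    $old     = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
    $changed = @($now.Keys | Where-Object { $old.$_ -ne $now[$_] })
    New-Result 'WinRE image hashes' ($changed.Count -eq 0) ($changed -join ';')
}

$results = @(Test-PreBootAuth; Get-WinReState; Test-PatchLevel $PatchCutoff) + @(Get-WinReBcdEntries)
if ($RecoveryRoot) { $results += Test-RecoveryImageBaseline $RecoveryRoot $BaselinePath }
$results | Format-Table Check, Pass, Detail -AutoSize -Wrap
```

Run it elevated, for example as `.\Audit-WinRe.ps1 -RecoveryRoot R:\` once the recovery partition has a letter; every row with Pass = False is something to look at. The BCD and hash checks are the ones that catch the tampering the advisory describes (a redirected Winre.wim, a modified boot.sdi, an altered recovery entry), and they only stay meaningful if the baseline is refreshed right after each servicing cycle. The REVISE mitigation is applied by following Microsoft’s own deployment guidance and is outside what this script checks.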