BitUnlocker is a proof-of-concept that demonstrates how BitLocker-encrypted disks on fully patched Windows 11 machines can be accessed in under 5 minutes by exploiting a boot manager downgrade attack. The vulnerability, documented as CVE-2025-48804, affects systems whose Secure Boot database still trusts the Microsoft Windows PCA 2011 certificate. The July 2025 patch fixes bootmgfw.efi, but any pre-patch binary signed under PCA 2011 can be used to load a tampered WinRE environment, bypassing TPM-sealed BitLocker keys without a recovery password.
Documentation Index
The complete documentation index is available at: https://mintlify.com/garatc/BitUnlocker/llms.txt
How It Works
Understand the downgrade attack chain, the SDI vulnerability, and why pre-patch boot managers expose the BitLocker VMK.
Prerequisites
Physical access, Secure Boot trust requirements, and the hardware/software you need before starting.
USB Boot (Recommended)
The simplest delivery method: format a FAT32 USB stick and trigger a UEFI boot in under 5 minutes.
PXE Boot
Network-based delivery using dnsmasq over Ethernet — useful when USB ports are restricted.
Build a Custom SDI
Use patch_sdi.py to append your own WinRE.wim to a stock boot.sdi and redirect the WIM blob pointer.
Mitigations
How to protect against this attack: TPM+PIN, CA 2023 migration, KB5025885, and PCR policy hardening.
Quick overview
Obtain boot_patched.sdi
Download the pre-built boot_patched.sdi from the GitHub Releases page, or build your own from a stock boot.sdi and a modified WinRE.wim.
Modify the BCD on the target
Open a WinRE command prompt on the target machine and use bcdedit to redirect the ramdisk SDI path to \sdi\boot_patched.sdi. See Modify BCD for exact commands.