BitUnlocker is a proof-of-concept implementation built entirely on original research by Microsoft STORM. The discovery of CVE-2025-48804, the analysis of the SDI vulnerability in bootmgfw.efi, and the technique of leveraging Windows Recovery to extract BitLocker secrets were all documented and disclosed by the researchers listed below. This repository exists to demonstrate the practical impact of their findings in a controlled, reproducible way for the security research community.

Original research

The vulnerability and exploitation technique were first published by Netanel Ben Simon and Alon Leviev of Microsoft STORM.

BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets

Authors: Netanel Ben Simon and Alon Leviev — Microsoft STORM
Publication: Microsoft Security Blog (techcommunity.microsoft.com)
CVE: CVE-2025-48804

The blog post describes how a pre-patch bootmgfw.efi binary signed under the Microsoft Windows PCA 2011 certificate can be used to trigger Windows Recovery in a way that causes the TPM to unseal the BitLocker VMK and mount the encrypted OS volume in a controlled WinRE environment — bypassing BitLocker on fully patched Windows 11 systems in under five minutes with physical access.

CVE details

The table below summarizes the key attributes of the vulnerability as documented in the original research and associated advisory.
Field               Detail
CVE ID              CVE-2025-48804
Affected component  Windows Boot Manager (bootmgfw.efi)
Fixed in            July 2025 patch
Attack vector       Physical access — downgrade delivered via USB boot or PXE
Prerequisites       TPM-only BitLocker (PCR 7 + 11); Secure Boot still trusting Microsoft Windows PCA 2011
Impact              Bypasses BitLocker full-volume encryption; OS volume decrypted and mounted without the recovery key
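As an added example, not code from the BitUnlocker repository or from the Microsoft STORM research, the PowerShell audit below checks a single host for the preconditions listed in the table: Secure Boot enabled, the UEFI db still trusting the Microsoft Windows Production PCA 2011 certificate, and the OS volume guarded by a TPM-only protector bound to PCR 7 + 11. It goes one step beyond the table by also reporting whether the 2023 Windows UEFI CA is trusted and whether the 2011 PCA appears in dbx, since revoking that certificate is what removes the "still trusting PCA 2011" precondition. Assumptions: an elevated PowerShell 5.1 or later session on Windows 10/11 with the BitLocker module; the certificate subject strings and the English manage-bde output layout matched by the regular expressions are assumptions about current Windows builds, not facts taken from this page.

```powershell
# Added example, not part of the BitUnlocker project.
# Audits the local host for the preconditions listed in the CVE details table:
#   - Secure Boot enabled, with the UEFI db still trusting Microsoft Windows PCA 2011
#   - OS volume protected by a TPM-only BitLocker protector (no PIN / startup key)
#   - TPM protector bound to PCR 7 + 11 (Secure Boot based validation)
# Assumes: elevated PowerShell 5.1+ on Windows 10/11 with the BitLocker module.
# The certificate subject strings and the manage-bde output layout matched below
# are assumptions about current Windows builds, not values taken from the page.

#Requires -RunAsAdministrator

function Get-BitUnlockerExposure {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $r = [ordered]@{}

    # 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS firmware.
    try   { $r.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBootEnabled = $false }

    # 2. Signature databases. DER certificates embed their subject as printable
    #    text, so a substring search over the raw variable bytes is enough for a
    #    yes/no answer (subject names assumed).
    $ascii = [System.Text.Encoding]::ASCII
    $db  = $ascii.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = $ascii.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $r.DbTrustsWindowsPCA2011    = $db  -match 'Microsoft Windows Production PCA 2011'
    $r.DbTrustsWindowsUefiCa2023 = $db  -match 'Windows UEFI CA 2023'
    $r.DbxRevokesWindowsPCA2011  = $dbx -match 'Microsoft Windows Production PCA 2011'

    # 3. Key protectors on the OS volume.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $r.ProtectionStatus = $vol.ProtectionStatus.ToString()
    $r.KeyProtectors    = $types -join ', '
    # TPM-only means a bare 'Tpm' protector with no TpmPin / TpmStartupKey / TpmPinStartupKey.
    $r.TpmOnly = ($types -contains 'Tpm') -and
                 -not ($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })

    # 4. PCR binding, scraped from manage-bde (English output layout assumed).
    $mbde = (& manage-bde.exe -protectors -get $MountPoint 2>&1) -join "`n"
    if ($mbde -match 'PCR Validation Profile:\s*\n\s*([0-9, ]+)') {
        $r.PcrProfile = ($Matches[1].Trim() -split '\s*,\s*') -join ','
    } else {
        $r.PcrProfile = 'unknown'
    }

    # Verdict: every precondition from the table present at once.
    $r.MatchesPrerequisites = $r.SecureBootEnabled -and
                              $r.DbTrustsWindowsPCA2011 -and
                              -not $r.DbxRevokesWindowsPCA2011 -and
                              $r.TpmOnly -and
                              ($r.PcrProfile -eq '7,11')

    [pscustomobject]$r
}

Get-BitUnlockerExposure | Format-List
```

A host reporting MatchesPrerequisites = True has the configuration the table describes; the usual responses are applying the July 2025 update, adding a PIN or startup key so the protector is no longer TPM-only, and completing the certificate roll-over so that db trusts the 2023 CA while dbx revokes the 2011 PCA. Because manage-bde output is localized, treat PcrProfile = unknown as "check manually", not as "safe".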

Repository

This proof-of-concept implementation is maintained by garatc and is available at https://github.com/garatc/BitUnlocker.
Field       Detail
Author      garatc
License     MIT
Repository  https://github.com/garatc/BitUnlocker

This repository and all its contents are provided strictly for authorized security testing and research purposes. Only use this tool on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. The author assumes no liability for any misuse or damage resulting from the use of this material.
This project is licensed under the MIT License. See the LICENSE file in the repository root for the full license text and terms of use.