BitUnlocker is a proof-of-concept implementation built entirely on original research by Microsoft STORM. The discovery of CVE-2025-48804, the analysis of the SDI vulnerability in bootmgfw.efi, and the technique of leveraging Windows Recovery to extract BitLocker secrets were all documented and disclosed by the researchers listed below. This repository exists to demonstrate the practical impact of their findings in a controlled, reproducible way for the security research community.
Original research

The vulnerability and exploitation technique were first published by Netanel Ben Simon and Alon Leviev of Microsoft STORM.

BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets

Authors: Netanel Ben Simon and Alon Leviev — Microsoft STORM
Publication: Microsoft Security Blog (techcommunity.microsoft.com)
CVE: CVE-2025-48804

The blog post describes how a pre-patch bootmgfw.efi binary signed under the Microsoft Windows PCA 2011 certificate can be used to trigger Windows Recovery in a way that causes the TPM to unseal the BitLocker VMK and mount the encrypted OS volume in a controlled WinRE environment — bypassing BitLocker on fully patched Windows 11 systems in under five minutes with physical access.

CVE details
The table below summarizes the key attributes of the vulnerability as documented in the original research and associated advisory.

| Field | Detail |
|---|---|
| CVE ID | CVE-2025-48804 |
| Affected component | Windows Boot Manager (bootmgfw.efi) |
| Fixed in | July 2025 patch |
| Attack vector | Physical access — downgrade delivered via USB boot or PXE |
| Prerequisites | TPM-only BitLocker (PCR 7 + 11); Secure Boot still trusting Microsoft Windows PCA 2011 |
| Impact | Bypasses BitLocker full-volume encryption; OS volume decrypted and mounted without the recovery key |
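As an added, defender-side example (not code from the BitUnlocker project or from the original researchers), the PowerShell below reports whether a machine still meets the two prerequisites listed in the table: a TPM-only protector on the OS volume, and a Secure Boot db that trusts Microsoft Windows Production PCA 2011 without dbx revoking it. It assumes an elevated session on a UEFI machine with the BitLocker module available; the certificate check is an ASCII substring search over the raw db/dbx variable bytes rather than a full EFI_SIGNATURE_LIST parse, and the function names are my own.

```powershell
# Added defender-side check; not part of the BitUnlocker project.
# Reports whether this machine still matches the prerequisites in the CVE table:
#   1. TPM-only BitLocker on the OS volume (no PIN / startup key protector)
#   2. Secure Boot db still trusts "Microsoft Windows Production PCA 2011" and
#      dbx does not revoke it
# Requires an elevated PowerShell session on a UEFI system with the BitLocker module.
# Assumption: the substring search over raw signature-database bytes is a heuristic,
# not a full EFI_SIGNATURE_LIST parser.

function Get-TpmOnlyBitLockerVolumes {
    # OS volumes whose protector set is a bare TPM protector. TpmPin, TpmStartupKey
    # and TpmPinStartupKey require user input at boot and are not "TPM-only".
    Get-BitLockerVolume | Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -eq 'On'
    } | Where-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        ($types -contains 'Tpm') -and
        -not ($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
    }
}

function Test-SecureBootDbContains {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'dbx')][string]$Name,
        [Parameter(Mandatory)][string]$Subject
    )
    # The certificate subject is stored as an ASCII PrintableString inside the DER
    # certificate, so an ASCII substring match over the raw variable bytes is enough
    # to tell whether that CA certificate is present in db (trusted) or dbx (revoked).
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -like "*$Subject*")
}

function Get-BitLockerDowngradeExposure {
    $pca2011 = 'Microsoft Windows Production PCA 2011'

    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware.
    $secureBootOn = $false
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }

    $trustsPca2011  = $secureBootOn -and (Test-SecureBootDbContains -Name db  -Subject $pca2011)
    $revokesPca2011 = $secureBootOn -and (Test-SecureBootDbContains -Name dbx -Subject $pca2011)
    $tpmOnlyVolumes = @(Get-TpmOnlyBitLockerVolumes)

    [pscustomobject]@{
        SecureBootEnabled     = $secureBootOn
        TrustsWindowsPca2011  = $trustsPca2011
        RevokesWindowsPca2011 = $revokesPca2011
        TpmOnlyOsVolumes      = $tpmOnlyVolumes.MountPoint
        # True only when both table prerequisites hold at the same time.
        MatchesPrerequisites  = ($tpmOnlyVolumes.Count -gt 0) -and $trustsPca2011 -and -not $revokesPca2011
    }
}

Get-BitLockerDowngradeExposure | Format-List
```

Run it from an elevated prompt. A result with MatchesPrerequisites set to True means the machine still has a TPM-only OS protector and firmware that accepts binaries signed under PCA 2011, which are exactly the conditions the table lists; moving the OS volume to a TPM+PIN protector removes the first condition, and applying Microsoft's Secure Boot certificate revocation so that dbx lists the PCA 2011 certificate removes the second.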
Repository

This proof-of-concept implementation is maintained by garatc and is available at https://github.com/garatc/BitUnlocker.

| Field | Detail |
|---|---|
| Author | garatc |
| License | MIT |
| Repository | https://github.com/garatc/BitUnlocker |

This project is licensed under the MIT License. See the LICENSE file in the repository root for the full license text and terms of use.