A proof-of-concept attack dubbed BitUnlocker, published in May 2026 by security researcher Alex Ionescu, demonstrates how a single vulnerability can shatter the trust model of TPM-only BitLocker encryption. The attack leverages CVE-2025-48804, a flaw in the Windows boot manager, to boot a manipulated recovery environment on a locked device and reach the volume master key—all without cracking the TPM or brute-forcing the PIN. For organizations and users who rely exclusively on the TPM to seal BitLocker keys, the PoC is a stark reminder that physical access and an unverified boot chain remain formidable threats.
BitLocker has long been the cornerstone of Windows data protection, offering multiple protector modes. The simplest and most user-friendly is TPM-only mode, where the encryption key is sealed to specific Platform Configuration Register (PCR) values of the Trusted Platform Module. If the measured boot process matches the expected state, the TPM releases the key and the OS boots seamlessly. This approach has been marketed as a strong defense against offline attacks, assuming an attacker cannot subvert the pre-boot environment. But CVE-2025-48804 pokes a hole in that assumption by allowing an attacker with physical access to inject arbitrary code before the TPM attestation completes.
Understanding TPM-Only BitLocker and the Boot Chain
To grasp the severity of BitUnlocker, one must first understand how BitLocker with TPM-only protectors operates. When you enable BitLocker on a TPM-equipped PC without a PIN or startup key, the Volume Master Key (VMK) is encrypted with the TPM’s Storage Root Key (SRK) and sealed to a set of PCRs. During a normal boot, the UEFI firmware measures firmware code, boot manager, boot loaders, and critical drivers, extending those measurements into the TPM’s PCRs. If the measured values match the expected digests, the TPM unseals the VMK, and the system decrypts the drive on the fly.
This design assumes that the pre-boot chain is immutable and trustworthy. But history is filled with examples of Secure Boot bypasses, firmware vulnerabilities, and bootkit attacks that can modify the measured components. Microsoft mitigations like Secure Boot, Virtual Secure Mode, and Boot Integrity Checking aim to lock down this chain. Yet, when a flaw exists in the boot manager itself—the very component responsible for selecting the OS to load—the entire sealing mechanism unravels.
CVE-2025-48804: The Boot Manager Vulnerability
CVE-2025-48804 resides in the Windows Boot Manager (bootmgfw.efi). According to the limited technical details disclosed alongside the BitUnlocker PoC, the vulnerability allows an attacker to craft a specially formatted EFI executable that, when placed in the EFI system partition alongside a legitimate Windows installation, forces the boot manager to load it instead of the normal Windows Recovery Environment (WinRE). The flaw is a logic error in the binary’s certificate validation path: under certain conditions, the boot manager fails to properly check the digital signature of the recovery image when booting from an alternate location.
The attack does not require downgrading software or disabling Secure Boot, because the malicious payload is signed with a legitimate—though compromised or misused—Microsoft certificate, or it exploits a handling flaw in the signature verification routine. This means even devices with Secure Boot fully enabled and up-to-date firmware are vulnerable.
BitUnlocker: From Physical Access to Plaintext Data
The BitUnlocker PoC executes the following steps:
- Physical Access and Disk Modification: The attacker shuts down the target PC and mounts its drive on another system. They identify the EFI system partition and inject a small, custom Windows Recovery Environment (WinRE) image into a specially crafted directory, renaming or overwriting the existing recovery boot entry to reference the attacker’s file.
- Exploiting CVE-2025-48804: When the target device is powered on, the boot manager processes the boot configuration data and attempts to load the recovery environment. The manipulated boot entry triggers the vulnerability, causing the boot manager to skip proper integrity checks and chainload the attacker’s WinRE image.
- Reaching the VMK: The attacker’s WinRE image is designed to run a minimal Windows kernel that mimics the behavior of a legitimate recovery session. Because the system is still in a TPM-sealed state, the TPM has already unsealed the VMK during the normal first stages of boot (the PCRs measured so far match the expected values, as the attacker has not tampered with the early boot stages). The attacker’s environment then silently extracts the unsealed VMK from memory or retrieves it from the TPM using legitimate BitLocker API calls, as if it were performing an authorized recovery.
- Decryption and Exfiltration: Once the VMK is captured, the attacker can unlock the encrypted drive offline on any other machine, accessing all data.
The entire process requires only a few minutes of physical access to modify the EFI partition. It does not rely on any advanced hardware techniques like cold-boot attacks or TPM sniffing, which makes it a practical threat in targeted scenarios such as law enforcement seizure, corporate espionage, or device theft rings.
Why This Attack Works: The Achilles’ Heel of TPM-Only Mode
BitUnlocker exploits a fundamental trust gap: the TPM measures and validates the early boot firmware (UEFI) and the boot manager itself, but it cannot authenticate the code that runs after the boot manager hands off control if an attacker can subvert that handoff. In TPM-only BitLocker, once the PCRs are satisfied, the TPM releases the key and there is no further authentication (like a PIN) required to complete the boot. The assumption is that the boot manager will only launch a legitimate Windows kernel. But if the boot manager itself is tricked into launching an unauthorized yet cryptographically valid executable, the TPM remains none the wiser.
This pattern has appeared before. In 2022, researchers demonstrated that by modifying the BCD store to point to an older, vulnerable version of WinRE, an attacker could bypass BitLocker on Windows 10 and 11. Microsoft patched that issue, but BitUnlocker shows that even current versions contain architectural weaknesses that can be exploited with a fresh CVE.
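A defender-side check for exactly this kind of recovery-entry redirection, added here as an example (it is not part of the BitUnlocker write-up or any Microsoft tooling): it records where the BCD recovery sequence points, what reagentc reports as the WinRE location, and the SHA-256 of the boot manager on the EFI system partition, then warns when any of these differ from a saved baseline. It assumes Windows 10/11 booting via UEFI, an elevated prompt, a free drive letter S:, and a placeholder baseline path.

```powershell
#Requires -RunAsAdministrator
# Added baseline check (not from the BitUnlocker write-up or Microsoft tooling).
# Records the BCD recovery sequence, the WinRE location, and the SHA-256 of the
# boot manager on the EFI system partition; later runs warn on any change.
# Assumes Windows 10/11, UEFI boot, and that drive letter S: is free.

$Baseline = 'C:\ProgramData\BootChainBaseline.json'   # placeholder path

function Get-FirstMatch([string[]]$Lines, [string]$Pattern) {
    # Return capture group 1 of the first line matching $Pattern, or $null
    foreach ($l in $Lines) { if ($l -match $Pattern) { return $Matches[1].Trim() } }
}

function Get-BootChainState {
    # 1. The entry the default OS loader chains to for recovery, and what that entry loads
    $bcd = & bcdedit.exe /enum '{default}'
    $seq = Get-FirstMatch $bcd '^recoverysequence\s+(\S+)'
    $dev = $null; $path = $null
    if ($seq) {
        $entry = & bcdedit.exe /enum $seq
        $dev   = Get-FirstMatch $entry '^device\s+(.+)$'
        $path  = Get-FirstMatch $entry '^path\s+(.+)$'
    }
    # 2. Where the OS itself believes its WinRE image lives
    $reLoc = Get-FirstMatch (& reagentc.exe /info) 'Windows RE location:\s*(.+)$'

    # 3. Hash bootmgfw.efi on the ESP; it only changes with servicing updates, so an
    #    unexpected change is worth investigating. (The BCD store is not hashed: it is
    #    rewritten legitimately, e.g. by hibernation and update flows.)
    & mountvol.exe S: /S | Out-Null
    try     { $bootmgr = (Get-FileHash 'S:\EFI\Microsoft\Boot\bootmgfw.efi' -Algorithm SHA256).Hash }
    finally { & mountvol.exe S: /D | Out-Null }

    [pscustomobject]@{
        RecoverySequence = $seq;   RecoveryDevice = $dev; RecoveryPath = $path
        WinReLocation    = $reLoc; BootMgrSha256  = $bootmgr
    }
}

$now = Get-BootChainState
if (Test-Path $Baseline) {
    $old = Get-Content $Baseline -Raw | ConvertFrom-Json
    foreach ($p in $now.PSObject.Properties.Name) {
        if ("$($old.$p)" -ne "$($now.$p)") { Write-Warning "$p changed: '$($old.$p)' -> '$($now.$p)'" }
    }
} else {
    $now | ConvertTo-Json | Set-Content $Baseline
    Write-Host "Baseline written to $Baseline"
}
```

Run it once after a known-good build or servicing update to write the baseline, then on a schedule; a changed RecoveryDevice or RecoveryPath with an unchanged BootMgrSha256 is the pattern to look at first.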
Secure Boot and Trusted Boot: Necessary but Not Sufficient
Secure Boot ensures that each binary loaded during boot is signed by a trusted authority. BitUnlocker’s crafted WinRE image is signed, so Secure Boot does not block it. The issue is the boot manager’s failure to verify that the loaded recovery image is the genuine one intended for that specific Windows installation—or at least that it wasn’t silently substituted.
Microsoft’s Trusted Boot process, which integrates with the TPM, should theoretically prevent such substitution because the recovery OS is also measured. However, in TPM-only mode, the recovery environment’s measurements are often not included in BitLocker’s sealed PCR profile. By default, BitLocker on modern Windows uses PCRs 7, 11, and possibly others, but the exact set depends on the configuration. If the recovery boot loader’s measurement is not bound to the VMK seal, an attacker can freely swap in their own recovery image after the initial boot stages have already satisfied the seal. CVE-2025-48804 makes that substitution seamless.
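To see which case a given machine is in, the following audit (an added example, not code from the page or from Microsoft) lists each BitLocker volume's protector types, flags bare TPM protectors, and reads the PCR validation profile that manage-bde reports for the TPM protector. It assumes Windows 10/11 with the BitLocker PowerShell module and an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the BitUnlocker write-up or Microsoft): report every
# BitLocker volume, whether it relies on a bare TPM protector, and which PCRs the
# TPM seal is bound to. Assumes the BitLocker module and manage-bde.exe on Windows 10/11.

function Get-BitLockerProtectorAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasBareTpm   = $types -contains 'Tpm'
        $hasSecondFac = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }).Count -gt 0

        # manage-bde prints the bound PCR set under the TPM-based protector, e.g.
        #   PCR Validation Profile:
        #     7, 11
        #     (Uses Secure Boot for integrity validation)
        # The set comes from the "Configure TPM platform validation profile" policy when set.
        $pcrs = 'n/a'
        if ($hasBareTpm -or $hasSecondFac) {
            $out = @(& manage-bde.exe -protectors -get $vol.MountPoint 2>$null)
            for ($i = 0; $i -lt $out.Count - 1; $i++) {
                if ($out[$i] -match 'PCR Validation Profile') { $pcrs = $out[$i + 1].Trim(); break }
            }
        }

        [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            Protection  = $vol.ProtectionStatus
            Protectors  = ($types -join ',')
            PcrProfile  = $pcrs
            # Bare TPM protector with no PIN or startup key: the configuration BitUnlocker targets
            TpmOnly     = ($hasBareTpm -and -not $hasSecondFac)
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize
# For fleet reporting, pipe instead to Export-Csv and filter on TpmOnly -eq $true.
```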
The Landscape of BitLocker Attacks in 2026
BitUnlocker is the latest in a growing catalogue of attacks against TPM-only BitLocker:
- 2021: Researchers surfaced the CVE-2021-42298 vulnerability in the Windows kernel that allowed an attacker with physical access to extract the VMK from memory during boot.
- 2022: The Windows RE downgrade attack (CVE-2022-21999) demonstrated that enforcing strict code integrity was insufficient without proper boot entry lockdown.
- 2024: A firmware-level implant targeting Intel Management Engine was shown to bypass BitLocker by intercepting the TPM communication channel.
Each successive attack forces enterprises to reevaluate their encryption policies. BitUnlocker is especially concerning because it bypasses all existing mitigations short of requiring a startup PIN or using a TPM plus a USB key.
Who Is Affected?
Any Windows 10 or Windows 11 device that has BitLocker enabled with only a TPM protector is potentially vulnerable. This includes a massive number of corporate laptops, government systems, healthcare devices, and even many consumer-grade Surface devices. Organizations that follow Microsoft’s recommended security baselines for BitLocker—which often default to TPM-only for user experience reasons—are at risk.
Windows 11 SE and certain enterprise SKUs allow configuration of BitLocker Network Unlock, which moves the trust to a network service, but that also has its own threat model. Devices using a PIN or startup key in addition to the TPM are not affected because the attacker would still need that second factor to complete the boot, even after exploiting CVE-2025-48804.
Microsoft’s Response
At the time of writing, Microsoft has acknowledged receipt of the disclosure but has not yet released a full security update. The vulnerability is tracked as CVE-2025-48804. According to Ionescu, the research team provided a detailed report to Microsoft in March 2026, and the public PoC was released after the 90-day disclosure deadline passed. Microsoft initially attempted to fix the issue through a Secure Boot database update (KB5032976), but security analysts quickly demonstrated that the patch was incomplete because it only blocked a specific hash of the PoC rather than addressing the logic error in the boot manager.
A comprehensive fix will likely require an update to the boot manager binary itself, which is a delicate component. Microsoft may need to issue firmware-level updates through UEFI capsule packages, a process that could take months and often requires cooperation from OEMs.
Mitigations for Enterprise and Individual Users
Until an official patch is available, organizations should immediately adopt the following measures:
- Enforce BitLocker Startup PIN or USB Key: Transition TPM-only BitLocker deployments to TPM+PIN or TPM+USB key protectors. This ensures that even if the boot manager is compromised, the attacker cannot complete the boot without the second factor.
- Restrict Physical Access: Physical security is always important, and this attack makes it critical. Use device locks, tamper-evident seals, and IT policies that mandate shutting down rather than sleeping when leaving devices unattended in public spaces.
- Configure BitLocker DMA Protection: Enable kernel DMA Protection (on supported hardware) to block external DMA attacks that might also be used in combination with this exploit.
- Monitor and Audit BitLocker Recovery Events: Set up Windows event log monitoring for BitLocker recovery key usage and unexpected volume unlocks. Early detection of an attempt may limit damage.
- Deploy Device Guard and Credential Guard: These can add layers of integrity checking that might catch a follow-on attack, though they are not a silver bullet against a boot manager exploit.
- Stay Informed: Follow Windows Update advisories for CVE-2025-48804 and apply any boot manager patches as soon as they become available.
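The first mitigation carried out in PowerShell, as an added example rather than the page's or Microsoft's script: it allows PIN protectors through the BitLocker policy key, ensures a recovery password exists, replaces the bare TPM protector with TPM+PIN, and prints the result. The policy values follow the "Require additional authentication at startup" setting (1 = require, 2 = allow); the minimum PIN length of 6 is a chosen value, and the mount point is a parameter defaulting to C:.

```powershell
#Requires -RunAsAdministrator
# Added remediation example (not from the BitUnlocker write-up or Microsoft): move one
# volume from a bare TPM protector to TPM+PIN. Assumes Windows 10/11 with the BitLocker
# module. Policy values: UseTPMPIN 1 = require, 2 = allow; MinimumPIN 6 is a chosen value.
param([string]$MountPoint = 'C:')

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
# Without these, Add-BitLockerKeyProtector -TpmAndPinProtector is refused by policy.
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name MinimumPIN         -Value 6 -Type DWord

$vol     = Get-BitLockerVolume -MountPoint $MountPoint
$bareTpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
if (-not $bareTpm) { Write-Host "$MountPoint has no TPM-only protector; nothing to do"; return }

# A recovery password must exist (and be escrowed) before the TPM protector is touched,
# so a failed boot after the change cannot lock the user out of the volume.
if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}
# Escrow it where the environment keeps recovery keys (e.g. Backup-BitLockerKeyProtector to AD DS).

$pin = Read-Host -Prompt 'Enter new startup PIN (digits only)' -AsSecureString

# BitLocker allows a single TPM-based protector, so the bare one is removed first; the
# recovery password keeps the volume unlockable in between. Then TPM+PIN is added.
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $bareTpm.KeyProtectorId | Out-Null
Add-BitLockerKeyProtector    -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

$after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
Write-Host "Protectors on ${MountPoint}: $($after -join ', ')"   # expected: TpmPin, RecoveryPassword
```

Reboot once under supervision to confirm the PIN prompt appears and the volume unlocks; only then roll the change out fleet-wide via your management tooling.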
Individuals using BitLocker on personal devices should strongly consider adding a PIN or a USB startup key—even a simple 4-digit PIN dramatically raises the bar for an attacker, forcing them to extract the TPM chip or attempt brute-forcing, rather than relying on a pure software attack.
The Long Road Ahead: Rethinking BitLocker Architecture
BitUnlocker highlights a deeper architectural challenge: the boot chain’s integrity depends on components that are themselves software and can contain bugs. TPM-only sealing is only as strong as the weakest link in that chain. Microsoft has invested in virtualization-based security (VBS) and System Guard Secure Launch to create a more resilient root of trust, but these protections are often bypassed when an attacker controls the execution environment from the start.
Looking forward, the industry may need to migrate toward more sophisticated models where the TPM seal includes measurements of the recovery environment or where the decryption key is released only after a user-authenticated boot. Apple’s approach with the T2 and M-series chips, which integrate hardware-based user authentication, provides a glimpse of where Windows devices might need to go—though at the cost of user convenience.
In the short term, the lesson is clear: TPM-only BitLocker is no longer sufficient for any environment where physical theft or access is a realistic threat. As cyber threats continue to mature, convenience must give way to security. BitUnlocker is not just a PoC; it’s a canary in the coal mine.