At Black Hat USA 2025 and DEF CON 33, Microsoft's Security Testing & Offensive Research (STORM) team disclosed new vulnerabilities in the Windows Recovery Environment (WinRE) that can be exploited to bypass BitLocker and extract protected user data. This is concerning because WinRE is one of the most essential Windows features and is reachable before any user authenticates: holding the Shift key while clicking Restart on the Windows logon screen boots straight into it.
For those who may not be familiar, BitLocker (surfaced as Device Encryption (DE) on some Windows editions) provides data-at-rest protection through Full Volume Encryption (FVE) and is one of the few Windows features designed to protect data against an attacker with physical access to the device.
Following BitLocker's introduction, Microsoft made several changes to WinRE so that recovery remained possible even when the BitLocker-encrypted OS volume could not be unlocked. These measures included:
- Relocating WinRE.wim from the encrypted OS volume to an unencrypted recovery partition so it stays accessible during boot failures,
- Implementing Trusted WIM Boot, which verifies the recovery image against a known-good hash before the OS volume is auto-unlocked, and
- Adding a volume re-lock mechanism, triggered by risky tools such as the Command Prompt, that requires the BitLocker recovery key to restore access.
According to the team, once Trusted WIM Boot validation passes, WinRE enters its auto-unlock state and begins parsing files from unprotected partitions, specifically the EFI system partition and the recovery volume. Because those partitions are not covered by BitLocker, nothing stops their contents from being modified by someone with physical access. This is where the team identified multiple vulnerabilities in WinRE and its boot procedure, noting that the attack surface was negligible before the BitLocker-driven WinRE changes.
To reduce the attack surface, Microsoft recommends enabling TPM with a PIN for pre-boot authentication: the OS volume then cannot be unlocked until the PIN is entered, so WinRE no longer depends on the TPM-only auto-unlock path that these attacks target. Microsoft also advises enabling the REVISE mitigation (described under KB5025885) to protect against downgrade attacks.
These vulnerabilities are tracked as CVE-2025-48800, CVE-2025-48003, CVE-2025-48804 and CVE-2025-48818, and were patched on Windows 11 and Windows 10 with the July 2025 Patch Tuesday release. Since the updates are cumulative, installing the August 2025 updates for Windows 11 (KB5063878, KB5063875) or Windows 10 (KB5063709 / KB5063877 / KB5063871 / KB5063889), released yesterday, also includes the fix.
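The following PowerShell script is an added example, not code from the STORM team or Microsoft, covering both recommendations above: it audits whether the OS volume still relies on a TPM-only (auto-unlock) protector, whether WinRE is enabled, and whether one of the August 2025 cumulative updates listed above is installed, and then shows how to move the volume to TPM+PIN. It assumes an elevated PowerShell session on Windows 10/11 with the built-in BitLocker module, and it writes the local BitLocker policy values under HKLM:\SOFTWARE\Policies\Microsoft\FVE (the same keys Group Policy sets); the function names are my own. The KB check is only a floor: a later cumulative update also carries the fix, so a result of "not present" means "verify manually", not "vulnerable".

```powershell
# Added audit/remediation example (not from the STORM blog or Microsoft).
# Assumes: elevated session, BitLocker PowerShell module, Windows 10/11.

function Get-BitLockerWinReExposure {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # August 2025 cumulative updates named in the article. Updates are cumulative,
        # so any of these (or a later LCU) includes the July 2025 WinRE fixes.
        [string[]]$PatchedKbs = @('KB5063878','KB5063875','KB5063709',
                                   'KB5063877','KB5063871','KB5063889')
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # A bare 'Tpm' protector is the auto-unlock path the research targets: the TPM
    # releases the volume key with no user secret once the measured boot chain matches.
    $tpmOnly = $types -contains 'Tpm'
    $tpmPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

    # Local policy for "Require additional authentication at startup".
    # UseTPMPIN: 0/absent = not allowed, 1 = required, 2 = allowed.
    $fve       = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $pinPolicy = if ($fve) { $fve.UseTPMPIN } else { $null }

    # reagentc is the supported way to see whether WinRE is enabled and where WinRE.wim lives.
    $reInfo    = (& reagentc.exe /info 2>$null) -join "`n"
    $reEnabled = $reInfo -match 'Windows RE status:\s+Enabled'

    $lcu = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $PatchedKbs -contains $_.HotFixID }

    [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionStatus  = $vol.ProtectionStatus
        KeyProtectors     = ($types -join ',')
        TpmOnlyAutoUnlock = ($tpmOnly -and -not $tpmPin)   # $true = exposed to the auto-unlock attack surface
        TpmPinPresent     = $tpmPin
        PinPolicy         = $pinPolicy
        WinReEnabled      = $reEnabled
        ListedLcuPresent  = [bool]$lcu                     # $false only means "check the build manually"
    }
}

function Enable-TpmPinProtector {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = $env:SystemDrive)

    # Policy must permit a PIN before Add-BitLockerKeyProtector -TpmAndPinProtector succeeds.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Require TPM+PIN and replace TPM-only protector')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name UseTPMPIN          -Value 1 -Type DWord   # require TPM+PIN
        Set-ItemProperty -Path $key -Name UseTPM             -Value 0 -Type DWord   # disallow TPM-only

        $pin = Read-Host -Prompt 'Enter a BitLocker startup PIN' -AsSecureString
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

        # A volume holds one TPM-based protector; adding TPM+PIN normally replaces the bare
        # TPM protector. Remove any that survived so auto-unlock cannot fall back to it.
        Get-BitLockerVolume -MountPoint $MountPoint |
            Select-Object -ExpandProperty KeyProtector |
            Where-Object KeyProtectorType -eq 'Tpm' |
            ForEach-Object {
                Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
    }
}

# Usage:
#   Get-BitLockerWinReExposure | Format-List
#   Enable-TpmPinProtector -WhatIf      # dry run
#   Enable-TpmPinProtector              # apply, then reboot and confirm the PIN prompt appears
```

Back up the recovery password (for example with `Backup-BitLockerKeyProtector` or `manage-bde -protectors -get C:`) before changing protectors, because a mistyped PIN on the next boot drops you into recovery. After the change, rerun the audit function and confirm `TpmOnlyAutoUnlock` is `$false`; that, together with a patched build, is the state the recommendations above are aiming for.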
You can read the full technical write-up here, in the official blog post.