New BitLocker Bypass Tool Can Unlock Some Windows 11 PCs in Under Five Minutes

TPM + PIN systems remain protected


Security researchers at Intrinsec have released a proof-of-concept tool called BitUnlocker that reportedly bypasses BitLocker encryption on some Windows 11 systems in under five minutes. The research, first highlighted by Cyber Security News, demonstrates how attackers with physical access can exploit an older trusted Windows boot chain to retrieve BitLocker keys without triggering recovery prompts.

The attack relies on CVE-2025-48804, a vulnerability Microsoft patched in July 2025. Researchers say the flaw affects the Windows Recovery Environment and the way Windows handles deployment images during boot.

Attack abuses older trusted Windows boot components

According to the researchers, the attack requires direct physical access to the target device. Attackers reportedly boot the system from a USB flash drive containing an older, vulnerable Windows boot manager alongside a malicious payload.

The exploit takes advantage of the fact that Secure Boot still trusts the legacy “Windows PCA 2011” certificate chain on many systems. Because the boot manager remains properly signed, the TPM continues to treat the boot process as trusted and automatically releases BitLocker decryption keys.

As a result, Windows does not display a BitLocker recovery screen or warning message during the attack.

Why BitLocker protections fail in this scenario

BitLocker normally relies on TPM validation to detect unauthorized boot modifications. In this case, the malicious boot manager still appears legitimate because it carries a trusted Microsoft signature.

Researchers say this creates a dangerous gap where older vulnerable boot components remain valid even after security patches become available.

The proof-of-concept reportedly appends a malicious payload to a trusted Windows boot image while maintaining the trusted boot chain. Once the vulnerable boot environment loads successfully, attackers can access encrypted data without knowing the BitLocker password.

Some Windows systems remain protected

The attack does not work remotely and still requires hands-on access to the machine. Systems configured with TPM plus a pre-boot PIN remain protected because the attacker cannot automatically retrieve the required authentication factor.

Researchers also say systems migrated to the newer Windows UEFI CA 2023 certificate chain through Microsoft’s KB5025885 mitigation path are not vulnerable to this technique.

Organizations that fully revoked older boot certificates and updated Secure Boot trust chains also reduce exposure significantly.
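The two mitigations described above (a TPM+PIN protector and migration to the Windows UEFI CA 2023 trust chain) can both be audited from the machine itself. The script below is an added example written for this article, not a tool from Intrinsec, Windows Report or Microsoft; it assumes an elevated PowerShell prompt on Windows 10/11, since reading the Secure Boot variables and BitLocker protector list requires administrator rights. The certificate-name string matches against the db and dbx variables follow the check Microsoft's KB5025885 guidance describes.

```powershell
# Added defender-side check (example code, not from the article's sources).
# Run elevated: Get-SecureBootUEFI and Get-BitLockerVolume need admin rights.

function Test-SecureBootCertState {
    # The db variable holds the Secure Boot allow-list and dbx the revocation
    # list. Both contain DER-encoded certificates, so the certificate common
    # names are visible as ASCII substrings; that is what we search for.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        SecureBootEnabled = Confirm-SecureBootUEFI
        Has2023CA         = [bool]($db  -match 'Windows UEFI CA 2023')
        Pca2011Revoked    = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    }
}

function Test-BitLockerPreBootAuth {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint         = $MountPoint
        ProtectionStatus   = $vol.ProtectionStatus
        Protectors         = ($types -join ', ')
        # TpmPin and TpmPinStartupKey protectors require a user-supplied factor
        # before the TPM unseals the volume key, which is why the article says
        # TPM+PIN systems are not affected by the automatic key release.
        RequiresPreBootPin = [bool]($types -match '^TpmPin')
    }
}

$cert = Test-SecureBootCertState
$bl   = Test-BitLockerPreBootAuth
$cert | Format-List
$bl   | Format-List

if (-not $cert.Has2023CA -or -not $cert.Pca2011Revoked) {
    Write-Warning 'Secure Boot still trusts the Windows Production PCA 2011 chain; follow KB5025885 to move to Windows UEFI CA 2023 and revoke the 2011 CA.'
}
if (-not $bl.RequiresPreBootPin) {
    Write-Warning "No TPM+PIN protector on $($bl.MountPoint); consider adding one with: manage-bde -protectors -add $($bl.MountPoint) -TPMAndPIN"
}
```

Both checks are read-only. Adding a TPM+PIN protector with manage-bde may additionally require the "Require additional authentication at startup" policy to be enabled, and the KB5025885 migration must be staged in the order Microsoft documents (add the 2023 CA to db, update the boot manager, then revoke the 2011 CA), so treat the script as an inventory step rather than a remediation.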

Growing concerns around BitLocker and Windows security

The BitUnlocker release arrives as Windows users continue reporting BitLocker-related issues after recent updates. April Patch Tuesday updates reportedly triggered unexpected BitLocker recovery prompts on some systems, causing confusion for enterprise and consumer users alike.

Meanwhile, security researchers continue demonstrating new attack techniques involving AI-assisted phishing and authentication bypass attempts. Another recent proof-of-concept called GhostLock showed how attackers could abuse legitimate Windows file APIs to temporarily block access to SMB-shared files without administrator privileges.

While BitUnlocker remains a proof-of-concept tool rather than an active widespread threat, the research highlights ongoing concerns around legacy trust chains, Secure Boot compatibility, and physical device security in modern Windows environments.
