A security flaw in Windows 11’s BitLocker implementation allows attackers with physical access to bypass encryption using a simple downgrade trick. The tool, called BitUnlocker, exploits a gap between software updates and certificate trust, effectively disabling the TPM-only protection layer in minutes.
- Physical access required
- Exploits legacy Windows PCA 2011 certificate
- Affects systems without pre-boot PIN or KB5025885 update
- No impact on TPM+PIN or UEFI CA 2023 configurations
The attack hinges on a vulnerability patched in July 2025 but still exposed through older boot managers. An attacker inserts a flash drive containing a legitimate Windows Imaging Format file, appends malicious code, and tricks the system into loading it without triggering integrity checks. The TPM, configured to trust the legacy PCA 2011 certificate, verifies the downgraded environment as valid and releases the BitLocker key.
The attack has clear limits: systems using a TPM alongside a pre-boot PIN are immune, as is any machine that has applied the KB5025885 update migrating to the newer UEFI CA 2023 certificate. For IT teams managing endpoints, this means verifying hardware-based protections and ensuring all updates are current.
The discovery underscores how legacy trust chains can remain a vector even after patches are released. No software-only mitigations exist; the fix lies in hardware configuration or firmware updates. Where things stand now: users with TPM-only setups should enable PINs, while administrators must audit deployment images against the latest security baselines.
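The following audit script is an added example, not code from the article or from the BitUnlocker researchers; it checks the two protective conditions the article names (a pre-boot PIN protector on the OS volume, and firmware trust migrated from the Windows Production PCA 2011 certificate to the Windows UEFI CA 2023 certificate). It assumes a Windows 11 host with the BitLocker PowerShell module, Secure Boot enabled, and an elevated prompt; the certificate subject strings it searches for are Microsoft's standard CA names and are not quoted on this page.

```powershell
# Added audit script (not from the article). Assumes Windows 11, the BitLocker
# PowerShell module, Secure Boot enabled, and an elevated prompt.
# Reports the conditions the article describes as protective:
#   1. the OS volume uses a TPM+PIN protector rather than TPM-only, and
#   2. the firmware trusts the Windows UEFI CA 2023 certificate (Secure Boot DB)
#      and has revoked the Windows Production PCA 2011 certificate (DBX).

function Test-BitLockerPreBootPin {
    # True when the OS volume has a protector that demands a PIN before boot
    # (TpmPin or TpmPinStartupKey). A bare "Tpm" protector is the exposed case.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    return [bool]($types -match '^TpmPin')
}

function Test-UefiCa2023Trusted {
    # The Secure Boot signature database (db) contains the 2023 CA.
    # Certificate subjects are ASCII inside the DER blob, so a string match works.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    return [bool]($db -match 'Windows UEFI CA 2023')
}

function Test-Pca2011Revoked {
    # The forbidden-signature database (dbx) lists the legacy 2011 CA, which is
    # what stops an older, PCA 2011-signed boot manager from being accepted.
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    return [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
}

$pin     = Test-BitLockerPreBootPin
$ca2023  = Test-UefiCa2023Trusted
$revoked = Test-Pca2011Revoked

# Exposed only when neither protective condition holds: no PIN at boot and the
# legacy 2011 trust path still accepted by firmware. (Assumed interpretation of
# the article's two stated mitigations.)
[PSCustomObject]@{
    OsVolumeHasTpmPin   = $pin
    UefiCa2023InDb      = $ca2023
    Pca2011InDbx        = $revoked
    ExposedToDowngrade  = (-not $pin) -and (-not $revoked)
} | Format-List
```

Run it per endpoint (or through a management agent) and treat `ExposedToDowngrade = True` as the set of machines that need either a pre-boot PIN enabled or the certificate migration completed.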