Researchers have disclosed critical vulnerabilities that bypass Windows BitLocker encryption, allowing an attacker with brief physical access to quickly extract data from an encrypted device. The flaws were patched before they were publicly presented, so they are not zero-days in the strict sense.
Research by Alon Leviev and Netanel Ben Simon from Microsoft’s STORM team reveals critical flaws in the Windows Recovery Environment (WinRE) that threaten BitLocker’s security.
Four Critical Attack Vectors Discovered:
The researchers found four new vulnerabilities, tracked as CVE-2025-48800, CVE-2025-48003, CVE-2025-48804, and CVE-2025-48818, each affecting a different part of the Windows recovery system.
Boot.sdi Parsing Vulnerability (CVE-2025-48800): By modifying the WIM offset stored in the Boot.sdi file, the attacker causes the boot loader to load a different image from the one that was validated, bypassing the trusted-WIM check. A malicious recovery image can thus replace the legitimate one and run untrusted code while the system still appears to have its integrity intact.
ReAgent.xml Exploitation (CVE-2025-48003): This vulnerability abuses WinRE's offline scanning feature, which is intended for antivirus tasks. The researchers showed that by pointing it at tttracer.exe, a legitimate, signed Time Travel Debugging tool, they could open a command prompt with full access to the encrypted volumes.
Trusted App Manipulation (CVE-2025-48804): This exploit targets SetupPlatform.exe, a trusted application that remains registered after Windows updates. By manipulating its configuration files, the attacker creates an unlimited time window in which keyboard shortcuts can be registered that open a privileged command prompt.
BCD Configuration Attack (CVE-2025-48818): The most advanced of the four abuses Push Button Reset (PBR) by altering the Boot Configuration Data (BCD) to redirect WinRE tasks. By placing a crafted ResetSession.xml on the recovery partition, which is not protected by BitLocker, the attacker can make the system decrypt BitLocker volumes itself.
The Black Hat USA 2025 presentation showed that the attacks can be carried out by anyone with basic physical access: boot the device into WinRE and use key combinations such as Shift+F10, which opens a command prompt in the recovery environment. From there the researchers were able to fully extract data, including sensitive files, credentials, and system settings, from BitLocker-protected drives.
Mitigations:
Microsoft fixed the vulnerabilities in the July 2025 Patch Tuesday updates, providing security patches for all affected Windows versions. The company urges organizations to implement the following countermeasures right away:
Enable TPM+PIN pre-boot authentication. With a TPM-only protector the OS volume is unlocked automatically at boot, which is what gives WinRE access to the plaintext volume; requiring a PIN means the volume stays locked until the user authenticates. Note that the TPM+PIN protector must replace the TPM-only protector, not sit alongside it.
Use the REVISE method for anti-rollback protection, so that a patched device cannot be downgraded to a vulnerable boot component.
Install all July 2025 security updates via standard Windows Update.
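The following PowerShell script is an added example, not code from the article or from Microsoft. It audits one device against the countermeasures above and, with -Remediate, moves the OS volume from a TPM-only protector to TPM+PIN. The parameter names, the policy registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE, and the use of the July 2025 Patch Tuesday date (2025-07-08) as a heuristic for "updates installed" are this example's own assumptions; the BitLocker cmdlets and reagentc are standard Windows tools. Run it from an elevated prompt.

```powershell
# Added example (not from the original article or from Microsoft): audit a device
# against the BitLocker/WinRE mitigations and optionally enforce TPM+PIN.
# Assumptions: the OS volume is $env:SystemDrive; 2025-07-08 (July 2025 Patch
# Tuesday) is used only as a heuristic date for "July 2025 updates installed".

param(
    [string]$MountPoint = $env:SystemDrive,   # OS volume, normally C:
    [switch]$Remediate                        # without this switch the script only reports
)

$ErrorActionPreference = 'Stop'
$patchTuesday = Get-Date '2025-07-08'

# 1. Which key protectors does the OS volume have? TPM-only means auto-unlock at boot.
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
$hasTpmPin  = $types -contains 'TpmPin'
$hasTpmOnly = $types -contains 'Tpm'
Write-Host "BitLocker on $MountPoint : $($vol.ProtectionStatus); protectors: $($types -join ', ')"
if ($hasTpmOnly -and -not $hasTpmPin) {
    Write-Warning "OS volume auto-unlocks with TPM only; WinRE can reach the plaintext volume without user authentication."
}

# 2. Does policy allow a TPM+PIN protector?
#    HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN: 0 = do not allow, 1 = allow, 2 = require
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$useTpmPin = (Get-ItemProperty -Path $fve -Name UseTPMPIN -ErrorAction SilentlyContinue).UseTPMPIN
if ($useTpmPin -ne 1 -and $useTpmPin -ne 2) {
    Write-Warning "Policy does not allow TPM+PIN (UseTPMPIN=$useTpmPin)."
    if ($Remediate) {
        if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
        # "Require additional authentication at startup": require a PIN with the TPM
        Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
        Set-ItemProperty -Path $fve -Name EnhancedPIN        -Value 1 -Type DWord
    }
}

# 3. Add the TPM+PIN protector, then remove any remaining TPM-only protector so the
#    volume no longer unlocks without a PIN. Keep the recovery password escrowed first.
if ($Remediate -and -not $hasTpmPin) {
    $pin = Read-Host -Prompt 'Enter new pre-boot PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Write-Host "TPM+PIN protector added and TPM-only protector removed on $MountPoint."
}

# 4. Heuristic update check: any hotfix installed on or after the July 2025 Patch Tuesday.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $patchTuesday }
if ($recent) {
    Write-Host "Updates installed since 2025-07-08: $($recent.HotFixID -join ', ')"
} else {
    Write-Warning "No update installed since 2025-07-08 found via Get-HotFix; confirm the July 2025 cumulative update is applied."
}

# 5. WinRE status, for reference: this is the component the four CVEs target.
reagentc /info
```

Run without -Remediate first to see the current protector set; the script only changes policy and protectors when -Remediate is given, and it prompts for the PIN interactively rather than taking it on the command line. The Get-HotFix check is deliberately a heuristic: it proves an update was installed after the July 2025 release date, not that the specific cumulative update is present, so confirm the build against Microsoft's release notes for your Windows version.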