Microsoft's original STORM search
In July 2025, the Microsoft STORM team released a detailed article This describes a complete attack chain against BitLocker, specifically targeting WinRE. The principle is as follows: the boot manager loads the System Deployment Image (SDI) file and the WIM referenced by it, and verifies the integrity of the legitimate WIM. However, when a second WIM is added to the SDI with a modified blob table, the boot manager checks the first (legitimate) WIM while simultaneously booting from the second (controlled by the attacker). This second WIM contains a WinRE image infected with `cmd.exe`, which executes with the decrypted BitLocker volume.
Why is the fix not enough?
The fix is real, and updated machines did indeed receive a patched boot manager via Windows Update in July 2025, whether it was signed PCA 2011 or CA 2023. The problem lies elsewhere: Secure Boot only verifies the signing certificate of a binary, not its version. A vulnerable `bootmgfw.efi` from before July 2025, signed with the PCA 2011 certificate, is perfectly valid from the point of view of Secure Boot, just as much as the patched version.
However, the old PCA 2011 certificate was not revoked en masse, because it is a a real operational challenge for Microsoft. It is still present in the Secure Boot database of almost all machines in use (excluding new Windows installations). And as long as it is not revoked, even an old, vulnerable boot manager can be loaded without triggering an alert.
The attack in practice
Directly inspired by the work of Microsoft STORM and by our previous experience with bitpixie, We have developed a PoC that exploits this vulnerability, including on up-to-date systems (but which have therefore not deployed the other mitigations).
The principle is as follows:
- The attacker has physical access to the target workstation
- It prepares a modified BCD file that redirects WinRE input to a trapped SDI file
- Via USB or PXE (for example), it serves an old, vulnerable boot manager signed in PCA 2011, the modified BCD, and the SDI containing the compromised WinRE image.
- The target machine boots, loads the old boot manager, which in turn loads the compromised WinRE without detecting the manipulation.
- The TPM releases the BitLocker key normally — PCR measures 7 and 11 remain valid because PCA 2011 is recognized by Secure Boot
- A terminal opens with the OS volume decrypted and mounted.
The entire operation takes a few minutes, without requiring complex equipment.
How can we protect ourselves from it?
As we mentioned in our previous article on bitpixie, The main recommendation remains the same as for most BitLocker attacks: enable a PIN at startup. This is the only measure that reliably protects against these attacks.
Beyond the PIN, Microsoft recommends Migrate the boot manager to the CA 2023 certificate and revoke the old PCA 2011 certificate via the procedure described in the KB5025885, This also enables new boot manager version tracking via SVN (Secure Version Number). However, this migration is cumbersome for users, which explains why it is still far from being widespread.
Do you want to secure your computers against BitUnlocker and other physical attacks?
Individual measures (BitLocker PIN, Secure Boot certificate upgrades, etc.) are not always sufficient to secure a large fleet.
Intrinsec, a pure-play cybersecurity company for 30 years and PASSI-certified by ANSSI, offers several concrete services to support you:
– Cybersecurity audit : Workstation security assessment, Bitlocker and TPM configuration, Windows workstation hardening. Learn more
– Penetration testing (Pentest) : simulation of physical attacks (TPM-sniffing, BitUnlocker, etc.) on your workstations and servers. Learn more
– Support for achieving compliance : alignment of BitLocker policies, UEFI, patches and certificate management with Microsoft recommendations (KB5025885, CA 2023, etc.). Learn more
– SOC / CERT Intrinsec : detection of attack attempts and response in case of an incident related to encryption bypass. Learn more
