BitUnlocker Downgrade Attack Cracks TPM-Based Windows 11 BitLocker in 5 Minutes
Published: 1 day ago
Author: site editor (小编)

Researchers from the security firm Intrinsec have released a tool named BitUnlocker that can bypass Windows 11 BitLocker disk encryption within 5 minutes when the volume relies solely on TPM protection. The tool performs a downgrade attack: it loads older components that the platform still trusts, exploiting the gap between the time system software is updated and the time the corresponding certificates are revoked, and ultimately gains access to the protected disk.

The attack is related to CVE-2025-48804, a vulnerability in the Windows Recovery Environment and in the processing of system deployment images. Microsoft released a patch for it in July 2025. The researchers note that even on a patched system the fix can still be bypassed through a downgrade path as long as the old certificates have not been revoked.

BitUnlocker requires physical access to the device. During the boot phase the attacker loads a validly formatted but malicious Windows image file from a USB drive, exploiting the 'fallback' room left in the certificate chain to make the system load a vulnerable older version of the boot manager. The TPM then verifies the boot measurements as it normally would and, because the comparison against the still-trusted PCA 2011 certificate succeeds, unseals the BitLocker volume master key without triggering any alerts.

The downgrade path is blocked on systems configured with TPM plus a pre-boot PIN, and on devices that have applied the KB5025885 update and migrated their Secure Boot trust chain to the new Windows UEFI CA 2023 digital certificate. The researchers recommend that users and enterprises promptly verify their system update status and enable additional protections such as a pre-boot PIN to reduce the risk from physical attacks.
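The two conditions the article names as blocking the downgrade path (a TPM plus pre-boot PIN protector, and a Secure Boot trust chain migrated to Windows UEFI CA 2023 with the old CA revoked) can both be checked locally. The following read-only posture check is an added example written for this page; it is not code from the article, from Intrinsec, or from Microsoft. It assumes an elevated PowerShell session on Windows 11 with the BitLocker module available, that drive letter S: is free for temporarily mounting the EFI System Partition, and that searching the raw Secure Boot db/dbx bytes for the certificate subject string (the approach Microsoft's KB5025885 guidance documents) is acceptable for your environment. The function name and the output field names are my own.

```powershell
# Added example, not from the article or from Intrinsec.
# Reports whether a BitLocker volume is in the configuration the article
# describes as exposed: TPM-only protector AND the PCA 2011 CA not yet revoked.
# Requires an elevated session; Get-BitLockerVolume hides protector details otherwise.

function Test-BitLockerDowngradeExposure {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,   # volume to inspect, e.g. "C:"
        [string]$EspLetter  = 'S:'                # assumed-free letter for the EFI System Partition
    )

    # --- 1. Key protectors: TPM-only is the exposed configuration; TpmPin blocks the path. ---
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $tpmOnly = ($types -contains 'Tpm') -and
               -not ($types -contains 'TpmPin') -and
               -not ($types -contains 'TpmPinStartupKey')

    # --- 2. Secure Boot trust chain: new CA trusted (db) and old CA revoked (dbx)? ---
    $secureBoot = $false; $ca2023InDb = $false; $pca2011InDbx = $false
    try {
        $secureBoot = Confirm-SecureBootUEFI
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).bytes)
        $ca2023InDb   = [bool]($db  -match 'Windows UEFI CA 2023')
        $pca2011InDbx = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    } catch {
        # Legacy BIOS or firmware without Secure Boot support: the cmdlets throw.
        Write-Warning "Secure Boot variables unavailable: $($_.Exception.Message)"
    }

    # --- 3. Which CA issued the signature on the boot manager the firmware loads? ---
    # Mount the ESP, read the Authenticode signer of bootmgfw.efi, then unmount.
    $bootMgrIssuer = 'unknown'
    try {
        mountvol $EspLetter /S | Out-Null
        $sig = Get-AuthenticodeSignature -FilePath "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
        if ($sig.SignerCertificate) { $bootMgrIssuer = $sig.SignerCertificate.Issuer }
    } catch {
        Write-Warning "Could not inspect boot manager signature: $($_.Exception.Message)"
    } finally {
        mountvol $EspLetter /D 2>$null | Out-Null
    }

    [PSCustomObject]@{
        Volume                = $MountPoint
        ProtectionStatus      = $vol.ProtectionStatus
        KeyProtectors         = ($types -join ',')
        TpmOnlyProtector      = $tpmOnly
        SecureBootEnabled     = $secureBoot
        WindowsUefiCa2023InDb = $ca2023InDb
        Pca2011InDbx          = $pca2011InDbx
        BootManagerIssuer     = $bootMgrIssuer
        # Per the article: exposed when the volume is TPM-only and the old CA is still trusted.
        ExposedToDowngrade    = ($tpmOnly -and -not $pca2011InDbx)
    }
}

Test-BitLockerDowngradeExposure | Format-List
```

Read the output as a whole rather than as a single flag: `ExposedToDowngrade` only captures the two mitigations the article mentions, while `WindowsUefiCa2023InDb` and `BootManagerIssuer` show how far along the KB5025885 migration actually is on that machine. A device whose db already trusts the 2023 CA but whose dbx does not yet contain the PCA 2011 certificate is still in the window the article describes, and adding a TPM+PIN protector is the mitigation that does not depend on firmware changes.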