Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
Windows 10
Windows 11Windows' 'rescue' feature becomes a door for hackers to steal data
At Black Hat USA 2025 and DEF CON 33, Microsoft's Security Testing & Offensive Research (STORM) team disclosed a series of new vulnerabilities in the Windows Recovery Environment (WinRE). Attackers can exploit these vulnerabilities to bypass BitLocker and steal protected data.
What's worrying is that WinRE is one of the core features of Windows, easily accessible by holding down the Shift key and selecting Restart right from the Windows login screen.
What is BitLocker?
BitLocker (also known as Device Encryption – DE) is a full-disk encryption feature of Windows, which helps protect data from the risk of unauthorized access, especially in case the device falls into the wrong hands.
After BitLocker was released, Microsoft changed WinRE so that it could still recover the system even if the operating system drive was encrypted. The changes included:
- Move the WinRE.wim file from the encrypted operating system partition to the unencrypted recovery partition so that it can be accessed in case of a crash.
- Implement Trusted WIM Boot to verify the WinRE file before automatically unlocking the OS drive.
- Add a mechanism to re-lock the drive if the user opens 'dangerous' tools like Command Prompt, requiring re-entering the BitLocker recovery key to access.
However, the STORM team said that after Trusted WIM Boot passes the authentication step, WinRE will be in an auto-unlock state, allowing data to be read from unprotected partitions, such as the EFI partition or the recovery partition. This process inadvertently opens up many new vulnerabilities.
To prevent this, Microsoft recommends that users: Enable TPM with PIN for pre-boot authentication, reducing dependence on auto-unlock mechanism. At the same time, activate REVISE (KB5025885) to prevent downgrade attacks.
These vulnerabilities are currently tracked as CVE-2025-48800, CVE-2025-48003, CVE-2025-48804, and CVE-2025-48818, and have been patched on Windows 11 and Windows 10 with the July 2025 Patch Tuesday. Since patches are cumulative, you can also download and install the latest August Patch for Windows 11 (KB5063878, KB5063875) and Windows 10 (KB5063709/KB5063877/KB5063871/KB5063889) that were recently released.
Micah SotoYou should read it
- How to remove updates from Windows Recovery Environment (WinRE)
- How to check if the computer has serious Windows 10 vulnerabilities
- Team Kali Linux teaches free online pentest on Twitch
- How to fix 'dead screen black' error
- Microsoft expert discovered a series of serious code execution errors in IoT, OT devices
- Windows 7 users need to install Microsoft patches immediately to fix BlueKeep security errors
- What is the staging environment?
- Detecting zero-day vulnerabilities in Internet Explorer helps hackers gain control of the computer
May be interested
- How to create Windows PE rescue disk
rescue disks based on pe are a customized windows recovery environment that comes with computer repair tools. this article will guide you how to create windows pe rescue disk offline. - 6 addresses to save professional datadata rescue addresses in hanoi and ho chi minh city help users retrieve important data.
- How to create versatile USB Boot, USB boot rescuehow to create versatile usb boot, usb boot rescue. when using the computer, you will face a number of risks that can occur at any time such as win errors, data corruption; or when you want to reinstall windows, create ghost files, etc. in those cases, a usb stick
- The 'magic' box can open all kinds of smart door locks in 3 secondsthis 'miracle' box is a homemade chinese product, used by a woman named wang to unlock 8 smart door brands equipped with fingerprint or nfc security technology on the spot. in super short time.
- 8 Sophisticated Ways Hackers Use to Steal Your Security Answersif you think your security questions are a reliable backup to your password, you might be in for a surprise. hackers have clever ways to figure out those answers, and it's often easier than you think.
- Hackers can modify Safari on macOS to steal user dataapple was notified of this security flaw six months ago but has not yet patched it.
- It turns out this is how hackers attack your computer through the main screenthe video clearly shows how he entered the user's computer through the main screen, creating a vulnerability on the computer to steal personal information. in this way, the hacker can even change the amount of money in the user's bank account.
- Detecting botnets that can easily bypass Windows Defender and steal crypto wallet datathe sharp increase in the value of cryptocurrency transactions in the past few years has led to the trend of global online systems being attacked by botnets that steal virtual currency.
- How to install Rescue Cut on the computerwith the rescue cut version for computers, you will not be interrupted the rescue as on the rescue cut mobile version because of battery capacity.
- 7 ways hackers steal your identity on social networkssocial networking is a great way to connect with strangers, but it also makes it easier for others to collect your personal information.
Technology story
- What is Microsoft Copilot AI? How to use it effectively?
- Windows 11: Chế độ tối (dark mode) cuối cùng cũng được nâng cấp đáng giá
- Microsoft Store on Windows 11/10 no longer allows turning off app updates
- Microsoft quietly disables important feature, affecting performance of many high-end AMD Ryzen CPUs
- Turn 2D photos into 3D objects with Copilot's new feature
- WinRAR releases emergency patch for serious security vulnerability, users need to update immediately
What is Microsoft Copilot AI? How to use it effectively?
Windows 11: Chế độ tối (dark mode) cuối cùng cũng được nâng cấp đáng giá
Microsoft Store on Windows 11/10 no longer allows turning off app updates
Microsoft quietly disables important feature, affecting performance of many high-end AMD Ryzen CPUs
Turn 2D photos into 3D objects with Copilot's new feature
WinRAR releases emergency patch for serious security vulnerability, users need to update immediately