Redazione RHC : 11 September 2025 07:50
Two significant elevation of privilege vulnerabilities affecting Windows BitLocker encryption have been addressed by Microsoft. These flaws, identified as CVE-2025-54911 and CVE-2025-54912, have been classified as high severity. These vulnerabilities were disclosed on September 9, 2025.
Both CVE-2025-54911 and CVE-2025-54912 are classified as “Use-After-Free” vulnerabilities, a common and dangerous type of memory corruption bug. This weakness, cataloged as CWE-416, occurs when a program continues to use a pointer to a memory location after that memory has been freed or deallocated.
The discovery of CVE-2025-54912 has been attributed to Hussein Alrubaye, in collaboration with Microsoft, demonstrating a collaborative effort between the company and external security researchers to identify and address critical security issues.
The vulnerabilities could allow an authorized attacker to gain full SYSTEM privileges on a computer, bypassing the security protocols BitLocker is designed to enforce.
In this scenario, an attacker could exploit these bugs to execute arbitrary code, resulting in a complete compromise of the system. The presence of two distinct bugs in BitLocker highlights the ongoing challenges of maintaining memory safety in complex software.
Microsoft emphasized that exploitation is considered “less likely,” and at the time of disclosure, the vulnerabilities had not been publicly described or seen exploited in specific attacks.
According to CVSS metrics provided by Microsoft, an attack requires the adversary to have privileges on the target system. Furthermore, for the exploit to be successful, some form of user interaction is required, meaning that an attacker would have to trick an authorized user into performing a specific action.
In response to the discovery, Microsoft fixed the vulnerabilities in the September 2025 Patch Tuesday update. The company urged users and administrators to promptly apply the latest updates to protect their systems from potential attacks.