A security researcher has disclosed a significant vulnerability in Microsoft BitLocker, the full-disk encryption feature in Windows, that allows an attacker with physical access to recover sensitive data from an encrypted drive.
Microsoft patched the vulnerability, tracked as CVE-2025-21210 and dubbed "CrashXTS", in its January 2025 security update.
The attack works against BitLocker configurations that use TPM-only or TPM-plus-Network-Unlock key protectors, and it exploits a weakness in how crash dumps and hibernation files are handled. By corrupting specific registry values, the attacker prevents BitLocker's crash dump filter driver (dumpfve.sys) from loading, so the system writes its hibernation data, including memory contents, to disk unencrypted.
What makes the attack particularly concerning is its practicality. Earlier tampering attacks on full-disk encryption needed to know exactly where on disk the target data sat and what it contained; CrashXTS instead relies on controlled randomization. BitLocker's XTS-AES mode provides confidentiality but no integrity protection, and it is a narrow-block mode: overwriting one 16-byte ciphertext block replaces only the corresponding 16-byte plaintext block with unpredictable data, leaving the rest of the sector intact. A registry value only has to become invalid, not take a chosen value, so randomizing the right blocks is enough.
The researcher showed that the registry structures to corrupt can be located reliably by observing which encrypted sectors change across four system states, so no plaintext knowledge of the disk is required.
The vulnerability affects BitLocker configurations that allow "seamless" boot-up to the Windows login screen, including enterprise environments where BitLocker is used to protect against unauthorized data access by low-privileged users. In these scenarios, a single instance of physical access could be sufficient to execute the attack.
Microsoft's fix, implemented in the fvevol.sys driver, verifies that dumpfve.sys is listed in the DumpFilters registry value. If the driver is absent, the system deliberately crashes rather than continue, so a missing filter cannot silently result in plaintext dumps. Two undocumented registry settings were introduced to disable this check where an administrator needs to.
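The following PowerShell script is an added example, not code from the advisory or from Microsoft. It audits a Windows host for the conditions the attack described above depends on: whether dumpfve.sys is registered in DumpFilters, whether hibernation or crash dumps are enabled at all, and which BitLocker volumes unlock "seamlessly" with only a TPM or TPM + Network Unlock protector. The registry paths (HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl and \Control\Power) and the Get-BitLockerVolume cmdlet are standard Windows locations; the protector type name TpmNetworkKey for Network Unlock is an assumption. Run it from an elevated session.

```powershell
# Added example (not from the advisory or Microsoft): audit a host for the
# conditions CrashXTS abuses. Requires an elevated PowerShell session on Windows.
# Assumed: DumpFilters (REG_MULTI_SZ) under CrashControl, the filter name
# dumpfve.sys, and 'TpmNetworkKey' as the protector type for Network Unlock.

function Test-CrashXtsExposure {
    [CmdletBinding()]
    param()

    $crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $power        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'

    # 1. Is the BitLocker dump filter registered? Without it, hiberfil.sys and
    #    crash dumps go through the normal dump stack and land on disk in plaintext.
    $filters  = (Get-ItemProperty -Path $crashControl -Name DumpFilters -ErrorAction SilentlyContinue).DumpFilters
    $filterOk = [bool]($filters -and ($filters -contains 'dumpfve.sys'))

    # 2. Does anything get dumped? Hibernation and crash dumps are the two paths
    #    that write memory contents to disk.
    $hibernate = (Get-ItemProperty -Path $power -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    $crashDump = (Get-ItemProperty -Path $crashControl -Name CrashDumpEnabled -ErrorAction SilentlyContinue).CrashDumpEnabled

    # 3. Which volumes unlock without pre-boot authentication (no PIN, password
    #    or startup key)? Those are the configurations the article says are exposed.
    $seamlessTypes = @('Tpm', 'TpmNetworkKey')   # 'TpmNetworkKey' is an assumption
    $volumes = Get-BitLockerVolume -ErrorAction Stop | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint   = $_.MountPoint
            Protection   = [string]$_.ProtectionStatus
            Protectors   = ($types -join ',')
            SeamlessBoot = [bool]($types | Where-Object { $seamlessTypes -contains $_ })
        }
    }

    [pscustomobject]@{
        DumpFilters       = ($filters -join ',')
        DumpFveRegistered = $filterOk
        HibernateEnabled  = ($hibernate -eq 1)
        CrashDumpEnabled  = ($null -ne $crashDump -and $crashDump -ne 0)
        Volumes           = $volumes
    }
}

$report = Test-CrashXtsExposure
$report | Select-Object DumpFilters, DumpFveRegistered, HibernateEnabled, CrashDumpEnabled | Format-List
$report.Volumes | Format-Table -AutoSize

if (-not $report.DumpFveRegistered) {
    Write-Warning 'dumpfve.sys is not listed in DumpFilters: memory dumps would reach the disk unencrypted.'
}
foreach ($v in ($report.Volumes | Where-Object { $_.SeamlessBoot -and $_.Protection -eq 'On' })) {
    Write-Warning ("{0} unlocks without pre-boot authentication ({1}); keep it patched and physically secured." -f $v.MountPoint, $v.Protectors)
}
```

A volume flagged SeamlessBoot with DumpFveRegistered = True is still only safe because the patched fvevol.sys enforces the check at runtime; the script reads the current registry state, which is exactly what the attack corrupts offline, so treat a missing dumpfve.sys entry on a machine that has been out of your custody as a sign of tampering, not merely misconfiguration.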
The researcher, who reported the vulnerability to Microsoft in August 2024, also demonstrated that similar randomization attacks might affect other full-disk encryption solutions, including those using wide-block ciphers. A wide-block mode randomizes the whole sector rather than a single 16-byte block when its ciphertext is modified, which makes targeted corruption harder but does not rule it out. This suggests that randomization attacks deserve broader attention from the security community.
Users are strongly advised to update their Windows systems to receive the security patch and maintain the physical security of their devices, as the attack requires direct hardware access to be successful.