MEDIUM 5.3

CVE-2026-45655: Windows BitLocker Physical Bypass Vulnerability – MEDIUM Risk

Windows BitLocker, Microsoft's full-disk encryption feature, contains a flaw that allows an attacker with physical access to a device to bypass its protection and access encrypted data. The vulnerability affects multiple versions of Windows 10, Windows 11, and Windows Server. While an attacker must have hands-on access to the machine, the risk is significant because BitLocker is often the last defense against data theft when a device is lost, stolen, or accessed by an insider. This is not a remote attack; it requires physical presence.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Weaknesses (CWE)
CWE-693
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45655 is a protection mechanism failure (CWE-693) in Windows BitLocker's cryptographic enforcement. The vulnerability allows an unauthenticated attacker to bypass a core security feature via a physical attack vector with low complexity. The CVSS 3.1 score of 5.3 (MEDIUM, AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) reflects high confidentiality impact across system boundaries, but requires physical proximity and permits no integrity or availability compromise. The flaw is present across Windows 10 releases (1607, 1809, 21H2, 22H2), all current Windows 11 releases (23H2, 24H2, 25H2, 26H1), and server editions from 2012 through 2025.

Business impact

For organizations relying on BitLocker to protect sensitive data on laptops, desktops, or servers, this vulnerability elevates the risk of confidential data exposure if devices are physically compromised. The impact is particularly acute for organizations in regulated industries (finance, healthcare, government) where encrypted device loss or theft was previously considered a contained risk. Insider threats and supply-chain scenarios where devices spend time in unsecured facilities become more dangerous. However, the requirement for physical access limits the attack surface; remote threats and mass compromise are not possible through this flaw alone.

Affected systems

The vulnerability affects a wide range of Windows platforms: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025. Any organization running BitLocker on these systems for data protection is potentially exposed. Air-gapped or isolated networks do not reduce risk since the attack is physical, not network-based.

Exploitability

Exploitability requires physical access to a powered-off or running device—an attacker cannot execute this remotely. The attack complexity is low once physical access is obtained, meaning no special tools or advanced technical knowledge beyond the physical attack method itself is required. To date, this vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active in-the-wild exploitation has not been documented at publication time. However, the low complexity of exploitation post-physical-access means that once technical details are widely understood, the risk of opportunistic exploitation increases.

Remediation

Microsoft has released security updates addressing this vulnerability across affected Windows versions. Organizations should apply the relevant patches immediately to all BitLocker-enabled systems. Verify the specific patch version for your Windows edition against the Microsoft Security Update Guide. Until patches are applied, compensating controls—such as BIOS/UEFI password protection, physical access controls, and secure boot enforcement—can help reduce exposure. Additionally, enabling Secure Boot and TPM-based BitLocker unlock (rather than password-only unlock) adds defense-in-depth.

Patch guidance

Patches are available via Windows Update and the Microsoft Security Update Guide (portal.msrc.microsoft.com). For Windows 10 and 11, enable automatic updates or manually check Windows Update for security updates rated Critical or Important. For Windows Server, follow your organization's patch management schedule but prioritize this update given the breadth of affected versions. Verify that your patched version number matches Microsoft's advisory before marking systems as remediated. Test patches in a non-production environment first, particularly for servers, to confirm BitLocker functionality remains intact post-patching.

Detection guidance

Monitor for signs of unauthorized physical device access, including unusual BIOS/UEFI settings changes or unexpected hard-drive activity patterns on devices with BitLocker enabled. Check BitLocker status and recovery key recovery attempts via event logs (Windows event ID 4697 and BitLocker-specific events). Review physical access logs for data centers and secure facilities where servers are housed. Consider implementing hardware-based intrusion detection on critical systems. End-user training on device security and reporting lost or accessed devices is also valuable, as physical attacks often occur undetected.

Why prioritize this

Although the CVSS score is MEDIUM (5.3) and physical access is required, prioritization should account for three factors: (1) BitLocker is a last-line-of-defense control, so its compromise directly enables data exfiltration; (2) the affected asset base is enormous (all modern Windows versions and servers); and (3) organizations in security-sensitive industries may face regulatory or contractual pressure to patch encryption flaws rapidly. For enterprises with strong physical security, this is a lower-urgency patch; for those with laptops in the field or less controlled environments, it warrants faster deployment.

Risk score, explained

The CVSS 3.1 score of 5.3 (MEDIUM) reflects high confidentiality impact (C:H) but low attack complexity and no integrity or availability impact. The physical attack vector (AV:P) constrains the overall score, as remote exploitation is impossible. However, context matters: the breadth of affected versions, the criticality of BitLocker in defense-in-depth strategies, and the low exploitation complexity once physical access is gained suggest that risk assessment should factor in organizational context (device mobility, physical security posture) beyond the raw CVSS number.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. This vulnerability requires physical access to the device. It cannot be exploited over a network, and remote attackers cannot trigger it. The attack vector designation (AV:P) in the CVSS score reflects this requirement.

Does this affect BitLocker-to-Go (portable USB drives)?

The vulnerability specifically targets BitLocker protection on the OS drive and system volumes. While the data provided does not detail BitLocker-to-Go coverage, you should verify with Microsoft's security advisory whether portable encrypted media are affected or if mitigation strategies differ.

What should we do if we cannot patch immediately?

Implement layered physical security controls: require BIOS/UEFI passwords, enforce Secure Boot, use TPM-based unlock instead of password-only unlock, and restrict physical access to devices. Additionally, monitor for physical tampering or unauthorized device access and ensure BitLocker recovery keys are securely stored offline.

Is this in the CISA KEV catalog?

As of the published date, this vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog, indicating no documented active exploitation in the wild at that time. However, you should monitor CISA KEV updates regularly, as status can change as threats evolve.

This analysis is based on data current as of June 2026. Patch version numbers and Microsoft advisory details should be verified directly against the Microsoft Security Update Guide and vendor advisories before deploying patches. The assessment does not include real-world exploitation data beyond the CISA KEV status at publication. Organizations should supplement this analysis with threat intelligence relevant to their industry and threat model. Physical security posture, device inventory, and regulatory requirements should inform prioritization decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).