
CVE-2025-10010: CWE-353 Missing Support for Integrity Check in CPSD IT SERVICES GMBH CryptoPro Secure Disk for BitLocker

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-10010, cve, cve-2025-10010, cwe-353
Published: Tue Feb 24 2026 (02/24/2026, 14:13:29 UTC)
Source: CVE Database V5
Vendor/Project: CPSD IT SERVICES GMBH
Product: CryptoPro Secure Disk for BitLocker

Description

The CPSD CryptoPro Secure Disk application boots a small Linux operating system to perform user authentication before using BitLocker to decrypt the Windows partition. The system is located on a separate unencrypted partition which can be reached by anyone with access to the hard disk. Multiple checks are performed to validate the integrity of the Linux operating system and the CryptoPro Secure Disk application files. When files are changed an error is shown on system start. One of the checks is the Linux kernel's Integrity Measurement Architecture (IMA). It was identified that configuration files are not validated by the IMA and can then (if not checked by other measures) be changed. This allows an attacker to execute arbitrary code in the context of the root user and enables an attacker to e.g., plant a backdoor and access data during execution.
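The gap described above can be reproduced in miniature by evaluating IMA appraise rules against two kinds of file access. This is an added example, not code from the vendor or the advisory: both policies and the sample accesses are constructed, and the evaluator is a simplification that models only `func`, `mask` and equality conditions.

```python
# Added illustration (not CPSD's code): simplified first-match evaluation of
# IMA appraise rules. Both policies below are constructed samples.
OPTIONS = {"appraise_type", "appraise_flag", "appraise_algos", "template", "pcr"}

EXEC_ONLY_POLICY = """\
dont_appraise fsmagic=0x9fa0
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
appraise func=MODULE_CHECK appraise_type=imasig
"""
# Same policy plus a rule covering root-owned files opened for reading.
HARDENED_POLICY = EXEC_ONLY_POLICY + (
    "appraise func=FILE_CHECK mask=^MAY_READ fowner=0 appraise_type=imasig\n")

def parse_policy(text):
    """Return [(action, {condition: value})], dropping comments and options."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, *tokens = line.split()
        conds = dict(t.split("=", 1) for t in tokens if "=" in t)
        rules.append((action, {k: v for k, v in conds.items() if k not in OPTIONS}))
    return rules

def rule_matches(conds, access):
    """Every condition must hold; a condition the access lacks never matches."""
    for key, want in conds.items():
        if key == "mask" and want.startswith("^"):
            ok = want[1:] in access["mask"]      # ^FLAG: flag is among those requested
        elif key == "mask":
            ok = access["mask"] == {want}        # plain FLAG: exact match
        else:
            ok = access.get(key) == want
        if not ok:
            return False
    return True

def is_appraised(policy_text, access):
    """The first matching appraise/dont_appraise rule decides; default is no."""
    for action, conds in parse_policy(policy_text):
        if action in ("appraise", "dont_appraise") and rule_matches(conds, access):
            return action == "appraise"
    return False

# Constructed accesses on an ext4 partition (fsmagic 0xef53), files owned by root.
BINARY_EXEC = {"func": "BPRM_CHECK", "mask": {"MAY_EXEC"}, "fowner": "0", "fsmagic": "0xef53"}
CONFIG_READ = {"func": "FILE_CHECK", "mask": {"MAY_READ"}, "fowner": "0", "fsmagic": "0xef53"}
PROC_READ = dict(CONFIG_READ, fsmagic="0x9fa0")  # procfs, exempted by rule 1
```

Under the exec-only policy, `is_appraised` is true for the executed binary and false for the configuration file read, which is the class of gap the description reports; the hardened variant closes it for root-owned files.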

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/13/2026, 18:59:53 UTC

Technical Analysis

CVE-2025-10010 identifies a security weakness in the CryptoPro Secure Disk for BitLocker product by CPSD IT SERVICES GMBH. This product enhances BitLocker by booting a small Linux-based OS to authenticate users before decrypting the Windows partition. The Linux OS and application files reside on a separate, unencrypted partition accessible to anyone with physical access to the device. The product uses multiple integrity checks, including the Linux kernel's Integrity Measurement Architecture (IMA), to detect tampering with system files. However, configuration files are not covered by IMA checks and can be modified without detection. An attacker with physical access can alter these configuration files to execute arbitrary code with root privileges during the boot process. This can enable planting persistent backdoors, compromising the confidentiality, integrity, and availability of the encrypted data once BitLocker unlocks the Windows partition. The vulnerability affects versions earlier than 7.6.6 and 7.7.1, with no patches currently linked. The CVSS 3.1 score of 6.8 reflects a medium severity due to the requirement of physical access but the high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a significant risk in environments where physical security is weak or devices are exposed to untrusted individuals.

Potential Impact

The vulnerability allows attackers with physical access to bypass critical integrity protections by modifying unencrypted configuration files, leading to arbitrary root code execution during the pre-boot authentication phase. This compromises the security guarantees of BitLocker encryption by enabling attackers to plant backdoors or malware that can access decrypted data once the system boots. The impact includes full compromise of data confidentiality, integrity, and availability on affected systems. Organizations relying on CryptoPro Secure Disk for BitLocker in high-security environments, such as government, finance, or critical infrastructure, face increased risk of data breaches and persistent compromise. The attack requires physical access but no authentication or user interaction, making it particularly dangerous in scenarios where devices are lost, stolen, or accessible to insiders. The lack of integrity checks on configuration files undermines the trustworthiness of the entire pre-boot authentication process.

Mitigation Recommendations

1. Apply vendor patches or updates as soon as they become available for versions prior to 7.6.6 and 7.7.1 to ensure configuration files are included in integrity checks.
2. Implement strict physical security controls to prevent unauthorized access to devices, including secure storage, tamper-evident seals, and device tracking.
3. Use full disk encryption solutions that protect all partitions, including those containing pre-boot environments, or ensure the pre-boot partition is encrypted or integrity-protected.
4. Regularly audit and monitor device integrity using hardware-based security modules or trusted platform modules (TPMs) to detect unauthorized changes.
5. Employ endpoint detection and response (EDR) tools capable of identifying unusual boot-time behaviors or root-level code execution.
6. Educate users and administrators about the risks of physical access attacks and enforce policies for device handling and loss reporting.
7. Consider multi-factor authentication mechanisms that do not rely solely on pre-boot Linux OS authentication to reduce risk.


Technical Details

Data Version: 5.2
Assigner Short Name: SEC-VLab
Date Reserved: 2025-09-05T08:13:43.528Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699e0f3fbe58cf853b290da9

Added to database: 2/24/2026, 8:51:11 PM

Last enriched: 3/13/2026, 6:59:53 PM

Last updated: 4/9/2026, 5:29:32 AM
