Multiple vulnerabilities in Microsoft Windows BitLocker
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2025-21210 CVE-2025-21214 |
| CWE-ID | CWE-636 CWE-200 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Not Failing Securely ('Failing Open')
EUVDB-ID: #VU102699
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-21210
CWE-ID:
CWE-636 - Not Failing Securely (\'Failing Open\')
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in Windows BitLocker. An attacker with physical access can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 10 21H2 10.0.19041.3920 - 11 24H2 10.0.26100.2894
Windows Server: 2008 R2 6.1.7601.27117 - 2025 10.0.26100.2605
CPE2.3- cpe:2.3:o:microsoft:windows:10:21H2_10.0.19041.3920:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19043.4529:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1147:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1149:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1151:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1165:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1200:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1263:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server:2008_R2:6.1.7601.27117:*:*:*:*:*:*
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-21210
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU102700
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-21214
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in Windows BitLocker. An attacker with physical access can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 10 21H2 10.0.19041.3920 - 11 24H2 10.0.26100.2894
Windows Server: 2008 R2 6.1.7601.27117 - 2025 10.0.26100.2605
CPE2.3- cpe:2.3:o:microsoft:windows:10:21H2_10.0.19041.3920:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19043.4529:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1147:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1149:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1151:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1165:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1200:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1263:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1266:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server:2008_R2:6.1.7601.27117:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server:2008_R2:6.1.7601.27170:*:*:*:*:*:*
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-21214
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
